N.Y. Comp. Codes R. & Regs. tit. 23, § 500.14
(a) As part of its cybersecurity program, each covered entity shall:
(b) Each class A company shall implement, unless the CISO has approved in writing the use of reasonably equivalent or more secure compensating controls: