A covered entity shall:

(a) Set forth standards for developing, implementing and maintaining reasonable safeguards to protect the security, confidentiality and integrity of customer information pursuant to 16 C.F.R. § 314, as in effect on July 1, 2023;

(b) develop and organize its information security program into one or more readily accessible parts; and

(c) maintain its information security program as part of the covered entity’s books and records in accordance with the record retention requirements of such covered entity.