These
policies and procedures must address (1) the identification and risk assessment of third parties with access to Information Systems or Nonpublic Information; (2) minimum
cybersecurity practices required to be
met by such third parties; (3) due diligence processes used to evaluate the adequacy of
cybersecurity practices of such third parties; and (4) periodic assessment, at least annually, of such third - parties and the continued adequacy of their
cybersecurity practices.