[§431:3B-205]  Oversight of third-party service provider arrangements.  A licensee shall:

     (1)  Exercise due diligence in selecting its third-party service provider; and

     (2)  Where appropriate, require a third-party service provider to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to or held by the third-party service provider; provided that encrypted nonpublic information is not accessible to or held by the third‑party service provider within the meaning of this paragraph if the third-party service provider does not possess the associated protective process or key necessary to assign meaning to the nonpublic information. [L 2021, c 112, pt of §2]