If the licensee has a board of directors, the board or an appropriate committee of the board shall, at a minimum:

(1) Require the licensee’s executive management or its delegates to develop, implement, and maintain the licensee’s information security program;

Terms Used In Hawaii Revised Statutes 431:3B-204

  • Risk assessment: means the risk assessment that each licensee is required to conduct under section 431:3B-202. See Hawaii Revised Statutes 431:3B-101
  • Third-party service provider: means a person, not otherwise defined as a licensee, that contracts with a licensee to maintain, process, store, or otherwise is permitted access to nonpublic information through its provision of services to the licensee. See Hawaii Revised Statutes 431:3B-101

(2) Require the licensee’s executive management or its delegates to report in writing at least annually, the following information:

(A) The overall status of the information security program and the licensee’s compliance with this article; and
(B) Material matters related to the information security program, addressing issues such as risk assessment, risk management and control decisions, third-party service provider arrangements, results of testing, cybersecurity events or violations and management’s responses thereto, and recommendations for changes in the information security program; and

(3) If executive management delegates any of its responsibilities under this part, it shall oversee the development, implementation, and maintenance of the licensee’s information security program prepared by the delegate and shall receive a report from the delegate complying with the requirements of the report to the board of directors specified in paragraph (2).