(a) In the case of a cybersecurity event involving nonpublic information that is used by the licensee that is acting as an assuming insurer or in the possession, custody, or control of a licensee that is acting as an assuming insurer and that does not have a direct contractual relationship with the affected consumers, the assuming insurer shall notify its affected ceding insurers and the commissioner of its state of domicile within three business days of making the determination that a cybersecurity event has occurred.

Terms Used In Hawaii Revised Statutes 431:3B-305

  • Commissioner: means the insurance commissioner of the State. See Hawaii Revised Statutes 431:3B-101
  • Consumer: means an individual, including but not limited to applicants, policyholders, insureds, beneficiaries, claimants, and certificate holders, who is a resident of this State and whose nonpublic information is in a licensee's possession, custody, or control. See Hawaii Revised Statutes 431:3B-101
  • Cybersecurity event: means an event resulting in unauthorized access to, or disruption or misuse of, an information system or nonpublic information stored on that information system. See Hawaii Revised Statutes 431:3B-101
  • State: means the State of Hawaii. See Hawaii Revised Statutes 431:3B-101
  • Third-party service provider: means a person, not otherwise defined as a licensee, that contracts with a licensee to maintain, process, store, or otherwise is permitted access to nonpublic information through its provision of services to the licensee. See Hawaii Revised Statutes 431:3B-101
(b) In the case of a cybersecurity event involving nonpublic information that is in the possession, custody, or control of a third-party service provider of a licensee that is an assuming insurer, the assuming insurer shall notify its affected ceding insurers and the commissioner of its state of domicile within three business days of receiving notice from its third-party service provider that a cybersecurity event has occurred.
(c) The ceding insurers that have a direct contractual relationship with affected consumers shall fulfill the consumer notification requirements imposed under chapter 487N and any other notification requirements relating to a cybersecurity event imposed under this part.

  Previous
Next  
 Part III Contents