Terms Used In Indiana Code 27-2-27-20

  • commissioner: refers to the insurance commissioner appointed under IC 27-1-1-2. See Indiana Code 27-2-27-3
  • cybersecurity event: means an event resulting in unauthorized access to or a disruption or misuse of an information system or nonpublic information stored on the information system that has a reasonable likelihood of materially harming a consumer or any material part of the normal operations of the licensee. See Indiana Code 27-2-27-5
  • department: means the department of insurance created by IC 27-1-1-1. See Indiana Code 27-2-27-6
  • information security program: means the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information. See Indiana Code 27-2-27-8
  • licensee: means a person that is: See Indiana Code 27-2-27-10

Sec. 20. (a) As part of its information security program, a licensee shall establish a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event.

     (b) An incident response plan must include the following:

(1) The internal process for responding to a cybersecurity event.

(2) The goals of the incident response plan.

(3) The definition of clear roles, responsibilities, and levels of decision making authority.

(4) External and internal communications and information sharing.

(5) Identification of requirements for the remediation of any identified weaknesses in information systems and associated controls.

(6) Documentation and reporting regarding cybersecurity events and related incident response activities.

(7) The evaluation and revision, as necessary, of the incident response plan.

     (c) Annually, not later than April 15, each insurer domiciled in Indiana shall submit to the commissioner a written statement certifying that the insurer is in compliance with the requirements set forth in sections 16 through 19 of this chapter and this section. Each insurer shall maintain for examination by the department all records, schedules, and data supporting this certificate for a period of five (5) years. To the extent an insurer has identified areas, systems, or processes that require material improvement, updating, or redesign, the insurer shall document the identification of the areas, systems, or processes and the remedial efforts planned and underway to address the areas, systems, or processes. The documentation must be available for inspection by the commissioner.

As added by P.L.130-2020, SEC.10.