Terms Used In Indiana Code 27-2-27-22

  • commissioner: refers to the insurance commissioner appointed under IC 27-1-1-2. See Indiana Code 27-2-27-3
  • consumer: means a resident of Indiana whose nonpublic information is in a licensee's possession, custody, or control. See Indiana Code 27-2-27-4
  • cybersecurity event: means an event resulting in unauthorized access to or a disruption or misuse of an information system or nonpublic information stored on the information system that has a reasonable likelihood of materially harming a consumer or any material part of the normal operations of the licensee. See Indiana Code 27-2-27-5
  • licensee: means a person that is:

    Indiana Code 27-2-27-10

  • nonpublic information: means electronic information that is not publicly available information and is described in either of the following subdivisions:

    Indiana Code 27-2-27-12

  • third party service provider: means a person that contracts with a licensee to maintain, process, store, or otherwise is permitted access to nonpublic information through its provision of services to the licensee. See Indiana Code 27-2-27-15

Sec. 22. (a) In the case of a cybersecurity event involving nonpublic information that:

(1) is used by a licensee acting as an assuming insurer; or

(2) is in the possession, custody, or control of a licensee that:

(A) is acting as an assuming insurer; and

(B) does not have a direct contractual relationship with the affected consumers;

the assuming insurer shall notify its affected ceding insurers and the commissioner of its state of domicile within three (3) business days after making the determination that a cybersecurity event has occurred and the ceding insurers that have a direct contractual relationship with affected consumers shall fulfill the consumer notification requirements imposed under IC 24-4.9 and any other notification requirements relating to a cybersecurity event imposed under section 21(c) through 21(f) of this chapter.

(b) In the case of a cybersecurity event involving nonpublic information that is in the possession, custody, or control of a third party service provider of a licensee that is an assuming insurer:

(1) the assuming insurer shall notify its affected ceding insurers and the commissioner of its state of domicile within three (3) business days after receiving notice from its third party service provider that a cybersecurity event has occurred; and

(2) the ceding insurers that have a direct contractual relationship with affected consumers shall fulfill the consumer notification requirements imposed under IC 24-4.9 and any other notification requirements relating to a cybersecurity event imposed under section 21(c) through 21(f) of this chapter.

(c) Except for the obligations set forth in this section, a licensee acting as assuming insurer has no notice obligations relating to a cybersecurity event or other data breach under section 21 of this chapter or any other law of Indiana.

As added by P.L.130-2020, SEC.10.