§ 27-2-27-17 — Risk assessment; requirements

Indiana § 27-2-27-17

• Jurisdiction: Indiana
• Title 27: INSURANCE
• Art. 2: POWERS AND DUTIES OF INSURERS
• Ch. 27: Insurance Data Security

Text

A licensee shall conduct a risk assessment
of its information systems and treatment of nonpublic information by
doing the following:
(1) Designating one (1) or more employees, an affiliate, or an
outside vendor designated to act on behalf of the licensee
information security program.
(2) Identifying reasonably foreseeable internal or external threats
that could result in a cybersecurity event, including threats to
information systems and nonpublic information held or accessed
by third party service providers.
(3) Assessing the likelihood and potential damage of the threats
identified in subdivision (2), taking into consideration the
sensitivity of the nonpublic information.
(4) Assessing the sufficiency of the policies, procedures,
information systems, and other safeguards currently in place to
manage the threats identified in subdivision (2), including an
assessment of threats in each relevant area of the licensee's
operations, including the following:
(A) Employee training and management.
(B) Information systems, including network and software
design, and information classification, governance, processing,
storage, transmission, and disposal.
(C) Procedures for detecting, preventing, and responding to
cybersecurity events or other systems failures.
(5) Implementing information safeguards to manage the threats
identified under subdivision (2), and assessing the effectiveness
of the safeguards' key controls, systems, and procedures at least
one (1) time each year.

Legislative History

As added by P.L.130-2020, SEC.10.