§ 27-2-27-20 — Incident response plan

Indiana § 27-2-27-20

• Jurisdiction: Indiana
• Title 27: INSURANCE
• Art. 2: POWERS AND DUTIES OF INSURERS
• Ch. 27: Insurance Data Security

Text

(a) As part of its information security
program, a licensee shall establish a written incident response plan
designed to promptly respond to, and recover from, any cybersecurity
event.
(b) An incident response plan must include the following:
(1) The internal process for responding to a cybersecurity event.
(2) The goals of the incident response plan.
(3) The definition of clear roles, responsibilities, and levels of
decision making authority.
(4) External and internal communications and information
sharing.
(5) Identification of requirements for the remediation of any
identified weaknesses in information systems and associated
controls.
(6) Documentation and reporting regarding cybersecurity events
and related incident response activities.
(7) The evaluation and revision, as necessary, of the incident
response plan.
(c) Annually, not later than April 15, each insurer domiciled in
Indiana shall submit to the commissioner a written statement certifying
that the insurer is in compliance with the requirements set forth in
sections 16 through 19 of this chapter and this section. Each insurer
shall maintain for examination by the department all records,
schedules, and data supporting this certificate for a period of five (5)
years. To the extent an insurer has identified areas, systems, or
processes that require material improvement, updating, or redesign, the
insurer shall document the identification of the areas, systems, or
processes and the remedial efforts planned and underway to address the
areas, systems, or processes. The documentation must be available for
inspection by the commissioner.

Legislative History

As added by P.L.130-2020, SEC.10.