§ 24-A §2264 — Information security program

Maine § 24-A §2264

• Jurisdiction: Maine
• Title 24-A: MAINE INSURANCE CODE
• Ch. 24-B: MAINE INSURANCE DATA SECURITY ACT

Text

1.
Implementation of information security program.
Commensurate with the size and complexity of the licensee, the nature and scope of the licensee's activities, including its use of 3rd-party service providers, and the sensitivity of the nonpublic information used by the licensee or in the licensee's possession, custody or control, a licensee shall develop, implement and maintain a comprehensive, written information security program based on the licensee's risk assessment and containing administrative, technical and physical safeguards for the protection of nonpublic information and the licensee's information systems.
2.
Objectives of information security program.
A licensee's information security program must be designed to:
3.
Risk assessment.
A licensee shall:
4.
Risk management.
Based on its risk assessment pursuant to subsection 3, a licensee shall:
5.
Oversight by board of directors.
If a licensee has a board of directors, the board or an appropriate committee of the board, at a minimum, shall require the licensee's executive management or the executive management's delegates to:
6.
Oversight of 3rd-party service provider arrangements.
A licensee shall:
7.
Program adjustments.
A licensee shall monitor, evaluate and adjust, as appropriate, its information security program consistent with any relevant changes in technology, the sensitivity of the licensee's nonpublic information, internal or external threats to nonpublic information and the licensee's own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements and changes to information systems.
8.
Incident response plan.
As part of its information security program, a licensee shall establish a written incident response plan designed to promptly respond to and recover from any cybersecurity event that compromises the confidentiality, integrity or availability of nonpublic information in its possession; the licensee's information systems; or the continuing functionality of any aspect of the licensee's business or operations. The incident response plan must address the following areas:
9.
Annual certification to superintendent.
By April 15th annually, an insurance carrier domiciled in this State shall submit to the superintendent a written statement certifying that the insurance carrier is in compliance with the requirements set forth in this section. An insurance carrier shall maintain for examination by the superintendent all records, schedules and data supporting this certification for a period of 5 years. To the extent that an insurance carrier has identified areas, systems or processes that require material improvement, updating or redesign, the insurance carrier shall document the identification and the remedial efforts planned and underway to address such areas, systems or processes. The documentation required pursuant to this subsection must be available for inspection by the superintendent.

Legislative History

PL 2021, c. 24, §1 (NEW). PL 2025, c. 348, §30 (AMD).