1. Each licensee shall notify the director as promptly as practicable, but in no event later than four business days, from a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred when either of the following criteria has been met:
(1) This state is the licensee's state of domicile, in the case of an insurer, or this state is the licensee's home state, in the case of a producer, as those terms are defined in section 375.012 , and the cybersecurity event has a reasonable likelihood of materially harming a consumer residing in this state or a reasonable likelihood of materially harming any material part of the normal operations of the licensee; or
(2) The licensee reasonably believes that the nonpublic information involved is of two hundred fifty or more consumers residing in this state and is either of the following:
(a) A cybersecurity event impacting the licensee of which notice is required to be provided to any government body, self-regulatory agency, or any other supervisory body under any state or federal law; or
(b) A cybersecurity event that has a reasonable likelihood of materially harming:
a. Any consumer residing in this state; or
b. Any material part of the normal operations of the licensee.
2. The licensee shall provide as much of the following information as practicable except that the licensee shall not release to the state or any other entity nonpublic information of the consumer unless given written authority by the consumer or otherwise required by law. The licensee shall provide the information in electronic form as directed by the director. The licensee shall have a continuing obligation to update and supplement initial and subsequent notifications to the director regarding material changes to previously provided information relating to the cybersecurity event:
(1) The date of the cybersecurity event;
(2) A description of how the information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of third-party service providers, if any;
(3) How the cybersecurity event was discovered;
(4) Whether any exposed, lost, stolen, or breached information has been recovered and if so, how this was done;
(5) The identity of the source of the cybersecurity event;
(6) Whether the licensee has filed a police report or has notified any regulatory, government, or law enforcement agencies and, if so, when such notification was provided;
(7) A description of the specific types of information acquired without authorization. "Specific types of information" means particular data elements including, for example, types of medical information, types of financial information, or types of information allowing identification of the consumer;
(8) The period during which the information system was compromised by the cybersecurity event;
(9) The number of total consumers in this state affected by the cybersecurity event. The licensee shall provide the best estimate in the initial report to the director and update this estimate with each subsequent report to the director under this section;
(10) The results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed;
(11) A description of the efforts being undertaken to remediate the situation that permitted the cybersecurity event to occur;
(12) A copy of the licensee's privacy policy and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event; and
(13) The name of a contact person who is both familiar with the cybersecurity event and authorized to act for the licensee.
3. The licensee shall comply with section 407.1500 , as applicable, and provide a copy of the notice sent to consumers under that section to the director when a licensee is required to notify the director under subsection 1 of section 375.1410 .
4. (1) In the case of a cybersecurity event in a system maintained by a third-party service provider of which the licensee has become aware, the licensee shall treat such event as it would under subsection 1 of section 375.1410 .
(2) The computation of a licensee's deadlines shall begin on the day after the third-party service provider notifies the licensee of the cybersecurity event or the licensee otherwise has actual knowledge of the cybersecurity event, whichever is sooner.
(3) Nothing in sections 375.1400 to 375.1427 shall prevent or abrogate an agreement between a licensee and another licensee, a third-party service provider, or any other party to fulfill any of the investigation requirements imposed under section 375.1407 or notice requirements imposed under this section.
5. (1) (a) In the event of a cybersecurity event involving nonpublic information that is used by the licensee that is acting as an assuming insurer or in the possession, custody, or control of a licensee that is acting as an assuming insurer and that does not have a direct contractual relationship with the affected consumers, the assuming insurer shall notify its affected ceding insurers and the commissioner or director of insurance for its state of domicile within three business days of making the determination that a cybersecurity event has occurred.
(b) The ceding insurers that have a direct contractual relationship with affected consumers shall fulfill the consumer notification requirements imposed under section 407.1500 and any other notification requirements relating to a cybersecurity event imposed under this section.
(c) Any licensee acting as assuming insurer shall have no other notice obligations relating to a cybersecurity event or other data breach under this section or any other law of the state.
(2) (a) In the event of a cybersecurity event involving nonpublic information that is in the possession, custody, or control of a third-party service provider of a licensee that is an assuming insurer, the assuming insurer shall notify its affected ceding insurers and the commissioner or director of insurance for its state of domicile within three business days of receiving notice from its third-party service provider that a cybersecurity event has occurred.
(b) The ceding insurers that have a direct contractual relationship with affected consumers shall fulfill the consumer notification requirements imposed under section 407.1500 and any other notification requirements relating to a cybersecurity event imposed under this section.
6. In the case of a cybersecurity event involving nonpublic information that is in the possession, custody, or control of a licensee that is an insurer or its third-party service provider for which a consumer accessed the insurer's services through an independent insurance producer, and for which consumer notice is required by law, including section 407.1500 , the insurer shall notify the producers of record of all affected consumers of the cybersecurity event no later than the time at which notice is provided to the affected consumers. The insurer is excused from this obligation for those instances in which it does not have the current producer of record information for any individual consumer.