§ 4514 — Corporate oversight

Pennsylvania § 4514

• Jurisdiction: Pennsylvania
• Title 40: INSURANCE
• Part: PART II
• Ch. 45: INSURANCE DATA SECURITY
• Subch.: PROCEDURES

Text

(a) Duties.--If a licensee has a board of directors, the board or an appropriate committee of the board shall, at a minimum:

(1) Require the licensee's executive management or delegates to develop, implement and maintain the licensee's information security program.

(2) Require the licensee's executive management or delegates to report in writing at least annually, the following information:

(i) The overall status of the information security program and the licensee's compliance with this chapter.

(ii) Material matters related to the information security program, addressing issues such as:

(A) Risk assessment, risk management and control decisions.

(B) Third-party service provider arrangements.

(C) The results of testing.

(D) Cybersecurity events.

(E) Any violation of this chapter and management's responses to the violation.

(F) Recommendations for changes in the information security program.

(b) Delegation.--If the executive management of a licensee delegates any of its responsibilities under this section or section 4512 (relating to risk assessment), 4513 (relating to information security program) or 4515 (relating to oversight of third-party service provider arrangements), the executive management shall oversee the development, implementation and maintenance of the licensee's information security program prepared by the delegated entity, which shall provide a written report to the executive management in accordance with the reporting requirements of this chapter.

Legislative History

Cross References.Section 4514 is referred to in sections 4516, 4521, 4532, 4536 of this title.