Publish a Statement of Compliance for the organization's external requirements.

CONTROL ID: 12350
CONTROL TYPE: Communicate
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Audits and risk management, CC ID: 00677

This Control has the following implementation support Control(s):
  • Include a commitment to comply with recommendations from applicable statutory bodies in the Statement of Compliance., CC ID: 12371
  • Include a commitment to cooperate with applicable statutory bodies in the Statement of Compliance., CC ID: 12370
  • Include the statutory bodies having jurisdiction over privacy rights violations in the Statement of Compliance., CC ID: 12369
  • Include a description of the organization's privacy policy in the Statement of Compliance., CC ID: 12362
  • Include the organization's fax number in the Statement of Compliance., CC ID: 12361
  • Include the organization's telephone number in the Statement of Compliance., CC ID: 12360
  • Include the organization's e-mail address in the Statement of Compliance., CC ID: 12359
  • Include the organization's name in the Statement of Compliance., CC ID: 12351
  • Include the organization's mailing address in the Statement of Compliance., CC ID: 12358
  • Describe how the organization processes personal data in the Statement of Compliance., CC ID: 12377
  • Describe the context of monetary losses in the Statement of Compliance., CC ID: 15533
  • Describe the nature of monetary losses in the Statement of Compliance., CC ID: 15532
  • Include trends in the origination of incidents that have occurred in the Report on Compliance., CC ID: 15512
  • Include trends in the frequency of incidents that have occurred in the Report on Compliance., CC ID: 15511
  • Include trends in the incident types that have occurred in the Statement of Compliance., CC ID: 15510
  • Include the scope of renewable energy in the Report on Compliance., CC ID: 15509
  • Include the scope of energy consumption in the Report on Compliance., CC ID: 15508
  • Include the total amount of energy consumed in the Statement of Compliance., CC ID: 15506
  • Include the number of unique customers who were affected by data breaches in the Report on Compliance., CC ID: 15505
  • Approve and sign the Report on Compliance., CC ID: 12392


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • provide a national competent authority, upon a reasoned request, with all the information and documentation necessary to demonstrate the conformity of a high-risk AI system with the requirements set out in Chapter 2 of this Title, including access to the logs automatically generated by the high-risk… (Article 25 2(b), Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • Importers shall provide national competent authorities, upon a reasoned request, with all necessary information and documentation to demonstrate the conformity of a high-risk AI system with the requirements set out in Chapter 2 of this Title in a language which can be easily understood by that natio… (Article 26 5., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • Upon a reasoned request from a national competent authority, distributors of high-risk AI systems shall provide that authority with all the information and documentation necessary to demonstrate the conformity of a high-risk system with the requirements set out in Chapter 2 of this Title. Distribut… (Article 27 5., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • An indication that management of the entity is responsible for the entity's compliance with the specified requirements. (AT-C Section 315.26 e., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • A statement that the examination does not provide a legal determination on the entity's compliance with specified requirements. (AT-C Section 315.20 i., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • An identification of the compliance matters that are being reported on or the assertion about such matters, including the point in time or period of time to which the measurement or evaluation of compliance relates. (AT-C Section 315.20 c., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • Annually, each insurer domiciled in this State shall submit to the Commissioner, a written statement by February 15, certifying that the insurer is in compliance with the requirements set forth in Section 4 of this Act. Each insurer shall maintain for examination by the Department all records, sched… (Section 4.I ¶ 1, Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • The overall status of the Information Security Program and the Licensee's compliance with this Act; and (Section 4.E ¶ 1(2)(a), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • REPORT.—Not later than March 1 of each year, the Director, in consultation with the Secretary, shall submit to Congress a report on the effectiveness of information security policies and practices during the preceding year, including— (§ 3553(c), Federal Information Security Modernization Act of 2014)
  • a description of the threshold for reporting major information security incidents; (§ 3553(c)(2), Federal Information Security Modernization Act of 2014)
  • an assessment of agency compliance with standards promulgated under section 11331 of title 40; and (§ 3553(c)(4), Federal Information Security Modernization Act of 2014)
  • any other information as the Director or the Secretary, in consultation with the Director, may require. (§ 3554(c)(1)(A)(iv), Federal Information Security Modernization Act of 2014)
  • The Department will maintain the Privacy Shield List of organizations that file completed self-certification submissions, thereby assuring the availability of Privacy Shield benefits, and will update such list on the basis of annual self-recertification submissions and notifications received pursuan… (§ III.6.d., EU-U.S. Privacy Shield Framework Principles)
  • Where the organization has chosen outside compliance review, such a review must demonstrate that its privacy policy regarding personal information received from the EU conforms to the Privacy Shield Principles, that it is being complied with, and that individuals are informed of the mechanisms throu… (§ III.7.d., EU-U.S. Privacy Shield Framework Principles)
  • Under the self-assessment approach, such verification must indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy pol… (§ III.7.c., EU-U.S. Privacy Shield Framework Principles)
  • Independent recourse mechanisms must publish an annual report providing aggregate statistics regarding their dispute resolution services. The annual report must include: (1) the total number of Privacy Shield-related complaints received during the reporting year; (2) the types of complaints received… (§ III.11.d.iii., EU-U.S. Privacy Shield Framework Principles)
  • Persistent failure to comply arises where an organization that has self-certified to the Department refuses to comply with a final determination by any privacy self-regulatory, independent dispute resolution, or government body, or where such a body determines that an organization frequently fails t… (§ III.11.g.ii., EU-U.S. Privacy Shield Framework Principles)
  • The result of any remedies provided by the dispute resolution body should be that the effects of non-compliance are reversed or corrected by the organization, insofar as feasible, and that future processing by the organization will be in conformity with the Principles and, where appropriate, that pr… (§ III.11.e.i., EU-U.S. Privacy Shield Framework Principles)
  • In order to provide transparency in respect of lawful requests by public authorities to access personal information, Privacy Shield organizations may voluntarily issue periodic transparency reports on the number of requests for personal information they receive by public authorities for law enforcem… (§ III.16.a., EU-U.S. Privacy Shield Framework Principles)
  • Provide records and compliance reports. A covered entity or business associate must keep such records and submit such compliance reports, in such time and manner and containing such information, as the Secretary may determine to be necessary to enable the Secretary to ascertain whether the covered e… (§ 160.310(a), 45 CFR Part 160 - General Administrative Requirements)
  • Evaluate the financial institution's adherence to NACHA and clearing house operating rules and regulations. (App A Tier 1 Objectives and Procedures Objective 8:1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Each insurer domiciled in this state, annually on or before February 15, shall submit to the commissioner a written statement certifying that the insurer is in compliance with the requirements set forth in this chapter. Each insurer shall maintain for examination by the department all records, sched… (Section 27-62-4(i), Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • The overall status of the information security program of the licensee and the compliance of the licensee with this chapter. (Section 27-62-4(e)(2) a., Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • Annual Certification to Commissioner of Domiciliary State. Except as provided in subdivision (10) of this subsection, each insurer domiciled in this state shall submit to the Insurance Commissioner a written statement, not later than February fifteenth, annually, certifying that such insurer is in c… (Part VI(c)(9), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • The overall status of such licensee's information security program and such licensee's compliance with this section; and (Part VI(c)(5)(B)(i), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • The overall status of the information security program and the licensee's compliance with this chapter. (§ 8604.(e)(2) a., Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • Submit annually to the Commissioner a written statement by February 15, certifying that the insurer is in compliance with the requirements under in this section. (§ 8604.(i)(1), Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • The overall status of the information security program and the licensee's compliance with this article; and (§431:3B-204(2)(A), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • Each insurer domiciled in the State shall annually submit to the commissioner a written statement by March 31, certifying that the insurer is in compliance with the requirements set forth in this part. (§431:3B-208(a), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • the overall status of the information security program; (Sec. 19.(b)(2)(A), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • the licensee's compliance with this chapter; and (Sec. 19.(b)(2)(B), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • Annually, not later than April 15, each insurer domiciled in Indiana shall submit to the commissioner a written statement certifying that the insurer is in compliance with the requirements set forth in sections 16 through 19 of this chapter and this section. Each insurer shall maintain for examinati… (Sec. 20.(c), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • If a licensee’s executive management delegates any of its responsibilities under this section the executive management shall oversee the delegate’s development, implementation, and maintenance of the licensee’s information security program, and shall require the delegate to submit an annual wr… (507F.4 5.b., Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • The overall status of the licensee’s information security program and the licensee’s compliance with this chapter. (507F.4 5.a.(2)(a), Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • An insurer domiciled in this state shall annually submit to the commissioner on or before April 15 a written certification that the insurer is in compliance with this section. Each insurer shall maintain all records, schedules, documentation, and data supporting the insurer’s certification for fiv… (507F.4 8., Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • If a licensee becomes aware of a cybersecurity event in an information system maintained by a third-party service provider of the licensee, the licensee shall comply with section 507F.7, or the licensee may obtain a written certification from the third-party service provider that the provider is in … (507F.9 1., Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • The overall status of the information security program and the licensee's compliance with this Chapter. (§2504.E.(2)(a), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • Annually, each insurer domiciled in this state shall submit to the commissioner a written statement by February 15, certifying that the insurer is in compliance with the requirements set forth in this Section. (§2504.I.(1), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • The overall status of the licensee's information security program and the licensee's compliance with this chapter; and (§2264 5.B.(1), Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • Annual certification to superintendent. By April 15th annually, an insurance carrier domiciled in this State shall submit to the superintendent a written statement certifying that the insurance carrier is in compliance with the requirements set forth in this section. An insurance carrier shall maint… (§2264 9., Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • The overall status of the information security program and the licensee's compliance with this chapter. (Sec. 555.(5)(b)(i), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • By February 15 of each year, each insurer domiciled in this state shall submit to the director a written statement, certifying that the insurer is in compliance with the requirements of this section. Each insurer shall maintain for examination by the department all records, schedules, and data suppo… (Sec. 555.(9), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • Subject to paragraph (b), by April 15 of each year, an insurer domiciled in this state shall certify in writing to the commissioner that the insurer is in compliance with the requirements set forth in this section. Each insurer shall maintain all records, schedules, and data supporting this certific… (§ 60A.9851 Subdivision 9(a), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • the overall status of the information security program and the licensee's compliance with sections 60A.985 to 60A.9858; and (§ 60A.9851 Subdivision 5(2)(i), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • Annually, each insurer domiciled in this state shall submit to the commissioner a written statement by February 15, certifying that the insurer is in compliance with the requirements set forth in this section. Each insurer shall maintain for examination by the department all records, schedules and d… (§ 83-5-807 (9), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • The overall status of the information security program and the licensee’s compliance with this article; and (§ 83-5-807 (5)(b)(i), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • The overall status of the information security program and the licensee's compliance with this chapter; and (§ 420-P:4 V.(b)(1), New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • Annually, each insurer domiciled in this state shall submit to the commissioner, a written statement by March 1, certifying that the insurer is in compliance with the requirements set forth in this section. Each insurer shall maintain for examination by the department all records, schedules and data… (§ 420-P:4 IX., New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • The overall status of the information security program and the licensee's compliance with the provisions of this chapter; and (26.1-02.2-03. 5.b.(1), North Dakota Century Code, Title 26.1, Chapter 26.1‑02.2, Sections 1-11, Insurance Data Security)
  • Annually, an insurer domiciled in this state shall submit to the commissioner, a written statement by April fifteenth, certifying the insurer is in compliance with the requirements set forth in this section. An insurer shall maintain for examination by the department all records, schedules, and data… (26.1-02.2-03. 10., North Dakota Century Code, Title 26.1, Chapter 26.1‑02.2, Sections 1-11, Insurance Data Security)
  • The overall status of the information security program and the licensee's compliance with this chapter; (Section 3965.02 (E)(2)(a), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • By the fifteenth day of February of each year, unless otherwise permitted to file on the first day of June in division (I)(2) of this section, each insurer domiciled in this state shall submit to the superintendent of insurance a written statement certifying that the insurer is in compliance with th… (Section 3965.02 (I)(1), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • the overall status of the information security program and the licensee's compliance with this chapter; and (SECTION 38-99-20. (E)(1)(b)(i), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • Annually, each insurer domiciled in this State shall submit to the director, a written statement by February fifteenth, certifying that the insurer is in compliance with the requirements set forth in this section. Each insurer shall maintain for examination by the department all records, schedules, … (SECTION 38-99-20. (I), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • The status of the licensee's information security program and compliance with this part; and (§ 56-2-1004 (5)(B)(i), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • Each insurer domiciled in this state shall submit to the commissioner by April 15 of each year written certification that the insurer is in compliance with this section. Each insurer shall maintain for examination by the department all records, schedules, and data supporting the certification for a … (§ 56-2-1004 (9)(A), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • If the licensee's executive management delegates any of the executive management's responsibilities under this section, then the executive management must oversee the development, implementation, and maintenance of the licensee's information security program prepared by the delegates and must either… (§ 56-2-1004 (5)(C), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • If a licensee has a board of directors, the board or an appropriate committee of the board shall, at a minimum, require the licensee's information executive management or its delegates to (i) develop, implement, and maintain the licensee's information security program and (ii) report in writing (a) … (§ 38.2-623.D.1., Code of Virginia, Title 38.2, Chapter 6, Article 2, Sections 621-629, Insurance Data Security Act)
  • Beginning in 2023 and annually thereafter, each insurer domiciled in the Commonwealth shall, by February 15, submit to the Commissioner a written statement certifying that the insurer is in compliance with the requirements set forth in this section, any rules adopted pursuant to this article, and an… (§ 38.2-623.H., Code of Virginia, Title 38.2, Chapter 6, Article 2, Sections 621-629, Insurance Data Security Act)
  • The overall status of the information security program and the licensee's compliance with this subchapter. (§ 601.952(7)(c)1., Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)
  • Annual certification to commissioner. Beginning in 2023, a licensee who is domiciled in this state shall annually submit, no later than March 1, to the commissioner a written certification that the licensee is in compliance with the requirements of this section. The licensee shall maintain all recor… (§ 601.952(8), Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)