Submit the incident response report to the proper authorities in a timely manner.
CONTROL ID
12705
CONTROL TYPE
Communicate
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Create an incident response report following an incident response., CC ID: 12700

There are no implementation support Controls.
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • A financial institution shall, within 14 days or such longer period as the Authority may allow, from the discovery of the relevant incident as described in paragraph 7 or a relevant incident arising from the circumstances set out in regulation 21(d) of the Markets Regulations, as the case may be, su… (Technology Risk Management ¶ 8, Monetary Authority of Singapore: Securities and Futures Act (CAP. 289) Notice on Technology Risk Management, Amendment 2018)
  • A financial institution shall, within 14 days or such longer period as the Authority may allow, from the discovery of the relevant incident as described in paragraph 7 or a relevant incident arising from the circumstances set out in regulation 23(1)(e) of the Markets Regulations, as the case may be,… (Technology Risk Management ¶ 8, Monetary Authority of Singapore: Securities and Futures Act (CAP. 289) Notice on Technology Risk Management, Notice No.: CMG-N02)
  • Under CPS 234, an APRA-regulated entity must notify APRA of information security incidents that meet specified criteria. Prudential Standard CPS 232 Business Continuity Management also includes a requirement for notifying APRA of disruptions that meet specified criteria. Where a disruption resulting… (87., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • For the purpose of the first subparagraph, financial entities shall produce, after collecting and analysing all relevant information, the initial notification and reports referred to in paragraph 4 of this Article using the templates referred to in Article 20 and submit them to the competent authori… (Art. 19.1. ¶ 4, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Financial entities shall report major ICT-related incidents to the relevant competent authority as referred to in Article 46 in accordance with paragraph 4 of this Article. (Art. 19.1. ¶ 1, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Credit institutions classified as significant, in accordance with Article 6(4) of Regulation (EU) No 1024/2013, shall report major ICT-related incidents to the relevant national competent authority designated in accordance with Article 4 of Directive 2013/36/EU, which shall immediately transmit that… (Art. 19.1. ¶ 3, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • The information mentioned in subsection (6) must be recorded in such a way as to enable the Commissioner to verify compliance with this section. (§ 67(7), UK Data Protection Act 2018 Chapter 12)
  • The information mentioned in subsection (6) must be recorded in such a way as to enable the Commissioner to verify compliance with this section. (§ 67(7), UK Data Protection Act 2018 Chapter 12, Revised 06/06/2022)
  • matters (e.g. incident or crisis notification) that require communication to regulatory bodies or other interested parties; and (§ 7.4 Guidance ¶ 2(i), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • Communications about the nature of the incident, recovery actions taken, and activities required for the prevention of future security events are made to management and others as appropriate (internal and external). (CC7.5 Communicates Information About the Event, Trust Services Criteria)
  • Communications about the nature of the incident, recovery actions taken, and activities required for the prevention of future security events are made to management and others as appropriate (internal and external). (CC7.5 ¶ 2 Bullet 2 Communicates Information About the Event, Trust Services Criteria, (includes March 2020 updates))
  • In the case of a Cybersecurity Event in a system maintained by a Third-Party Service Provider, of which the Licensee has become aware, the Licensee shall treat such event as it would under Section 6A. (Section 6.D(1), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • A Cybersecurity Event impacting the Licensee of which notice is required to be provided to any government body, self-regulatory agency or any other supervisory body pursuant to any state or federal law; or (Section 6.A ¶ 1(2)(a), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • In the case of a Cybersecurity Event involving Nonpublic Information that is used by the Licensee that is acting as an assuming insurer or in the possession, custody or control of a Licensee that is acting as an assuming insurer and that does not have a direct contractual relationship with the affec… (Section 6.E(1)(a), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • In the case of a Cybersecurity Event involving Nonpublic Information that is in the possession, custody or control of a Third-Party Service Provider of a Licensee that is an assuming insurer, the assuming insurer shall notify its affected ceding insurers and the Commissioner of its state of domicile… (Section 6.E(2)(a), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • This State is the Licensee's state of domicile, in the case of an insurer, or this State is the Licensee's home state, in the case of a producer, as those terms are defined in [insert reference to Producer Licensing Model Act]; or (Section 6.A ¶ 1(1), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • Response programs that specify actions to be taken when the financial institution suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies. (Supplement A § I.B.2(c), 12 CFR Appendix F to Part 225 - Interagency Guidelines Establishing Information Security Standards)
  • Response programs that specify actions to be taken when the bank holding company suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies; and (§ III.C(1)(g), 12 CFR Appendix F to Part 225 - Interagency Guidelines Establishing Information Security Standards)
  • If an SCI event is not resolved or the SCI entity's investigation of the SCI event is not closed within 30 calendar days of the occurrence of the SCI event, then submit an interim written notification pertaining to such SCI event to the Commission within 30 calendar days after the occurrence of the … (§242.1002(b)(4)(i)(B)(1), 17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures)
  • Submit to the Commission a report, within 30 calendar days after the end of each calendar quarter, containing a summary description of such systems disruptions and systems intrusions, including the SCI systems and, for systems intrusions, indirect SCI systems, affected by such systems disruptions an… (§242.1002(b)(5)(ii), 17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures)
  • Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: (§242.1002(b)(2), 17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures)
  • Notifying law enforcement; or (Appendix A-IV. ¶ 1 (h), 17 CFR Part 248 Subpart C, Regulation S-ID - Identity Theft Red Flags)
  • Rapidly report cyber incidents to DoD at https://dibnet.dod.mil. (§ 252.204-7012(c)(1)(ii), 252.204-7012, SAFEGUARDING COVERED DEFENSE INFORMATION AND CYBER INCIDENT REPORTING (DEC 2019))
  • Initial incident reports should be submitted within one hour of discovery with follow-on information provided as available. Initial reports may be incomplete to facilitate communication and teamwork between the CSP and the organizations performing MCD/BCD Actions. CSPs should balance the necessity o… (Section 6.5.2 ¶ 4, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Providing timely incident and system health reports. (Section 6.4 ¶ 1 Bullet 4, sub-bullet 5, sub sub-bullet 2, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Details about contacting the appropriate regulator; (TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:9 Bullet 5, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Information about threats is shared with law enforcement and regulators when required or prompted. (Domain 2: Assessment Factor: Information Sharing, INFORMATION SHARING Baseline 1 ¶ 3, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Approves a policy to escalate and report significant security incidents to the board, steering committee, government agencies, and law enforcement, as appropriate. (App A Objective 2:2 f., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Confidentiality of reports. SARs are confidential. Any credit union, including its officials, employees, and agents, subpoenaed or otherwise requested to disclose a SAR or the information in a SAR must decline to produce the SAR or to provide any information that would disclose that a SAR was prepar… (§ 748.1 (c)(5), 12 CFR Part 748, NCUA Guidelines for Safeguarding Member Information, July 1, 2001)
  • Response programs that specify actions to be taken when the national bank or Federal savings association suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies; and (§ III. C. 1.(g), Appendix B of OCC 12 CFR Part 30, Safety and Soundness Standards)
  • Report significant cyber incidents to senior management; appropriate federal, state, local, tribal, and territorial (SLTT) entities; and applicable ISAC(s). (Table 2: Communications Baseline Security Measures Cell 1, Pipeline Security Guidelines)
  • This state is the state of domicile of the licensee, in the case of an insurer, or this state is the home state of the licensee, in the case of a producer, as those terms are defined in Section 27-7-1, and the cybersecurity event has a reasonable likelihood of materially harming a consumer residing … (Section 27-62-6(a)(1), Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • A cybersecurity event impacting the licensee that the licensee is required to notify any government body, self-regulatory agency, or any other supervisory body about pursuant to any state or federal law. (Section 27-62-6(a)(2) a., Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • If the licensee becomes aware of a cybersecurity event in a system maintained by a third-party service provider, the licensee shall treat the event in the same manner as provided under subsection (a) unless the third-party service provider provides the notice required under subsection (a) to the com… (Section 27-62-6(e)(1), Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • In the case of a cybersecurity event involving nonpublic information that is used by the licensee that is acting as an assuming insurer or in the possession, custody, or control of a licensee that is acting as an assuming insurer and that does not have a direct contractual relationship with the affe… (Section 27-62-6(f)(1) a., Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • In the case of a cybersecurity event involving nonpublic information that is in the possession, custody, or control of a third-party service provider of a licensee that is an assuming insurer, the assuming insurer shall notify its affected ceding insurers and the commissioner of its state of domicil… (Section 27-62-6(f)(2) a., Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California (1) whose unencrypted personal information was, or… (§ 1798.29(a), California Civil Code Section 1798.29)
  • Any agency that is required to issue a security breach notification pursuant to this section to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally ide… (§ 1798.29(e), California Civil Code Section 1798.29)
  • In the case of a cybersecurity event involving a system maintained by a third-party service provider, each licensee affected by the event shall treat such event, if the licensee is aware of such event, as such licensee would treat such event under subdivision (1) of this subsection. (Part VI(e)(4)(A), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • State or federal law requires that a notice concerning such cybersecurity event be provided to a government body, self-regulatory agency or another supervisory body; or (Part VI(e)(1)(B)(i), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • Such licensee is an insurer and this state is the insurer's state of domicile, or the licensee is an insurance producer, as defined in section 38a-702a, and this state is the insurance producer's home state, as defined in section 38a-702a; and (Part VI(e)(1)(A), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • In the case of a cybersecurity event involving nonpublic information that is in the possession, custody or control of a third-party service provider of a licensee, when the licensee is acting as an assuming insurer, including an assuming insurer that is domiciled in another state or jurisdiction, th… (Part VI(e)(5)(B)(i), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • In the case of a cybersecurity event involving nonpublic information that is used by a licensee that is acting as an assuming insurer or in the possession, custody or control of a licensee that is acting as an assuming insurer and that does not have a direct contractual relationship with the affecte… (Part VI(e)(5)(A)(i), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • In accordance with the proposed timetable established pursuant to subdivision (1) of subsection (e) of this section, submit to the office of the Attorney General and the state contracting agency either (A) a report detailing the breach or suspected breach, including a plan to mitigate the effects of… (¶ 4e-70(b)(8), Connecticut General Statutes, Title 4e, Chapter 62a, Section 4e-70, Requirements for state contractors who receive confidential information)
  • The cybersecurity event impacts a licensee that is required to provide notice to a government body, self-regulatory agency, or other supervisory body under state or federal law. (§ 8606.(a)(2) a., Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • The licensee is required to provide notice of the cybersecurity event to a government body, self-regulatory agency, or other supervisory body under state or federal law. (§ 8606.(a)(1) c., Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • The licensee is an insurer who is domiciled in this State or a producer whose home state is this State, as "home state" is defined under Chapter 17 of this title, and the cybersecurity event results in any of the following: (§ 8606.(a)(1), Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • Notification to the Commissioner. — A licensee shall notify the Commissioner as promptly as possible but in no event later than 3 business days from the licensee's determination that a cybersecurity event has occurred if either of the following criteria has been met: (§ 8606.(a), Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • If a cybersecurity event occurs in a system that a third-party service provider maintains and of which a licensee has become aware, the licensee shall treat the event as it would under subsection (a) of this section unless the third-party service provider provides the notice to the Commissioner unde… (§ 8606.(d)(1), Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • If a cybersecurity event involves nonpublic information that is used by a licensee who is acting as an assuming insurer, or the nonpublic information is in the possession, custody, or control of a licensee who is acting as an assuming insurer and does not have a direct contractual relationship with … (§ 8606.(e)(1), Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • If a cybersecurity event involves nonpublic information that is in the possession, custody, or control of a third-party service provider of a licensee who is acting as an assuming insurer, the licensee who is acting as an assuming insurer shall notify the affected ceding insurer and the Commissioner… (§ 8606.(e)(2), Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • A police report, incident report, or computer forensics report. (501.171 (3)(c) 1., Florida Statutes, Title XXXIII Chapter 501 Section 171, Security of confidential personal information)
  • Each licensee shall notify the commissioner as promptly as possible, but in no event later than three business days from a determination that a cybersecurity event impacting two hundred fifty or more consumers has occurred. If law enforcement officials instruct a licensee not to distribute informati… (§431:3B-302(a), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • The licensee is domiciled in the State, in the case of an insurer, or the licensee's home state is Hawaii, in the case of an independent insurance producer; or (§431:3B-302(a)(1), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • In the case of a cybersecurity event involving nonpublic information that is in the possession, custody, or control of a third-party service provider of a licensee that is an assuming insurer, the assuming insurer shall notify its affected ceding insurers and the commissioner of its state of domicil… (§431:3B-305(b), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • In the case of a cybersecurity event impacting a licensee's nonpublic information in a system maintained by a third-party service provider, of which the licensee has become aware, the licensee shall treat the event as it would under section 431:3B-302 unless the third-party service provider provides… (§431:3B-304(a), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • In the case of a cybersecurity event involving nonpublic information that is used by the licensee that is acting as an assuming insurer or in the possession, custody, or control of a licensee that is acting as an assuming insurer and that does not have a direct contractual relationship with the affe… (§431:3B-305(a), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • A government agency shall submit a written report to the legislature within twenty days after discovery of a security breach at the government agency that details information relating to the nature of the breach, the number of individuals affected by the breach, a copy of the notice of security brea… (§ 487N-4 ¶ 1, Hawaii Revised Statutes Volume 11 Chapter 487N, Security Breach of Personal Information)
  • Indiana is the licensee's state of domicile, if the licensee is an insurer, or the licensee's home state, if the licensee is a producer, and the cybersecurity event has a reasonable likelihood of materially harming a consumer residing in Indiana or materially harming any material part of the normal … (Sec. 21.(c)(1), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • A cybersecurity event impacting the licensee of which notice is required to be provided by any other state, federal, or local law. (Sec. 21.(c)(2)(A), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • the assuming insurer shall notify its affected ceding insurers and the commissioner of its state of domicile within three (3) business days after making the determination that a cybersecurity event has occurred and the ceding insurers that have a direct contractual relationship with affected consume… (Sec. 22.(a) ¶ 1, Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • the assuming insurer shall notify its affected ceding insurers and the commissioner of its state of domicile within three (3) business days after receiving notice from its third party service provider that a cybersecurity event has occurred; and (Sec. 22.(b)(1), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • The licensee is an insurer who is domiciled in this state, or is a producer whose home state is this state, and any of the following apply: (507F.7 1.a., Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • The laws of this state or federal law requires that notice of the cybersecurity event be given by the licensee to a government body, self-regulatory agency, or other supervisory body. (507F.7 1.a.(1), Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • State or federal law requires that notice of the cybersecurity event be given by the licensee to a government body, self-regulatory agency, or other supervisory body. (507F.7 1.b.(1), Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • If a cybersecurity event involves nonpublic information that is in the possession, custody, or control of a third-party service provider of a licensee that is acting as an assuming insurer, the assuming insurer shall notify each of the assuming insurer’s affected ceding insurers and the commission… (507F.10 2., Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • If a cybersecurity event involves nonpublic information used by, or that is in the possession, custody, or control of, a licensee that is acting as an assuming insurer and that does not have a direct contractual relationship with consumers affected by the cybersecurity event, the assuming insurer sh… (507F.10 1., Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • In the case of a cybersecurity event involving nonpublic information that is in the possession, custody, or control of a third-party service provider of a licensee that is an assuming insurer, the assuming insurer shall notify its affected ceding insurers and the commissioner of its state of domicil… (§2506.E.(2)(a), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • This state is the licensee's state of domicile, in the case of an insurer, or this state is the licensee's home state, in the case of a producer, an adjuster, or public adjuster as those terms are defined in R.S. 22:1542, 1661, or 1692, and the cybersecurity event has reasonable likelihood of materi… (§2506.A.(1), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • A cybersecurity event affecting the licensee of which notice is required to be provided to any government body, self-regulatory agency, or any other supervisory body pursuant to any state or federal law. (§2506.A.(2)(a), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • The licensee shall treat the cybersecurity event as it would pursuant to Subsection A of this Section, unless the third-party service provider gives the notice required in Subsection A of this Section. (§2506.D.(1)(a), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • In the case of a cybersecurity event involving nonpublic information used by a licensee acting as an assuming insurer or in the possession, custody, or control of a licensee acting as an assuming insurer and that does not have a direct contractual relationship with the affected consumers, the assumi… (§2506.E.(1)(a), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • This State is the licensee's state of domicile, in the case of an insurance carrier, or this State is the licensee's home state, as that term is defined in section 1420-A, subsection 2, in the case of an insurance producer; or (§2266 1.A., Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • A cybersecurity event affecting the licensee of which notice is required to be provided to any government body, self-regulatory organization or other supervisory body pursuant to any state or federal law; or (§2266 1.B.(1), Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • Notification to consumers. A licensee shall comply with Title 10, chapter 210-B, as applicable, and, when required to notify the superintendent under subsection 1, provide to the superintendent a copy of the notice sent to consumers pursuant to Title 10, chapter 210-B. (§2266 3., Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • The licensee shall respond to the cybersecurity event as described under subsection 1; and (§2266 4.A., Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • The assuming insurer shall notify its affected ceding insurers and the superintendent of its state of domicile within 3 business days of receiving notice from its 3rd-party service provider that a cybersecurity event has occurred; and (§2266 5.B.(1), Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • The assuming insurer shall notify its affected ceding insurers and the superintendent of its state of domicile within 3 business days of making the determination that a cybersecurity event has occurred; and (§2266 5.A.(1), Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • A cybersecurity event impacting the licensee of which notice is required to be provided to any government body, self-regulatory agency, or other supervisory body under any state or federal law. (500.559 (1)(b)(i), Michigan Compiled Laws Chapter 500 Act 218 of 1956 Chapter 5A Section 559, Notification of cybersecurity event involving nonpublic information; duty to update and supplement notifications to director; contents; application to third-party service provider; duties of ceding insurers with direct contractual relationship)
  • This state is the licensee's state of domicile, for an insurer, or this state is the licensee's home state, for an insurance producer as that term is defined in section 1201, and the cybersecurity event has a reasonable likelihood of materially harming either of the following: (500.559 (1)(a), Michigan Compiled Laws Chapter 500 Act 218 of 1956 Chapter 5A Section 559, Notification of cybersecurity event involving nonpublic information; duty to update and supplement notifications to director; contents; application to third-party service provider; duties of ceding insurers with direct contractual relationship)
  • Each licensee shall notify the director as promptly as possible but not later than 10 business days after a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred when either of the following criteria has been met: (500.559 (1), Michigan Compiled Laws Chapter 500 Act 218 of 1956 Chapter 5A Section 559, Notification of cybersecurity event involving nonpublic information; duty to update and supplement notifications to director; contents; application to third-party service provider; duties of ceding insurers with direct contractual relationship)
  • Each licensee shall notify the director as promptly as possible but not later than 10 business days after a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred when either of the following criteria has been met: (Sec. 559.(1), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • This state is the licensee's state of domicile, for an insurer, or this state is the licensee's home state, for an insurance producer as that term is defined in section 1201, and the cybersecurity event has a reasonable likelihood of materially harming either of the following: (Sec. 559.(1)(a), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • A cybersecurity event impacting the licensee of which notice is required to be provided to any government body, self-regulatory agency, or other supervisory body under any state or federal law. (Sec. 559.(1)(b)(i), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • For a cybersecurity event in a system maintained by a third-party service provider, of which the licensee has become aware, the licensee shall treat the event as it would under this section. The computation of the licensee's deadlines begins on the day after the third-party service provider notifies… (Sec. 559.(4), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • For a cybersecurity event involving nonpublic information that is used by the licensee that is acting as an assuming insurer or in the possession, custody, or control of a licensee that is acting as an assuming insurer and that does not have a direct contractual relationship with the affected consum… (Sec. 559.(5), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • In the case of a cybersecurity event involving nonpublic information that is used by the licensee that is acting as an assuming insurer or in the possession, custody, or control of a licensee that is acting as an assuming insurer and that does not have a direct contractual relationship with the affe… (§ 60A.9853 Subdivision 5(a), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • In the case of a cybersecurity event involving nonpublic information that is in the possession, custody, or control of a third-party service provider of a licensee that is an assuming insurer, the assuming insurer shall notify its affected ceding insurers and the commissioner of its state of domicil… (§ 60A.9853 Subdivision 5(c), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • a cybersecurity event impacting the licensee of which notice is required to be provided to any government body, self-regulatory agency, or any other supervisory body pursuant to any state or federal law; or (§ 60A.9853 Subdivision 1(2)(i), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • this state is the licensee's state of domicile, in the case of an insurer, or this state is the licensee's home state, in the case of a producer, as those terms are defined in chapter 60K and the cybersecurity event has a reasonable likelihood of materially harming: (§ 60A.9853 Subdivision 1(1), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • A cybersecurity event impacting the licensee of which notice is required to be provided to any government body, self-regulatory agency or any other supervisory body pursuant to any state or federal law; or (§ 83-5-811 (1)(b)(i), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • This state is the licensee’s state of domicile, in the case of an insurer, or this state is the licensee’s home state, in the case of a producer, as those terms are defined in Section 83-17-53, and the cybersecurity event has a reasonable likelihood of materially harming a consumer residing in t… (§ 83-5-811 (1)(a), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • In the case of a cybersecurity event involving nonpublic information that is in the possession, custody or control of a third-party service provider of a licensee who is an assuming insurer, the assuming insurer shall notify its affected ceding insurers and the commissioner of its state of domicile … (§ 83-5-811 (5)(b)(i), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • In the case of a cybersecurity event involving nonpublic information that is used by the licensee who is acting as an assuming insurer or in the possession, custody or control of a licensee who is acting as an assuming insurer and that does not have a direct contractual relationship with the affecte… (§ 83-5-811 (5)(a)(i), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • In the case of a cybersecurity event in a system maintained by a third-party service provider, of which the licensee has become aware, the licensee shall treat such event as it would under subsection (1) of this section unless the third-party service provider provides the notice required under subse… (§ 83-5-811 (4)(a), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • A state agency or third party that is required to issue a notification to an individual pursuant to this section shall simultaneously submit to the state's chief information officer at the department of administration and to the attorney general's consumer protection office an electronic copy of the… (¶ 2-6-1503(5), Montana Code Annotated Title 2., Chapter 6., Part 15., Sections 2-6-1501 to 1503)
  • Any person or business that is required to issue a notification pursuant to this section shall simultaneously submit an electronic copy of the notification and a statement providing the date and method of distribution of the notification to the attorney general's consumer protection office, excludin… (§ 30-14-1704(8), Montana Code Annotated Title 30, Chapter 14, Part 17, Section 30-14-1704)
  • Any person or business that conducts business in Montana and that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the data system following discovery or notification of the breach to any resident of Montana whose unencrypted personal… (§ 30-14-1704(1), Montana Code Annotated Title 30, Chapter 14, Part 17, Section 30-14-1704)
  • New Hampshire is the licensee's state of domicile, in the case of an insurer, or this state is the licensee's home state, in the case of a producer, as those terms are defined in RSA 402-J, and the cybersecurity event has a reasonable likelihood of materially harming a consumer residing in this stat… (§ 420-P:6 I.(a), New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • As to notice of cybersecurity events of reinsurers to insurers, in the case of a cybersecurity event involving nonpublic information that is used by the licensee that is acting as an assuming insurer or in the possession, custody, or control of a licensee that is acting as an assuming insurer and th… (§ 420-P:6 V.(a)(1), New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • In the case of a cybersecurity event in a system maintained by a third-party service provider, of which the licensee has become aware, the licensee shall treat such event as it would under paragraph I, unless the third-party service provider provides the notice required under paragraph I to the comm… (§ 420-P:6 IV.(a), New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • In the case of a cybersecurity event involving nonpublic information that is in the possession, custody, or control of a third-party service provider of a licensee that is an assuming insurer, the assuming insurer shall notify its affected ceding insurers and the commissioner of its state of domicil… (§ 420-P:6 V.(b)(1), New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • Impacts the licensee, in which case notice shall be provided to any government body, self-regulatory agency, or any other supervisory body pursuant to any state or federal law; or (§ 420-P:6 I.(b)(1), New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • Safe Harbor for HIPAA Compliance. – A licensee that is in possession of protected health information subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and that has established and maintains programs and procedures regarding information privacy, security, and breach… (§ 420-P:10, New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • A person that is required to issue notification of a security breach pursuant to the Data Breach Notification Act to more than one thousand New Mexico residents as a result of a single security breach shall notify the office of the attorney general and major consumer reporting agencies that compile … (57-12C-10 ¶ 1, 2017 New Mexico Statutes Chapter 57 - Trade Practices and Regulations Article 12C - Data Breach Notification Section 57-12C-1)
  • NOTIFICATION TO ATTORNEY GENERAL AND CREDIT REPORTING AGENCIES.--A person that is required to issue notification of a security breach pursuant to the Data Breach Notification Act to more than one thousand New Mexico residents as a result of a single security breach shall notify the office of the att… (¶ 10, New Mexico House Bill 15, Data Breach Notification Act)
  • Notice of Cybersecurity Event. Each Covered Entity shall notify the superintendent as promptly as possible but in no event later than 72 hours from a determination that a Cybersecurity Event has occurred that is either of the following: (§ 500.17 Notices to Superintendent (a), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • Cybersecurity Events impacting the Covered Entity of which notice is required to be provided to any government body, self-regulatory agency or any other supervisory body; or (§ 500.17 Notices to Superintendent (a)(1), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity. (§ 500.17 Notices to Superintendent (a)(2), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • Each covered entity shall promptly provide to the superintendent any information requested regarding such incident. Covered entities shall have a continuing obligation to update the superintendent with material changes or new information previously unavailable. (§ 500.17 Notices to Superintendent (a)(2), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • Each covered entity shall notify the superintendent electronically in the form set forth on the department's website as promptly as possible but in no event later than 72 hours after determining that a cybersecurity incident has occurred at the covered entity, its affiliates, or a third-party servic… (§ 500.17 Notices to Superintendent (a)(1), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • Notice to affected persons under this section is not required if the exposure of private information was an inadvertent disclosure by persons authorized to access private information, and the person or business reasonably determines such exposure will not likely result in misuse of such information,… (§ 899-AA. 2(a), New York General Business Law Chapter 20, Article 39-F, Section 899-aa, Notification; person without valid authorization has acquired private information)
  • This state is the licensee's state of domicile, in the case of an insurer, or this state is the licensee's home state, in the case of a producer as defined in chapter 26.1-26, and the cybersecurity event has a reasonable likelihood of materially harming a consumer residing in this state or reasonabl… (26.1-02.2-05. 1.a., North Dakota Century Code, Title 26.1, Chapter 26.1‑02.2, Sections 1-11, Insurance Data Security)
  • In the case of a cybersecurity event in a system maintained by a third-party service provider, of which the licensee has become aware, the licensee shall treat the event in accordance with subsection 1 unless the third-party service provider provides the notice required under chapter 26.1-02.2 to th… (26.1-02.2-05. 4., North Dakota Century Code, Title 26.1, Chapter 26.1‑02.2, Sections 1-11, Insurance Data Security)
  • A cybersecurity event impacting the licensee for which notice is required to be provided to any government body, self-regulatory agency, or any other supervisory body pursuant to any state or federal law; or (26.1-02.2-05. 1.b.(1), North Dakota Century Code, Title 26.1, Chapter 26.1‑02.2, Sections 1-11, Insurance Data Security)
  • If a cybersecurity event involving nonpublic information that is used by a licensee that is acting as an assuming insurer or in the possession, custody, or control of a licensee that is acting as an assuming insurer and that does not have a direct contractual relationship with the affected consumers… (26.1-02.2-05. 5., North Dakota Century Code, Title 26.1, Chapter 26.1‑02.2, Sections 1-11, Insurance Data Security)
  • If a cybersecurity event involving nonpublic information that is in the possession, custody, or control of a third-party service provider of a licensee that is an assuming insurer, the assuming insurer shall notify the insurer's affected ceding insurers and the commissioner of the insurer's state of… (26.1-02.2-05. 6., North Dakota Century Code, Title 26.1, Chapter 26.1‑02.2, Sections 1-11, Insurance Data Security)
  • This state is the licensee's state of domicile, in the case of an insurer, or this state is the licensee's home state, in the case of an independent insurance agent. (Section 3965.04 (A)(1)(a), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • A cybersecurity event impacting the licensee of which notice is required to be provided to any government body, self-regulatory agency, or any other supervisory body pursuant to any state or federal law; (Section 3965.04 (A)(2)(a), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • If a licensee becomes aware of a cybersecurity event in a system maintained by a third-party service provider, the licensee shall treat the event as it would under division (A) of this section. (Section 3965.04 (D)(1), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • The assuming insurer shall notify its affected ceding insurers and the insurance commissioner of its state or jurisdiction of domicile within three business days of making the determination that a cybersecurity event has occurred. (Section 3965.04 (E)(1)(a), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • The assuming insurer shall notify its affected ceding insurers and the insurance commissioner of its state or jurisdiction of domicile within three business days of receiving notice from its third-party service provider that a cybersecurity event has occurred. (Section 3965.04 (E)(2)(a), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • South Carolina is the licensee's state of domicile in the case of an insurer, or the licensee's home state in the case of a producer; or (SECTION 38-99-40. (A)(1), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • impacts the licensee of which notice is required to be provided to any governmental body, self-regulatory agency, or any other supervisory body pursuant to state or federal law; or (SECTION 38-99-40. (A)(2)(a), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • In the case of a cybersecurity event in a system maintained by a third-party service provider of which the licensee has become aware, the licensee shall treat such event as it would under subsection (A). (SECTION 38-99-40. (D)(1), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • In the case of a cybersecurity event involving nonpublic information used by the licensee who is acting as an assuming insurer or in the possession, custody, or control of a licensee who is acting as an assuming insurer and that does not have a direct contractual relationship with the affected consu… (SECTION 38-99-40. (E)(1)(a), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • In the case of a cybersecurity event involving nonpublic information that is in the possession, custody, or control of a third-party service provider of a licensee who is an assuming insurer, the assuming insurer shall notify its affected ceding insurers and the director of its state of domicile wit… (SECTION 38-99-40. (E)(2)(a), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • The licensee is domiciled in this state, in the case of an insurer, as defined in § 56-6-102, or this state is the licensee's home state, in the case of an insurance producer, as defined in § 56-6-102; and (§ 56-2-1006 (a)(1)(A), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • A cybersecurity event of which notice must be provided to a government body, self-regulatory agency, or other supervisory body pursuant to state or federal law; or (§ 56-2-1006 (a)(2)(A), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • If a licensee becomes aware of a cybersecurity event in the licensee's information system maintained by a third-party service provider, then the licensee must treat the event as if it occurred in an information system maintained by the licensee for purposes of subsection (a). (§ 56-2-1006 (d)(1), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • In the case of a cybersecurity event involving nonpublic information that is used by, or in the possession, custody, or control of, a licensee acting as an assuming insurer that does not have a direct contractual relationship with the affected consumers, the assuming insurer shall notify the affecte… (§ 56-2-1006 (e)(1)(A), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • In the case of a cybersecurity event involving nonpublic information in the possession, custody, or control of a third-party service provider of a licensee that is an assuming insurer, the assuming insurer shall notify the affected ceding insurers and the commissioner of the licensee's state of domi… (§ 56-2-1006 (e)(2)(A), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • In the event an entity provides notice to more than 1,000 persons at one time, pursuant to this section, the entity shall notify, without unreasonable delay, the Office of the Attorney General and the Commissioner of Health of the timing, distribution, and content of the notice. (§ 32.1-127.1:05.E, Code of Virginia Title 32.1, Chapter 5., Section 32.1-127.1:05 Breach of medical information notification.)
  • If a licensee has determined that a cybersecurity event has actually occurred, such licensee shall notify the Commissioner, in accordance with requirements prescribed by the Commission, as promptly as possible but in no event later than three business days from such determination if: (§ 38.2-625.A., Code of Virginia, Title 38.2, Chapter 6, Article 2, Sections 621-629, Insurance Data Security Act)
  • The licensee is a domestic insurance company, or in the case of a producer, the Commonwealth is the licensee's home state and the cybersecurity event meets threshold and other requirements prescribed by the Commission; or (§ 38.2-625.A.1., Code of Virginia, Title 38.2, Chapter 6, Article 2, Sections 621-629, Insurance Data Security Act)
  • The licensee reasonably believes that the nonpublic information involved is of 250 or more consumers residing in the Commonwealth or the licensee is required under federal law or the laws of another state to provide notice of the cybersecurity event to any government body, self-regulatory agency, or… (§ 38.2-625.A.2., Code of Virginia, Title 38.2, Chapter 6, Article 2, Sections 621-629, Insurance Data Security Act)
  • If there is a cybersecurity event in a system maintained by a third-party service provider, the licensee, once it has become aware of such cybersecurity event, shall treat such event as it would under this section, unless the third-party service provider provides notice in accordance with this secti… (§ 38.2-626.F., Code of Virginia, Title 38.2, Chapter 6, Article 2, Sections 621-629, Insurance Data Security Act)
  • If a cybersecurity event involves nonpublic information that is used by a licensee that is acting as an assuming insurer or is in the possession, control, or custody of a licensee that is acting as an assuming insurer or its third-party service provider and the licensee does not have a direct contra… (§ 38.2-625.F., Code of Virginia, Title 38.2, Chapter 6, Article 2, Sections 621-629, Insurance Data Security Act)
  • A cybersecurity event for which notice is required to be provided to a government body, self-regulatory agency, or other supervisory entity under state or federal law. (§ 601.954(1)(a)2.a., Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)
  • Third-party service providers. If the licensee has knowledge of a cybersecurity event involving nonpublic information on an information system maintained by a 3rd-party service provider and any of the conditions in sub. (1) (a) are met, the licensee shall provide notice to the commissioner no later … (§ 601.954(3), Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)
  • Reinsurers. In the event of a cybersecurity event involving nonpublic information, or involving nonpublic information on an information system maintained by a 3rd-party service provider, a licensee who is acting as an assuming insurer and who does not have a direct contractual relationship with the … (§ 601.954(4), Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)