Include the number of customers that were affected by the incident in the incident response report.


CONTROL ID
12727
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Create an incident response report following an incident response., CC ID: 12700

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Magnitude of the incident including foregone revenue, losses, costs, investments, number of customers affected, implications, consequences to reputation and confidence; and (§ 7.3.12.b.ii., Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • the number and/or relevance of clients or financial counterparts affected and, where applicable, the amount or number of transactions affected by the ICT-related incident, and whether the ICT-related incident has caused reputational impact; (Art. 18.1.(a), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • In the event of a failure of assets which are of essential importance for the availability of the cloud service (e. g. central network components), the cloud provider is able to promptly detect which cloud customers are affected by this in order to ensure a response to the malfunctions occurred that… (Section 5.4 AM-01 Description of additional requirements (availability) ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • For each significant service disruption, the entity shall disclose the duration of the disruption, the extent of impact, and the root cause, as well as any corrective actions taken to prevent future disruptions. Where material, the entity shall indicate the associated cost incurred, such as remediat… (Note to TC-SI-550a.1 1, Software & IT Services Sustainability Accounting Standard, Version 2018-10)
  • The entity may discuss estimated amount of potential loss, probability of that loss, and the associated time frame. These estimates may be based on insurance figures or other third-party or internal assessments of potential loss. (TC-SI-550a.2. 4, Software & IT Services Sustainability Accounting Standard, Version 2018-10)
  • For each significant service interruption, the entity shall disclose the duration of the disruption, the extent of impact, and the root cause, as well as any corrective actions taken to prevent future disruptions. (Note to TC-TL-550a.1 1, Telecommunication Services Sustainability Accounting Standard, Version 2018-10)
  • The number of total Consumers in this State affected by the Cybersecurity Event. The Licensee shall provide the best estimate in the initial report to the Commissioner and update this estimate with each subsequent report to the Commissioner pursuant to this section; (Section 6.B(9), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • An analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss. (§242.1002(b)(4)(ii)(C), 17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures)
  • To the extent available as of the time of the notification: The SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, o… (§242.1002(b)(2)(ii), 17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures)
  • The SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; and (§242.1002(c)(1)(ii)(B), 17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures)
  • A detailed description of: The SCI entity's assessment of the types and number of market participants affected by the SCI event; the SCI entity's assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; t… (§242.1002(b)(4)(ii)(A), 17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures)
  • the number of individuals whose information was affected by the major information security incident; and (§ 3554(c)(1)(A)(iii)(I), Federal Information Security Modernization Act of 2014)
  • The approximate number of individuals in the state who were affected by the breach. (§ 8-38-6 (b)(2), Code of Alabama Title 8 Chapter 38 Section 8-38-1 thru 8-38-12, Alabama Data Breach Notification Act of 2018)
  • The number of total consumers in this state affected by the cybersecurity event. The licensee shall provide the best estimate in the initial report to the commissioner and update this estimate with each subsequent report to the commissioner pursuant to this section. (Section 27-62-6(b)(9), Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • The number of total consumers in this state affected by the cybersecurity event; (Part VI(e)(2)(A)(ix), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • The number of total consumers in this State who are affected by the cybersecurity event. The licensee shall provide the best estimate in the initial report to the Commissioner and update the estimate with each subsequent report to the Commissioner under this section. (§ 8606.(b)(2) i., Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • The number of District residents affected by the breach; (§ 28-3852. (b-1)(5), Code of the District of Columbia Title 28 Chapter 38 Subchapter II, Consumer Security Breach Notification)
  • The number of individuals in this state who were or potentially have been affected by the breach. (¶ 501.171(3)(b)2, Florida Statutes, Title XXXII, Chapter 501, Section 501.171, Security of confidential personal information)
  • The number of individuals in this state who were or potentially have been affected by the breach. (501.171 (3)(b) 2., Florida Statutes, Title XXXIII Chapter 501 Section 171, Security of confidential personal information)
  • The number of total consumers in the State affected by the cybersecurity event. (§431:3B-302(b)(9), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • The licensee shall provide the best estimate in the initial notification to the commissioner and update this estimate with each subsequent notification to the commissioner pursuant to this section; (§431:3B-302(b)(9) ¶ 1, Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • A government agency shall submit a written report to the legislature within twenty days after discovery of a security breach at the government agency that details information relating to the nature of the breach, the number of individuals affected by the breach, a copy of the notice of security brea… (§ 487N-4 ¶ 1, Hawaii Revised Statutes Volume 11 Chapter 487N, Security Breach of Personal Information)
  • The number of Illinois residents affected by such incident at the time of notification. (§ 10 (e)(2)(B), Illinois Compiled Statutes Chapter 815 Article 530 Sections 530/5 thru 530/25, Notice of Breach)
  • The number of Illinois residents affected by such incident at the time of notification. (§ 12 (e)(B), Illinois Compiled Statutes Chapter 815 Article 530 Sections 530/5 thru 530/25, Notice of Breach)
  • The total number of consumers in Indiana affected by the cybersecurity event. The licensee shall provide the best estimate in the initial report to the commissioner and update this estimate with each subsequent report to the commissioner under this section. (Sec. 21.(d)(9), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • The total number of consumers affected by the cybersecurity event. The licensee shall provide the best estimate of affected consumers in the licensee’s initial report to the commissioner and shall update the estimate in each subsequent report to the commissioner under subsection 3. (507F.7 2.h., Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • The total number of consumers in this state affected by the cybersecurity event. (§2506.B.(2)(i)(i), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • The licensee shall provide the best estimate in the initial report to the commissioner and update this estimate with each subsequent report to the commissioner pursuant to this Section. (§2506.B.(2)(i)(ii), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • Notification to consumer reporting agencies. If a person discovers a breach of the security of the system that requires notification to more than 1,000 persons at a single time, the person shall also notify, without unreasonable delay, consumer reporting agencies that compile and maintain files on c… (§ 1348. 4., Maine Revised Statutes Title 10 Chapter 210-B, Notice of Risk to Personal Data Act)
  • The total number of consumers in this State affected by the cybersecurity event. The licensee shall provide its best estimate in the notification provided pursuant to subsection 1 to the superintendent and update this estimate with each subsequent report to the superintendent pursuant to this sectio… (§2266 2.I., Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • The number of affected individuals residing in the State; (§ 14-3504. (h)(2)(i), Maryland Code Commercial Law Title 14 Subtitle 35 Sections 3504 thru 3507, Security Breach)
  • A person or agency that owns or licenses data that includes personal information about a resident of the commonwealth, shall provide notice, as soon as practicable and without unreasonable delay, when such person or agency (1) knows or has reason to know of a breach of security or (2) when the perso… (Section 3 (b) ¶ 1, Massachusetts General Law Title XV Chapter 93H, Security Breaches)
  • The number of total consumers in this state affected by the cybersecurity event. The licensee shall provide the best estimate in the initial report to the director and update this estimate with each subsequent report to the director under this section. (500.559 (2)(i), Michigan Compiled Laws Chapter 500 Act 218 of 1956 Chapter 5A Section 559, Notification of cybersecurity event involving nonpublic information; duty to update and supplement notifications to director; contents; application to third-party service provider; duties of ceding insurers with direct contractual relationship)
  • The number of total consumers in this state affected by the cybersecurity event. The licensee shall provide the best estimate in the initial report to the director and update this estimate with each subsequent report to the director under this section. (Sec. 559.(2)(i), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • the number of individuals whose data was improperly accessed or acquired; (§ 13.055 2.(b)(2), Minnesota Statutes Chapter 13 Section 055, Disclosure of Breach in Security; Notification and Investigation Report Required)
  • the number of total consumers in this state affected by the cybersecurity event. The licensee shall provide the best estimate in the initial report to the commissioner and update this estimate with each subsequent report to the commissioner pursuant to this section; (§ 60A.9853 Subdivision 2(9), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • The number of total consumers in this state affected by the cybersecurity event. The licensee shall provide the best estimate in the initial report to the commissioner and update this estimate with each subsequent report to the commissioner pursuant to this section; (§ 83-5-811 (2)(i), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • A state agency or third party that is required to issue a notification to an individual pursuant to this section shall simultaneously submit to the state's chief information officer at the department of administration and to the attorney general's consumer protection office an electronic copy of the… (¶ 2-6-1503(5), Montana Code Annotated Title 2., Chapter 6., Part 15., Sections 2-6-1501 to 1503)
  • If a person is required to notify more than 1,000 consumers of a breach of security pursuant to this section, the person shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined by 15 U.S.C. section … (§ 359-C:20 VI.(a), New Hampshire Revised Statutes Annotated Title XXVI Chapter 359-C Section 20, Notification of Security Breach Required)
  • Any person engaged in trade or commerce that is subject to RSA 358-A:3, I shall also notify the regulator which has primary regulatory authority over such trade or commerce. All other persons shall notify the New Hampshire attorney general's office. The notice shall include the anticipated date of t… (§ 359-C:20 I.(b), New Hampshire Revised Statutes Annotated Title XXVI Chapter 359-C Section 20, Notification of Security Breach Required)
  • The number of total consumers in this state affected by the cybersecurity event. The licensee shall provide the best estimate in the initial report to the commissioner and update this estimate with each subsequent report to the commissioner pursuant to this section. (§ 420-P:6 II.(i), New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • NOTIFICATION TO ATTORNEY GENERAL AND CREDIT REPORTING AGENCIES.--A person that is required to issue notification of a security breach pursuant to the Data Breach Notification Act to more than one thousand New Mexico residents as a result of a single security breach shall notify the office of the att… (¶ 10, New Mexico House Bill 15, Data Breach Notification Act)
  • In the event that any New York residents are to be notified, the person or business shall notify the state attorney general, the department of state and the division of state police as to the timing, content and distribution of the notices and approximate number of affected persons and shall provide… (§ 899-aa. 8. (a), Consolidated Laws of New York General Business GBS Chapter 20 Article 39-F Section 899-AA, Notification; person without valid authorization has acquired private information)
  • In the event that more than five thousand New York residents are to be notified at one time, the person or business shall also notify consumer reporting agencies as to the timing, content and distribution of the notices and approximate number of affected persons. Such notice shall be made without de… (§ 899-aa. 8. (b), Consolidated Laws of New York General Business GBS Chapter 20 Article 39-F Section 899-AA, Notification; person without valid authorization has acquired private information)
  • In the event that any New York residents are to be notified, the person or business shall notify the state attorney general, the department of state and the division of state police as to the timing, content and distribution of the notices and approximate number of affected persons and shall provide… (§ 899-AA. 8(a), New York General Business Law Chapter 20, Article 39-F, Section 899-aa, Notification; person without valid authorization has acquired private information)
  • In the event a business provides notice to an affected person pursuant to this section, the business shall notify without unreasonable delay the Consumer Protection Division of the Attorney General's Office of the nature of the breach, the number of consumers affected by the breach, steps taken to i… (§ 75-65. (e1), North Carolina General Statutes Chapter 75 Article 2A Section 65, Protection from security breaches)
  • The total number of consumers in this state affected by the cybersecurity event. The licensee shall provide the best estimate in the initial report to the commissioner and update the estimate with a subsequent report to the commissioner pursuant to this section; (26.1-02.2-05. 2.i., North Dakota Century Code, Title 26.1, Chapter 26.1‑02.2, Sections 1-11, Insurance Data Security)
  • The number of total consumers in this state affected by the cybersecurity event. The licensee shall provide the best estimate in the initial report to the superintendent and update this estimate with each subsequent report to the superintendent pursuant to this section. (Section 3965.04 (B)(1)(i), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • For state and municipal agencies, no later than thirty (30) calendar days after confirmation of the breach and the ability to ascertain the information required to fulfill the notice requirements contained in subsection (d), and shall be consistent with the legitimate needs of law enforcement as pro… (§ 11-49.3-4. (a)(2)(i), Rhode Island General Laws Title 11 Chapter 49.3, Sections 4 thru 7, Notification of Breach)
  • For persons subject to subsection (a)(1), which is not a state or municipal agency, no later than forty-five (45) calendar days after confirmation of the breach and the ability to ascertain the information required to fulfill the notice requirements contained in subsection (d), and shall be consiste… (§ 11-49.3-4. (a)(2)(ii), Rhode Island General Laws Title 11 Chapter 49.3, Sections 4 thru 7, Notification of Breach)
  • A general and brief description of the incident, including how the security breach occurred and the number of affected individuals; (§ 11-49.3-4. (d)(1), Rhode Island General Laws Title 11 Chapter 49.3, Sections 4 thru 7, Notification of Breach)
  • the number of total consumers in this State affected by the cybersecurity event, in which case the licensee shall provide the best estimate in the initial report to the director and update this estimate with each subsequent report to the director pursuant to this section; (SECTION 38-99-40. (B)(9), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • The number of total consumers in this state affected by the cybersecurity event. The licensee shall provide its best estimate of this number of consumers in its initial report to the commissioner and update this estimate with each subsequent report to the commissioner pursuant to this subsection (b)… (§ 56-2-1006 (b)(1)(I), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • the number of residents of this state affected by the breach at the time of notification; (§ 521.053. (i)(2), Texas Business and Commerce Code Title 11 Subtitle B Chapter 521 Section 521.053, Notification Required Following Breach of Security of Computerized Data)
  • When the data collector provides notice of the breach pursuant to subdivision (1) of this subsection (b), the data collector shall notify the Attorney General or the Department, as applicable, of the number of Vermont consumers affected, if known to the data collector, and shall provide a copy of th… (§ 2435. (b)(3)(C)(i), Vermont Statutes Title 9 Chapter 62, Subchapter 2, Security Breach Notice Act)
  • The number of consumers in the Commonwealth affected by the cybersecurity event. The licensee shall provide the best estimate in the initial report to the Commissioner and update this estimate with each subsequent report to the Commissioner pursuant to this section; (§ 38.2-625.B.9., Code of Virginia, Title 38.2, Chapter 6, Article 2, Sections 621-629, Insurance Data Security Act)
  • The number of Washington consumers affected by the breach, or an estimate if the exact number is not known; (RCW 19.255.010 (7)(a)(i), Revised Code of Washington Title 19 Chapter 255, Personal Information -- Notice of Security Breaches)
  • Any agency that is required to issue a notification pursuant to this section to more than five hundred Washington residents as a result of a single breach shall, by the time notice is provided to affected individuals, electronically submit a single sample copy of that security breach notification, e… (§42.56.590(14), Revised Code of Washington Title 42, Chapter 42.56, Section 42.56.590 Personal information—Notice of security breaches.)
  • If a security breach of either of these types occurs, all licensees must notify the Insurance Commissioner. The notification must be made in writing and must include the number of consumers potentially affected and the actions being taken by the licensee. (¶ 3, Washington State Register, 17-23-188, Two Day Notification Requirement for Security Breaches)
  • The number of consumers affected by the cybersecurity event. (§ 601.954(1)(b)5., Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)