Investigation of a cybersecurity event.

(a) If a licensee learns that a cybersecurity event has or may have occurred, the licensee, or an outside vendor or service provider designated to act on behalf of the licensee, shall conduct a prompt investigation.

(b) During an investigation under this section, the licensee, or an outside vendor or service provider designated to act on behalf of the licensee, shall, at a minimum, do as much of the following as possible:

(1) Determine whether a cybersecurity event has occurred.

(2) Assess the nature and scope of the cybersecurity event.

(3) Identify the nonpublic information that may have been involved in the cybersecurity event.

(4) Perform or oversee reasonable measures to restore the security of the information system compromised in the cybersecurity event to prevent further unauthorized acquisition, release, or use of nonpublic information that is in the licensee's possession, custody, or control.

(c) If a licensee provides nonpublic information to a third-party service provider and learns that a cybersecurity event has or may have occurred in a system that the third-party service provider maintains, the licensee shall complete the steps listed in subsection (b) of this section or make reasonable efforts to confirm and document that the third-party service provider has completed the steps.

(d) A licensee shall maintain records concerning a cybersecurity event for a period of at least 5 years from the date of the cybersecurity event and shall produce those records upon the Commissioner's demand.

