Sec. 19. (a) If the licensee has a board of directors, the board of directors shall require the licensee's executive management or its delegates to develop, implement, and maintain the licensee's information security program.
(b) If the licensee's executive management delegates any of its responsibilities under this section, it shall:
(1) oversee the development, implementation, and maintenance of the licensee's information security program prepared by the delegate; and
(2) receive a report from the delegate concerning:
(A) the overall status of the information security program;
(B) the licensee's compliance with this chapter; and
(C) material matters related to the information security program addressing such issues as:
(i) risk assessment;
(ii) risk management and control decisions;
(iii) third party service provider arrangements;
(iv) results of testing;
(v) cybersecurity events and management's responses to cybersecurity events; and
(vi) recommendations for changes in the information security program.
As added by P.L.130-2020, SEC.10.