Sec. 20. (a) As part of its information security program, a licensee shall establish a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event.
(b) An incident response plan must include the following:
(1) The internal process for responding to a cybersecurity event.
(2) The goals of the incident response plan.
(3) The definition of clear roles, responsibilities, and levels of decision making authority.
(4) External and internal communications and information sharing.
(5) Identification of requirements for the remediation of any identified weaknesses in information systems and associated controls.
(6) Documentation and reporting regarding cybersecurity events and related incident response activities.
(7) The evaluation and revision, as necessary, of the incident response plan.
(c) Annually, not later than April 15, each insurer domiciled in Indiana shall submit to the commissioner a written statement certifying that the insurer is in compliance with the requirements set forth in sections 16 through 19 of this chapter and this section. Each insurer shall maintain for examination by the department all records, schedules, and data supporting this certificate for a period of five (5) years. To the extent an insurer has identified areas, systems, or processes that require material improvement, updating, or redesign, the insurer shall document the identification of the areas, systems, or processes and the remedial efforts planned and underway to address the areas, systems, or processes. The documentation must be available for inspection by the commissioner.
As added by P.L.130-2020, SEC.10.