Sec. 16. (a) A licensee shall develop, implement, and maintain a comprehensive, written information security program that:
(1) is based on the risk assessment required under section 17 of this chapter; and
(2) contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee's information systems.
(b) An information security program must accomplish the following:
(1) Protect the security and confidentiality of nonpublic information and information systems.
(2) Protect against any threats or hazards to the security or integrity of nonpublic information and information systems.
(3) Protect against unauthorized access to or use of nonpublic information and minimize the likelihood of harm to a consumer.
(4) Define and periodically reevaluate a schedule for retention of nonpublic information and a procedure for its destruction when no longer needed.
As added by P.L.130-2020, SEC.10.
Structure Indiana Code
Article 2. Powers and Duties of Insurers
Chapter 27. Insurance Data Security
27-2-27-16. Information Security Program; Requirements