Sec. 17. A licensee shall conduct a risk assessment of its information systems and treatment of nonpublic information by doing the following:
(1) Designating one (1) or more employees, an affiliate, or an outside vendor designated to act on behalf of the licensee information security program.
(2) Identifying reasonably foreseeable internal or external threats that could result in a cybersecurity event, including threats to information systems and nonpublic information held or accessed by third party service providers.
(3) Assessing the likelihood and potential damage of the threats identified in subdivision (2), taking into consideration the sensitivity of the nonpublic information.
(4) Assessing the sufficiency of the policies, procedures, information systems, and other safeguards currently in place to manage the threats identified in subdivision (2), including an assessment of threats in each relevant area of the licensee's operations, including the following:
(A) Employee training and management.
(B) Information systems, including network and software design, and information classification, governance, processing, storage, transmission, and disposal.
(C) Procedures for detecting, preventing, and responding to cybersecurity events or other systems failures.
(5) Implementing information safeguards to manage the threats identified under subdivision (2), and assessing the effectiveness of the safeguards' key controls, systems, and procedures at least one (1) time each year.
As added by P.L.130-2020, SEC.10.
Indiana Code, Article 2 (Powers and Duties of Insurers), Chapter 27 (Insurance Data Security).