Indiana Code
Chapter 27. Insurance Data Security
27-2-27-22. Notice to Ceding Insurers and Commissioner of Cybersecurity Event

Sec. 22. (a) In the case of a cybersecurity event involving nonpublic information that:
(1) is used by a licensee acting as an assuming insurer; or
(2) is in the possession, custody, or control of a licensee that:
(A) is acting as an assuming insurer; and
(B) does not have a direct contractual relationship with the affected consumers;
the assuming insurer shall notify its affected ceding insurers and the commissioner of its state of domicile within three (3) business days after making the determination that a cybersecurity event has occurred and the ceding insurers that have a direct contractual relationship with affected consumers shall fulfill the consumer notification requirements imposed under IC 24-4.9 and any other notification requirements relating to a cybersecurity event imposed under section 21(c) through 21(f) of this chapter.
(b) In the case of a cybersecurity event involving nonpublic information that is in the possession, custody, or control of a third party service provider of a licensee that is an assuming insurer:
(1) the assuming insurer shall notify its affected ceding insurers and the commissioner of its state of domicile within three (3) business days after receiving notice from its third party service provider that a cybersecurity event has occurred; and
(2) the ceding insurers that have a direct contractual relationship with affected consumers shall fulfill the consumer notification requirements imposed under IC 24-4.9 and any other notification requirements relating to a cybersecurity event imposed under section 21(c) through 21(f) of this chapter.
(c) Except for the obligations set forth in this section, a licensee acting as assuming insurer has no notice obligations relating to a cybersecurity event or other data breach under section 21 of this chapter or any other law of Indiana.
As added by P.L.130-2020, SEC.10.

Structure Indiana Code