The bill amends Section 27-13.1-3 of the General Laws to update the language for gender neutrality and to give the director discretion to conduct examinations of insurance companies, with a mandatory examination at least once every five years based on various criteria. It also introduces a new section, 27-1-46, requiring domestic insurance companies to develop a comprehensive written information security program to protect nonpublic information, with specific guidelines on administrative, technical, and physical safeguards. The program must include a risk assessment, designate responsible personnel, and assess potential threats, including those from third-party service providers. Insurers must also integrate cybersecurity risks into their enterprise risk management processes, provide regular training, and if they have a board, ensure the board oversees the development and maintenance of the program.

The bill further details the creation of an incident response plan to address cybersecurity events, with insurers required to promptly respond to and recover from such events. Insurers must investigate potential cybersecurity events, maintain records for at least five years, and submit an annual compliance certification to the commissioner. In the event of a cybersecurity event, insurers must notify the commissioner within three business days if the event affects 250 or more consumers in the state or is likely to cause material harm. The bill also specifies the information to be included in the notification and outlines the procedures for notifying the commissioner about events involving third-party service providers and reinsurers. The "Identity Theft Protection Act of 2015" is introduced, setting new requirements for insurers in the event of a cybersecurity event, including notification protocols for affected parties. The act is set to take effect on January 1, 2025.

Statutes affected:
7281 SUB A: 27-13.1-3
7281: 27-13.1-3