The bill amends Section 27-13.1-3 of the General Laws to update the language regarding the authority, scope, and scheduling of examinations by the director of the Department of Business Regulation, including changes for gender neutrality and specifying that examinations of any company may occur as often as deemed appropriate, but at least once every five years. It also introduces a new section, 27-1-46, which requires domestic insurance companies to develop, implement, and maintain a comprehensive written information security program, with administrative, technical, and physical safeguards for the protection of nonpublic information and the insurer's information system. The bill defines relevant terms and outlines the objectives and requirements of the information security program, including risk assessment, designation of responsible personnel, and evaluation of threats, especially those posed by third-party service providers.
The bill further mandates insurers to implement information safeguards to manage identified threats and to annually assess the effectiveness of these safeguards. It specifies risk management strategies, including the design of an information security program to mitigate risks, implementation of appropriate security measures, and inclusion of cybersecurity risks in the insurer's enterprise risk management process. Insurers with a board of directors are required to have the board oversee the development, implementation, and maintenance of the information security program. The bill also requires insurers to notify the commissioner within three business days upon determining that a cybersecurity event has occurred, with detailed information about the event, and to maintain records of all such events for at least five years. Additionally, it outlines procedures for notifying the commissioner about cybersecurity events involving third-party service providers and reinsurers, and mandates that insurers domiciled in the state must annually certify compliance with these requirements. The "Identity Theft Protection Act of 2015" is also introduced, with new requirements for insurers in the event of a cybersecurity event, including notification of affected parties and the commissioner within 72 hours. The act is set to take effect on January 1, 2025.
Statutes affected:
7281 SUB A: 27-13.1-3
7281: 27-13.1-3