Current through Chapter 61 of the 2024 Legislative Session and 2024 Executive Orders 125, 133 through 135
Section 21.23.250 - [Effective 1/1/2026] Risk assessment

(a) A licensee shall conduct a risk assessment commensurate with the size and complexity of the licensee and in consideration of the nature and scope of the licensee's activities to evaluate the security and confidentiality of nonpublic information used by or in the possession or control of the licensee. In conducting the risk assessment, the licensee shall

(1) identify reasonably foreseeable internal or external threats in each area of the licensee's operations that could result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information, including the security of information systems and nonpublic information that are accessible to, or held by, third-party service providers;

(2) assess the likelihood and potential damage of the threats identified in (1) of this subsection, taking into consideration the sensitivity of nonpublic information; and

(3) assess the sufficiency in each area of the licensee's operations of the licensee's policies, procedures, information systems, and other safeguards in place to manage the threats identified in (1) of this subsection, including the areas of

(A) employee training and management;

(B) network and software design, information classification, governance, processing, storage, transmission, and disposal; and

(C) detecting, preventing, and responding to attacks or intrusions on information systems and nonpublic information, or other information system failures.

(b) A licensee shall use the licensee's risk assessment to design the licensee's information security program required under AS 21.23.260(a).

Added by SLA 2024, ch. 39, sec. 1, eff. 1/1/2026.