Section 27-2-27-17 - Risk assessment; requirements A licensee shall conduct a risk assessment of its information systems and treatment of nonpublic information by doing the following:
(1) Designating one (1) or more employees, an affiliate, or an outside vendor designated to act on behalf of the licensee information security program.(2) Identifying reasonably foreseeable internal or external threats that could result in a cybersecurity event, including threats to information systems and nonpublic information held or accessed by third party service providers.(3) Assessing the likelihood and potential damage of the threats identified in subdivision (2), taking into consideration the sensitivity of the nonpublic information.(4) Assessing the sufficiency of the policies, procedures, information systems, and other safeguards currently in place to manage the threats identified in subdivision (2), including an assessment of threats in each relevant area of the licensee's operations, including the following:(A) Employee training and management.(B) Information systems, including network and software design, and information classification, governance, processing, storage, transmission, and disposal.(C) Procedures for detecting, preventing, and responding to cybersecurity events or other systems failures.(5) Implementing information safeguards to manage the threats identified under subdivision (2), and assessing the effectiveness of the safeguards' key controls, systems, and procedures at least one (1) time each year.Added by P.L. 130-2020,SEC. 10, eff. 7/1/2020.