Alaska Stat. § 21.23.260

Current through Chapter 61 of the 2024 Legislative Session and 2024 Executive Orders 125, 133 through 135
Section 21.23.260 - [Effective 1/1/2026] Information security program
(a) A licensee shall develop, implement, and maintain a comprehensive written information security program based on the licensee's risk assessment conducted under AS 21.23.250(a). A licensee shall designate one or more employees, an outside vendor, or a third-party service provider to act on behalf of the licensee as the person responsible for the licensee's information security program.
(b) A licensee's information security program must
(1) contain administrative, technical, and physical safeguards to protect the security and confidentiality of nonpublic information and the security of the licensee's information system;
(2) protect against a threat or hazard to the security or integrity of nonpublic information and the information system;
(3) protect against unauthorized access to or use of nonpublic information and minimize the likelihood of harm to a consumer;
(4) establish and periodically reevaluate a schedule for retention of nonpublic information; and
(5) establish and implement a mechanism for the destruction of nonpublic information when the information is no longer needed.
(c) In developing, implementing, and maintaining a licensee's information security program, the licensee shall
(1) based on the licensee's risk assessment conducted under AS 21.23.250(a), implement the following security measures if the licensee determines that the security measure is appropriate:
(A) place and use effective access controls on information systems, including controls to authenticate and permit access only by authorized individuals, to protect against the unauthorized acquisition of nonpublic information; the controls may include multi-factor authentication procedures;
(B) identify and manage the data, personnel, devices, information systems, and facilities that enable the organization to achieve its business objectives in accordance with the relative importance of the data, personnel, devices, information systems, and facilities to the organization's business objectives and risk strategy;
(C) allow only authorized individuals to access physical locations containing nonpublic information;
(D) protect by encryption or other appropriate means nonpublic information transmitted over an external network or stored on a laptop computer or other portable computing or storage device or media;
(E) adopt secure development practices for applications used by the licensee that are developed in-house; the licensee shall adopt procedures for testing the security of externally developed applications used by the licensee;
(F) modify information systems in accordance with the licensee's information security program;
(G) regularly test and monitor information systems and procedures to detect actual and attempted attacks on, or intrusions into, information systems;
(H) include audit trails inside the information security program that are designed to detect and respond to cybersecurity events and to reconstruct material financial transactions sufficient to support normal operations and obligations of the licensee;
(I) implement measures to protect against destruction, loss, or damage of nonpublic information caused by environmental hazards, including fire and water damage, or other catastrophes or technological failures; and
(J) develop, implement, and maintain procedures for the secure disposal of nonpublic information in any format;
(2) determine the cybersecurity risks to include in the licensee's risk management process;
(3) stay informed of emerging threats or vulnerabilities and, when sharing information, use reasonable security measures in accordance with the character of the sharing and the type of information shared;
(4) include cybersecurity risks in the licensee's enterprise risk management process;
(5) provide personnel of the licensee with cybersecurity awareness training that is updated as necessary to reflect the risks identified in the risk assessment;
(6) implement information safeguards to manage the threats identified in a risk assessment, and, not less than once a year, assess the effectiveness of the key controls, information systems, and procedures of the safeguards;
(7) [Subsection (7) Effective 1/1/2027] exercise due diligence in selecting a third-party service provider;
(8) [Subsection (8) Effective 1/1/2027] where appropriate, require a third-party service provider to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to, or held by, the third-party service provider; for purposes of this paragraph, encrypted nonpublic information is not considered accessible to, or held by, the third-party service provider if the associated protective process or key necessary to assign meaning to the nonpublic information is not within the possession of the third-party service provider;
(9) require that a third-party service provider that has access to or holds nonpublic information notify the licensee as soon as possible but not later than 10 business days after determining that the third-party service provider has experienced a cybersecurity event involving nonpublic information associated with a consumer; for purposes of this paragraph, encrypted nonpublic information is considered accessible to or held by the third-party service provider if the associated protective process or key necessary to assign meaning to the nonpublic information is within the possession of the third-party service provider;
(10) monitor, evaluate, and adjust, as appropriate, the information security program consistent with relevant changes in technology, the sensitivity of its nonpublic information, internal or external threats to nonpublic information, and the licensee's own changing business arrangements, including mergers, acquisitions, alliances, joint ventures, outsourcing arrangements, and changes to information systems; and
(11) establish a written incident response plan designed to promptly respond to, and recover from, a cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in the licensee's possession, the licensee's information systems, or the continuing functionality of an aspect of the licensee's business or operations; the incident response plan must address the following:
(A) the internal process for responding to a cybersecurity event;
(B) the goals of the incident response plan;
(C) the definition of clear roles, responsibilities, and levels of decision-making authority;
(D) the licensee's internal process used for external and internal communication and information sharing;
(E) the identification of requirements for the remediation of an identified weakness in information systems and associated controls;
(F) the documentation and reporting of cybersecurity events and related incident response activities; and
(G) the evaluation and revision as necessary of the incident response plan following a cybersecurity event.
(d) A licensee's board of directors or an appropriate committee of the licensee's board of directors shall, at a minimum, require that
(1) the licensee's executive management or the executive management's delegate develop, implement, and maintain the licensee's information security program; and
(2) at least once a year, the licensee's executive management or the executive management's delegate report to the licensee's board of directors or an appropriate committee of the licensee's board of directors the following in writing:
(A) the overall status of the information security program and the licensee's compliance with AS 21.23.240 - 21.23.399; and
(B) material matters related to the information security program, including risk assessment, risk management and control decisions, third-party service provider arrangements, results of testing, cybersecurity events or violations, management's responses to the cybersecurity events or violations, and recommendations for changes in the information security program.
(e) If a licensee's executive management meets a requirement under (d) of this section through a delegate, the executive management shall oversee the development, implementation, and maintenance of the licensee's information security program prepared by the delegate. The delegate shall provide a report to the executive management that complies with the requirements of (d)(2) of this section.
(f) Each licensee who is an insurer domiciled in this state shall
(1) submit to the director a written statement by February 15 of each year certifying that the insurer is in compliance with the requirements under AS 21.23.250 and this section;
(2) maintain and allow the director to examine for a period of five years after the insurer submits the written statement described in (1) of this subsection all records, schedules, and data supporting the written statement; and
(3) provide documentation of any areas, information systems, or processes that the insurer has identified as requiring material improvement, updating, or redesign, and provide documentation of the remedial efforts planned and underway to address the areas, information systems, or processes; the insurer shall make the documentation available for examination by the director at the director's request.
(g) In this section,
(1) "authorized individual" means an individual known to and screened by the licensee and for whom the licensee has determined access to the nonpublic information held by the licensee and its information systems is appropriate and necessary;
(2) "multi-factor authentication" means authentication through verification of at least two of the following types of authentication factors:
(A) a knowledge factor, including a password;
(B) a possession factor, including a token or text message on a mobile telephone; or
(C) an inherence factor, including a biometric characteristic.

AS 21.23.260

Added by SLA 2024, ch. 39, sec. 1, eff. 1/1/2026.