Current with legislation from 2024 Fiscal and Special Sessions.
Section 21-2-805 - Arkansas Cyber Response Board

(a)(1) There is created the Arkansas Cyber Response Board, which shall be composed of the following members:
(A)(i) Three (3) members appointed by the Governor, one (1) of whom shall represent counties and one (1) of whom shall represent municipalities.
(ii)(a) In addition to the three (3) members appointed by the Governor under subdivision (a)(1)(A)(i) of this section:
(1) The Governor shall appoint one (1) member if the State of Arkansas joins the Arkansas Self-Funded Cyber Response Program; and
(2) The Governor shall appoint one (1) member if a higher education entity joins the program.
(b) If the Governor appoints members under subdivision (a)(1)(A)(ii)(a) of this section, the Chair of the Arkansas Cyber Response Board shall notify the Legislative Council and the Director of the Bureau of Legislative Research of the additional appointments;
(B) The Secretary of the Department of Education or his or her designee;
(C) The Director of the Division of Information Systems or his or her designee;
(D) The Director of the Division of Emergency Management or his or her designee;
(E) One (1) staff member of Arkansas Legislative Audit who is designated by the Legislative Auditor; and
(F) The Insurance Commissioner or his or her designee.
(2) The member under subdivision (a)(1)(F) of this section shall be a nonvoting board member.
(3) The commissioner shall serve as the Chair of the Arkansas Cyber Response Board and call the first meeting no later than thirty (30) days after August 1, 2023.
(4) Members of the board that are appointed by the Governor shall serve a term of six (6) years.

(b) The board shall:
(1)(A) Establish a definition of a cyberattack that will be covered under the Arkansas Self-Funded Cyber Response Program based on industry standards.
(B) The definition of a cyberattack established under subdivision (b)(1)(A) of this section shall be reviewed annually and updated as necessary by the board;
(2) Establish minimum cybersecurity standards for participating governmental entities;
(3) Determine a maximum amount of program coverage, not to exceed fifty thousand dollars ($50,000), for participating governmental entities that have not met the minimum cybersecurity standards established by the board under this section;
(4) Create a cyber response panel;
(5)(A) Designate a cyber response contact.
(B) The cyber response contact may select an entity from the cyber response panel to assist with forensic analysis, restoration guidance, and other board-authorized assistance to the participating governmental entity.
(C) The cyber response contact shall provide to the board:
(i) Prompt notice detailing the cyberattack; and
(ii) A detailed report of the action that is being taken;
(6) Promulgate rules and procedures regarding utilization of the program by participating governmental entities to generally align with the following procedures:
(A) Upon discovery of a cyberattack, a participating governmental entity shall notify the cyber response contact designated by the board;
(B)(i) The cyber response contact shall make a determination of program coverage in consultation with the board, if feasible.
(ii) If consultation with the board is not feasible under subdivision (b)(6)(B)(i) of this section due to the timing of the cyberattack, then the cyber response contact shall review and evaluate criteria established by the board to make a determination of program coverage.
(C) The cyber response contact shall notify the board once the cyber response contact has made a determination of program coverage; and
(D) Any other procedures that the board deems necessary to carry out this subchapter.

(c)(1) Board members shall receive no compensation for their services, but members other than the Secretary of the Department of Education, the Director of the Division of Information Systems, the Director of the Division of Emergency Management, the staff member of Arkansas Legislative Audit, the board member appointed by the Governor, and the commissioner may receive expense reimbursement under § 25-16-901 et seq.
(2) The expense reimbursement of board members shall be paid from the Arkansas Self-Funded Cyber Response Program Trust Fund.

(d)(1) The board shall meet at least quarterly.
(2) If there is no proof of loss or other business for the board to consider, the chair may cancel a regularly scheduled quarterly meeting upon written notice to the board members.
(3) The board shall also meet at any other time as necessary to carry out its responsibilities and duties, at the call of the chair, or upon the request of a majority of the board.
(4) The board may meet in person or virtually at the determination of the chair.
(5) All action of the board shall be by majority vote of the membership in attendance.
(6)(A) If a board member is unable to attend any board meeting, the board member shall appoint a designee to act as his or her representative.
(B) The representative under subdivision (d)(6)(A) of this section shall have all the rights and privileges of the board member represented.

(e)(1) Due to the potential threat to the security of participating governmental entities, all meetings, documents, and records, except financial records, shall be exempt from disclosure under the Freedom of Information Act of 1967, § 25-19-101 et seq.
(2) The financial records of the fund shall not be exempt from disclosure under the Freedom of Information Act of 1967, § 25-19-101 et seq.
(3) However, all meetings, documents, records, and policy decisions shall be subject to review by the Joint Committee on Advanced Communications and Information Technology during a closed meeting.

(f) The board shall prepare and submit an annual report to the Joint Committee on Advanced Communications and Information Technology concerning cyberattacks on participating governmental entities.

(g) The board shall:
(1) Administer the fund; and
(2) Notify, in a timely manner, the cochairs of the Joint Committee on Advanced Communications and Information Technology of any payments made to a government entity of thirty-five thousand dollars ($35,000) or greater due to a cyberattack incidence.

Added by Act 2023, No. 846, § 2, eff. 8/1/2023.