Current through Pa Acts 2024-53, 2024-56 through 2024-111
Section 4514 - Corporate oversight(a) Duties.--If a licensee has a board of directors, the board or an appropriate committee of the board shall, at a minimum:(1) Require the licensee's executive management or delegates to develop, implement and maintain the licensee's information security program.(2) Require the licensee's executive management or delegates to report in writing at least annually, the following information:(i) The overall status of the information security program and the licensee's compliance with this chapter.(ii) Material matters related to the information security program, addressing issues such as: (A) Risk assessment, risk management and control decisions.(B) Third-party service provider arrangements.(C) The results of testing.(D) Cybersecurity events.(E) Any violation of this chapter and management's responses to the violation.(F) Recommendations for changes in the information security program.(b)Delegation.--If the executive management of a licensee delegates any of its responsibilities under this section or section 4512 (relating to risk assessment), 4513 (relating to information security program) or 4515 (relating to oversight of third-party service provider arrangements), the executive management shall oversee the development, implementation and maintenance of the licensee's information security program prepared by the delegated entity, which shall provide a written report to the executive management in accordance with the reporting requirements of this chapter.Added by P.L. TBD 2023 No. 2,§ 1, eff. 12/11/2023.