Haw. Rev. Stat. § 431:3B-202

Current through the 2024 Legislative Session
Section 431:3B-202 - Objectives of the information security program; risk assessment
(a) A licensee's information security program shall be designed to:
(1) Protect the security and confidentiality of nonpublic information and the security of the information system;
(2) Protect against any threats or hazards to the security or integrity of nonpublic information and the information system;
(3) Protect against unauthorized access to or use of nonpublic information, and minimize the likelihood of harm to any consumer; and
(4) Define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for its destruction when no longer needed.
(b) Regarding risk assessment, the licensee shall:
(1) Designate one or more employees, an affiliate, or a third-party service provider to act on behalf of the licensee who is responsible for the information security program;
(2) Identify reasonably foreseeable internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information, including the security of information systems and nonpublic information that are accessible to or held by third-party service providers;
(3) Assess the likelihood and potential damage of the reasonably foreseeable internal or external threats, taking into consideration the sensitivity of the nonpublic information;
(4) Assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage the reasonably foreseeable internal or external threats, including consideration of threats in each relevant area of the licensee's operations, including:
(A) Employee training and management;
(B) Information systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal; and
(C) Detecting, preventing, and responding to attacks, intrusions, or other systems failures; and
(5) Implement information safeguards to manage the threats identified in its ongoing assessment, and no less than annually, assess the effectiveness of the safeguards' key controls, systems, and procedures.

HRS § 431:3B-202

Added by L 2021, c 112, § 2, eff. 7/1/2021.