Cyber Legislation Introduced in Illinois | Legislative Alert
As part of its advocacy efforts, the Alliance continually monitors legislation and regulations on behalf of its members. As the Alliance is made aware of legislation or regulations that could impact fraternal insurers, we will provide timely information regarding these matters. Below is information regarding a cybersecurity bill that was recently introduced in Illinois.
As introduced, House Bill 2829 would create the “Financial Institution Cybersecurity Act,” which provides that certain covered entities must maintain a cybersecurity program to protect the confidentiality of their information systems. The term “covered entity” as used in the legislation means “any person operating under or required to operate under ... the Illinois Insurance Code” ... and other codes as enumerated. Under the legislation, each covered entity must maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the covered entity’s information systems. Each covered entity must also implement and maintain a written policy or policies, approved by a senior officer of the covered entity’s board of directors (or an appropriate committee thereof) or equivalent governing body, setting forth the covered entity’s policies and procedures for the protection of its information systems and the nonpublic information stored on those information systems.
In addition to certain internal reports that must be provided to the covered entity’s board of directors, covered entities must conduct periodic risk assessments designed to assess the effectiveness of the covered entity’s cybersecurity program. The covered entity must also establish a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event materially affecting the confidentiality, integrity or availability of the covered entity’s information systems.
In the event of a cybersecurity event, covered entities are required to notify the Superintendent no later than 72 hours after a determination that a cybersecurity event of the type defined in the legislation has occurred.
The Illinois legislation mirrors the NY Cybersecurity Regulation and includes similar exemption language. Under House Bill 2829, covered entities may qualify for an exemption from some provisions of the legislation if they have:
(a) less than 10 employees, including independent contractors, of the covered entity located in Illinois or responsible for business of the covered entity; OR
(b) less than $5M in gross annual revenue in each of the last 3 fiscal years from Illinois business operations of the covered entity or its affiliates; OR
(c) less than $10M in year-end total assets, calculated in accordance with GAAP, including assets of affiliates.
A covered entity that qualifies for any of the exemptions above shall file a notice of exemption, in the form set forth by the Secretary of Financial and Professional Regulation, within 30 days of the determination that the covered entity is exempt. If a covered entity, as of its most recent fiscal year end, ceases to qualify for an exemption, that covered entity shall have 180 days from that fiscal year end to comply with all applicable requirements of the Act.
An employee, agent, representative, or designee of a covered entity that is itself a covered entity is exempt from this Act and need not develop its own cybersecurity program, to the extent that the employee, agent, representative or designee is covered by the cybersecurity program of the covered entity. A covered entity that does not directly or indirectly operate, maintain, utilize or control any information systems, and that does not, and is not required to, directly or indirectly control, own, access, generate, receive or possess nonpublic information, is exempt from certain requirements, as specified in the legislation.
The legislation provides for a January 1, 2020 effective date and gives covered entities 180 days from the effective date to comply with certain provisions. It also provides for additional transition periods for compliance with specific provisions enumerated in the legislation as follows:
One year from the effective date of the Act, covered entities must comply with the requirements set forth in subsection (b) of Section 20, Sections 25, 45 and 60, and subsection (b) of Section 70.
18 months from the effective date of the Act, covered entities must comply with the requirements of Sections 30, 45 and 65, subsection (a) of Section 70, and Section 75.
Two years from the effective date of the Act, covered entities must comply with the requirements of Section 55 of the Act.
The Alliance is monitoring House Bill 2829 and will provide updates on the legislation as needed. Please distribute this Legislative Alert to others within your society to permit maximum distribution. If you have any questions regarding this Alert, please contact Joe Annotti (firstname.lastname@example.org).