|
| | 101ST GENERAL ASSEMBLY
State of Illinois
2019 and 2020
HB2829 Introduced , by Rep. Anne Stava-Murray SYNOPSIS AS INTRODUCED:
|
| |
Creates the Financial Institution Cybersecurity Act. Provides that persons and entities operating under the authority of the Secretary of Financial and Professional Regulation under the Illinois Banking Act, the Illinois Insurance Code, the Savings Bank Act, the Illinois Credit Union Act, the Corporate Fiduciary Act, and the Residential Mortgage License Act of 1987 must maintain a cybersecurity program to protect the confidentiality of their information systems. Requires the implementation and maintenance of written policies to protect information systems. Makes provisions for testing, risk assessment, audit trails, and third-party service provider policies. Provides for supervision by the Secretary of Financial and Professional Regulation. Requires annual certifications beginning November 1, 2020. Effective January 1, 2020.
|
| |
| | | FISCAL NOTE ACT MAY APPLY | |
| | A BILL FOR |
|
|
| | HB2829 | | LRB101 10631 JLS 55737 b |
|
|
| 1 | | AN ACT concerning regulation.
|
| 2 | | Be it enacted by the People of the State of Illinois,
|
| 3 | | represented in the General Assembly:
|
| 4 | | Section 1. Short title. This Act may be cited as the |
| 5 | | Financial Institution Cybersecurity Act.
|
| 6 | | Section 5. Definitions. In this Act: |
| 7 | | (a) "Affiliate" means any person that controls, is |
| 8 | | controlled by or is under common control with another person. |
| 9 | | For purposes of this definition, "control" means the |
| 10 | | possession, direct or indirect, of the power to direct or cause |
| 11 | | the direction of the management and policies of a person, |
| 12 | | whether through the ownership of stock of such person or |
| 13 | | otherwise. |
| 14 | | (b) "Authorized user" means any employee, contractor, |
| 15 | | agent or other person that participates in the business |
| 16 | | operations of a covered entity and is authorized to access and |
| 17 | | use any information systems and data of the covered entity. |
| 18 | | (c) "Covered entity" means any person operating under or |
| 19 | | required to operate under the Illinois Banking Act, the |
| 20 | | Illinois Insurance Code, the Savings Bank Act, the Illinois |
| 21 | | Credit Union Act, the Corporate Fiduciary Act, and the |
| 22 | | Residential Mortgage License Act of 1987. |
| 23 | | (d) "Cybersecurity event" means any act or attempt, |
|
| | HB2829 | - 2 - | LRB101 10631 JLS 55737 b |
|
|
| 1 | | successful or unsuccessful, to gain unauthorized access to, |
| 2 | | disrupt or misuse an information system or information stored |
| 3 | | on such information system. |
| 4 | | (e) "Information system" means a discrete set of electronic |
| 5 | | information resources organized for the collection, |
| 6 | | processing, maintenance, use, sharing, dissemination or |
| 7 | | disposition of electronic information, as well as any |
| 8 | | specialized system such as industrial or process controls |
| 9 | | systems, telephone switching and private branch exchange |
| 10 | | systems, and environmental control systems. |
| 11 | | (f) "Multi-factor authentication" means authentication |
| 12 | | through verification of at least 2 of the following types of |
| 13 | | authentication factors: |
| 14 | | (1) knowledge factors, such as a password; or |
| 15 | | (2) possession factors, such as a token or text message |
| 16 | | on a mobile phone; or |
| 17 | | (3) inherence factors, such as a biometric |
| 18 | | characteristic. |
| 19 | | (g) "Nonpublic information" means all electronic |
| 20 | | information that is not publicly available information and is: |
| 21 | | (1) business related information of a covered entity |
| 22 | | the tampering with which, or unauthorized disclosure, |
| 23 | | access or use of which, would cause a material adverse |
| 24 | | impact to the business, operations or security of the |
| 25 | | covered entity; |
| 26 | | (2) any information concerning an individual which |
|
| | HB2829 | - 3 - | LRB101 10631 JLS 55737 b |
|
|
| 1 | | because of name, number, personal mark, or other identifier |
| 2 | | can be used to identify such individual, in combination |
| 3 | | with any one or more of the following data elements: (i) |
| 4 | | social security number, (ii) drivers' license number or |
| 5 | | non-driver identification card number, (iii) account |
| 6 | | number, credit or debit card number, (iv) any security |
| 7 | | code, access code or password that would permit access to |
| 8 | | an individual's financial account, or (v) biometric |
| 9 | | records; |
| 10 | | (3) any information or data, except age or gender, in |
| 11 | | any form or medium created by or derived from a health care |
| 12 | | provider or an individual and that relates to (i) the past, |
| 13 | | present or future physical, mental or behavioral health or |
| 14 | | condition of any individual or a member of the individual's |
| 15 | | family, (ii) the provision of health care to any |
| 16 | | individual, or (iii) payment for the provision of health |
| 17 | | care to any individual. |
| 18 | | (h) "Penetration testing" means a test methodology in which |
| 19 | | assessors attempt to circumvent or defeat the security features |
| 20 | | of an information system by attempting penetration of databases |
| 21 | | or controls from outside or inside the covered entity's |
| 22 | | information systems. |
| 23 | | (i) "Person" means any individual or any non-governmental |
| 24 | | entity, including but not limited to any non-governmental |
| 25 | | partnership, corporation, branch, agency, or association. |
| 26 | | (j) "Publicly available information" means any information |
|
| | HB2829 | - 4 - | LRB101 10631 JLS 55737 b |
|
|
| 1 | | that a covered entity has a reasonable basis to believe is |
| 2 | | lawfully made available to the general public from: federal, |
| 3 | | State, or local government records; widely distributed media; |
| 4 | | or disclosures to the general public that are required to be |
| 5 | | made by federal, State, or local law. |
| 6 | | For the purposes of this subsection, a covered entity has a |
| 7 | | reasonable basis to believe that information is lawfully made |
| 8 | | available to the general public if the covered entity has taken |
| 9 | | steps to determine: |
| 10 | | (1) that the information is of the type that is |
| 11 | | available to the general public; and |
| 12 | | (2) whether an individual can direct that the |
| 13 | | information not be made available to the general public |
| 14 | | and, if so, that such individual has not done so. |
| 15 | | (k) "Risk assessment" means the risk assessment that each |
| 16 | | covered entity is required to conduct under Section 45 of this |
| 17 | | Act. |
| 18 | | (l) "Risk-based authentication" means any risk-based |
| 19 | | system of authentication that detects anomalies or changes in |
| 20 | | the normal use patterns of a person and requires additional |
| 21 | | verification of the person's identity when such deviations or |
| 22 | | changes are detected, such as through the use of challenge |
| 23 | | questions. |
| 24 | | (m) "Secretary" means the Secretary of Financial and |
| 25 | | Professional Regulation. |
| 26 | | (n) "Senior officer" means the senior individual or |
|
| | HB2829 | - 5 - | LRB101 10631 JLS 55737 b |
|
|
| 1 | | individuals (acting collectively or as a committee) |
| 2 | | responsible for the management, operations, security, |
| 3 | | information systems, compliance or risk of a covered entity, |
| 4 | | including a branch or agency of a foreign banking organization |
| 5 | | subject to this Act. |
| 6 | | (o) "Third-party service provider" means a person that (i) |
| 7 | | is not an affiliate of the covered entity, (ii) provides |
| 8 | | services to the covered entity, and (iii) maintains, processes |
| 9 | | or otherwise is permitted access to nonpublic information |
| 10 | | through its provision of services to the covered entity.
|
| 11 | | Section 10. Cybersecurity program. |
| 12 | | (a) Each covered entity shall maintain a cybersecurity |
| 13 | | program designed to protect the confidentiality, integrity and |
| 14 | | availability of the covered entity's information systems. |
| 15 | | (b) The cybersecurity program shall be based on the covered |
| 16 | | entity's risk assessment and designed to perform the following |
| 17 | | core cybersecurity functions: |
| 18 | | (1) identify and assess internal and external |
| 19 | | cybersecurity risks that may threaten the security or |
| 20 | | integrity of nonpublic information stored on the covered |
| 21 | | entity's information systems; |
| 22 | | (2) use defensive infrastructure and the |
| 23 | | implementation of policies and procedures to protect the |
| 24 | | covered entity's information systems, and the nonpublic |
| 25 | | information stored on those information systems, from |
|
| | HB2829 | - 6 - | LRB101 10631 JLS 55737 b |
|
|
| 1 | | unauthorized access, use or other malicious acts; |
| 2 | | (3) detect cybersecurity events; |
| 3 | | (4) respond to identified or detected cybersecurity |
| 4 | | events to mitigate any negative effects; |
| 5 | | (5) recover from cybersecurity events and restore |
| 6 | | normal operations and services; and |
| 7 | | (6) fulfill applicable regulatory reporting |
| 8 | | obligations. |
| 9 | | (c) A covered entity may meet the requirements of this Act |
| 10 | | by adopting the relevant and applicable provisions of a |
| 11 | | cybersecurity program maintained by an affiliate, provided |
| 12 | | that such provisions satisfy the requirements of this Act, as |
| 13 | | applicable to the covered entity. |
| 14 | | (d) All documentation and information relevant to the |
| 15 | | covered entity's cybersecurity program shall be made available |
| 16 | | to the superintendent upon request.
|
| 17 | | Section 15. Cybersecurity policy. Each covered entity |
| 18 | | shall implement and maintain a written policy or policies, |
| 19 | | approved by a senior officer or the covered entity's board of |
| 20 | | directors (or an appropriate committee thereof) or equivalent |
| 21 | | governing body, setting forth the covered entity's policies and |
| 22 | | procedures for the protection of its information systems and |
| 23 | | nonpublic information stored on those information systems. The |
| 24 | | cybersecurity policy shall be based on the covered entity's |
| 25 | | risk assessment and address the following areas to the extent |
|
| | HB2829 | - 7 - | LRB101 10631 JLS 55737 b |
|
|
| 1 | | applicable to the covered entity's operations: |
| 2 | | (a) information security; |
| 3 | | (b) data governance and classification; |
| 4 | | (c) asset inventory and device management; |
| 5 | | (d) access controls and identity management; |
| 6 | | (e) business continuity and disaster recovery planning and |
| 7 | | resources; |
| 8 | | (f) systems operations and availability concerns; |
| 9 | | (g) systems and network security; |
| 10 | | (h) systems and network monitoring; |
| 11 | | (i) systems and application development and quality |
| 12 | | assurance; |
| 13 | | (j) physical security and environmental controls; |
| 14 | | (k) customer data privacy; |
| 15 | | (l) vendor and third-party service provider management; |
| 16 | | (m) risk assessment; and |
| 17 | | (n) incident response.
|
| 18 | | Section 20. Chief information security officer. |
| 19 | | (a) Chief information security officer. Each covered |
| 20 | | entity shall designate a qualified individual responsible for |
| 21 | | overseeing and implementing the covered entity's cybersecurity |
| 22 | | program and enforcing its cybersecurity policy (for purposes of |
| 23 | | this Act, "chief information security officer"). The chief |
| 24 | | information security officer may be employed by the covered |
| 25 | | entity, one of its affiliates or a third-party service |
|
| | HB2829 | - 8 - | LRB101 10631 JLS 55737 b |
|
|
| 1 | | provider. To the extent this requirement is met using a |
| 2 | | third-party service provider or an affiliate, the covered |
| 3 | | entity shall: |
| 4 | | (1) retain responsibility for compliance with this |
| 5 | | Act; |
| 6 | | (2) designate a senior member of the covered entity's |
| 7 | | personnel responsible for direction and oversight of the |
| 8 | | third-party service provider; and |
| 9 | | (3) require the third-party service provider to |
| 10 | | maintain a cybersecurity program that protects the covered |
| 11 | | entity in accordance with the requirements of this Act. |
| 12 | | (b) Report. The chief information security officer of each |
| 13 | | covered entity shall report in writing at least annually to the |
| 14 | | covered entity's board of directors or equivalent governing |
| 15 | | body. If no such board of directors or equivalent governing |
| 16 | | body exists, the report shall be timely presented to a senior |
| 17 | | officer of the covered entity responsible for the covered |
| 18 | | entity's cybersecurity program. The chief information security |
| 19 | | officer shall report on the covered entity's cybersecurity |
| 20 | | program and material cybersecurity risks. The chief |
| 21 | | information security officer shall consider to the extent |
| 22 | | applicable: |
| 23 | | (1) the confidentiality of nonpublic information and |
| 24 | | the integrity and security of the covered entity's |
| 25 | | information systems; |
| 26 | | (2) the covered entity's cybersecurity policies and |
|
| | HB2829 | - 9 - | LRB101 10631 JLS 55737 b |
|
|
| 1 | | procedures; |
| 2 | | (3) material cybersecurity risks to the covered |
| 3 | | entity; |
| 4 | | (4) overall effectiveness of the covered entity's |
| 5 | | cybersecurity program; and |
| 6 | | (5) material cybersecurity events involving the |
| 7 | | covered entity during the time period addressed by the |
| 8 | | report.
|
| 9 | | Section 25. Penetration testing and vulnerability |
| 10 | | assessments. The cybersecurity program for each covered entity |
| 11 | | shall include monitoring and testing, developed in accordance |
| 12 | | with the covered entity's risk assessment, designed to assess |
| 13 | | the effectiveness of the covered entity's cybersecurity |
| 14 | | program. The monitoring and testing shall include continuous |
| 15 | | monitoring or periodic penetration testing and vulnerability |
| 16 | | assessments. Absent effective continuous monitoring, or other |
| 17 | | systems to detect, on an ongoing basis, changes in information |
| 18 | | systems that may create or indicate vulnerabilities, covered |
| 19 | | entities shall conduct: |
| 20 | | (a) annual penetration testing of the covered entity's |
| 21 | | information systems determined each given year based on |
| 22 | | relevant identified risks in accordance with the risk |
| 23 | | assessment; and |
| 24 | | (b) bi-annual vulnerability assessments, including any |
| 25 | | systematic scans or reviews of information systems reasonably |
|
| | HB2829 | - 10 - | LRB101 10631 JLS 55737 b |
|
|
| 1 | | designed to identify publicly known cybersecurity |
| 2 | | vulnerabilities in the covered entity's information systems |
| 3 | | based on the risk assessment.
|
| 4 | | Section 30. Audit trail. |
| 5 | | (a) Each covered entity shall securely maintain systems |
| 6 | | that, to the extent applicable and based on its Risk |
| 7 | | Assessment: |
| 8 | | (1) are designed to reconstruct material financial |
| 9 | | transactions sufficient to support normal operations and |
| 10 | | obligations of the covered entity; and |
| 11 | | (2) include audit trails designed to detect and respond |
| 12 | | to cybersecurity events that have a reasonable likelihood |
| 13 | | of materially harming any material part of the normal |
| 14 | | operations of the covered entity. |
| 15 | | (b) Each covered entity shall maintain records required by |
| 16 | | paragraph(1) of subsection (a) for not fewer than 5 years and |
| 17 | | shall maintain records required by paragraph (2) of subsection |
| 18 | | (a) for not fewer than 3 years.
|
| 19 | | Section 35. Access privileges. As part of its cybersecurity |
| 20 | | program, based on the covered entity's risk assessment each |
| 21 | | covered entity shall limit user access privileges to |
| 22 | | information systems that provide access to Nonpublic |
| 23 | | Information and shall periodically review such access |
| 24 | | privileges.
|
|
| | HB2829 | - 11 - | LRB101 10631 JLS 55737 b |
|
|
| 1 | | Section 40. Application security. |
| 2 | | (a) Each covered entity's cybersecurity program shall |
| 3 | | include written procedures, guidelines and standards designed |
| 4 | | to ensure the use of secure development practices for in-house |
| 5 | | developed applications utilized by the covered entity, and |
| 6 | | procedures for evaluating, assessing or testing the security of |
| 7 | | externally developed applications utilized by the covered |
| 8 | | entity within the context of the covered entity's technology |
| 9 | | environment. |
| 10 | | (b) All such procedures, guidelines and standards shall be |
| 11 | | periodically reviewed, assessed and updated as necessary by the |
| 12 | | chief information security officer (or a qualified designee) of |
| 13 | | the covered entity.
|
| 14 | | Section 45. Risk assessment. |
| 15 | | (a) Each covered entity shall conduct a periodic Risk |
| 16 | | Assessment of the covered entity's information systems |
| 17 | | sufficient to inform the design of the cybersecurity program as |
| 18 | | required by this Act. Such risk assessment shall be updated as |
| 19 | | reasonably necessary to address changes to the covered entity's |
| 20 | | information systems, nonpublic information or business |
| 21 | | operations. The covered entity's risk assessment shall allow |
| 22 | | for revision of controls to respond to technological |
| 23 | | developments and evolving threats and shall consider the |
| 24 | | particular risks of the covered entity's business operations |
|
| | HB2829 | - 12 - | LRB101 10631 JLS 55737 b |
|
|
| 1 | | related to cybersecurity, nonpublic information collected or |
| 2 | | stored, information systems utilized and the availability and |
| 3 | | effectiveness of controls to protect nonpublic information and |
| 4 | | information systems. |
| 5 | | (b) The risk assessment shall be carried out in accordance |
| 6 | | with written policies and procedures and shall be documented. |
| 7 | | Such policies and procedures shall include: |
| 8 | | (1) criteria for the evaluation and categorization of |
| 9 | | identified cybersecurity risks or threats facing the |
| 10 | | covered entity; |
| 11 | | (2) criteria for the assessment of the |
| 12 | | confidentiality, integrity, security and availability of |
| 13 | | the covered entity's information systems and nonpublic |
| 14 | | information, including the adequacy of existing controls |
| 15 | | in the context of identified risks; and |
| 16 | | (3) requirements describing how identified risks will |
| 17 | | be mitigated or accepted based on the risk assessment and |
| 18 | | how the cybersecurity program will address the risks.
|
| 19 | | Section 50. Cybersecurity personnel and intelligence. |
| 20 | | (a) In addition to the requirements set forth in subsection |
| 21 | | (a) of Section 20, each covered entity shall: |
| 22 | | (1) utilize qualified cybersecurity personnel of the |
| 23 | | covered entity, an affiliate or a third-party service |
| 24 | | provider sufficient to manage the covered entity's |
| 25 | | cybersecurity risks and to perform or oversee the |
|
| | HB2829 | - 13 - | LRB101 10631 JLS 55737 b |
|
|
| 1 | | performance of the core cybersecurity functions specified |
| 2 | | in subsection (b) of Section 10 of this Act; |
| 3 | | (2) provide cybersecurity personnel with cybersecurity |
| 4 | | updates and training sufficient to address relevant |
| 5 | | cybersecurity risks; and |
| 6 | | (3) verify that key cybersecurity personnel take steps |
| 7 | | to maintain current knowledge of changing cybersecurity |
| 8 | | threats and countermeasures. |
| 9 | | (b) A covered entity may choose to utilize an affiliate or |
| 10 | | qualified third-party service provider to assist in complying |
| 11 | | with the requirements set forth in this Act, subject to the |
| 12 | | requirements set forth in Section 55 of this Act.
|
| 13 | | Section 55. Third-party service provider security policy. |
| 14 | | (a) A covered entity shall implement written policies and |
| 15 | | procedures designed to ensure the security of information |
| 16 | | systems and nonpublic information that are accessible to, or |
| 17 | | held by, third-party service providers. Such policies and |
| 18 | | procedures shall be based on the risk assessment of the covered |
| 19 | | entity and shall address to the extent applicable: |
| 20 | | (1) the identification and risk assessment of |
| 21 | | third-party service providers; |
| 22 | | (2) minimum cybersecurity practices required to be met |
| 23 | | by such third-party service providers in order for them to |
| 24 | | do business with the covered entity; |
| 25 | | (3) due diligence processes used to evaluate the |
|
| | HB2829 | - 14 - | LRB101 10631 JLS 55737 b |
|
|
| 1 | | adequacy of cybersecurity practices of such third-party |
| 2 | | service providers; and |
| 3 | | (4) periodic assessment of such third-party service |
| 4 | | providers based on the risk they present and the continued |
| 5 | | adequacy of their cybersecurity practices. |
| 6 | | (b) Such policies and procedures shall include relevant |
| 7 | | guidelines for due diligence and contractual protections |
| 8 | | relating to third-party service providers including to the |
| 9 | | extent applicable guidelines addressing: |
| 10 | | (1) the third-party service provider's policies and |
| 11 | | procedures for access controls, including its use of |
| 12 | | multi-factor authentication as required by Section 60 of |
| 13 | | this Act, to limit access to relevant information systems |
| 14 | | and nonpublic information; |
| 15 | | (2) the third-party service provider's policies and |
| 16 | | procedures for use of encryption as required by Section 75 |
| 17 | | of this Act to protect nonpublic information in transit and |
| 18 | | at rest; |
| 19 | | (3) notice to be provided to the covered entity in the |
| 20 | | event of a cybersecurity event directly impacting the |
| 21 | | covered entity's information systems or the covered |
| 22 | | entity's nonpublic information being held by the |
| 23 | | third-party service provider; and |
| 24 | | (4) representations and warranties addressing the |
| 25 | | third-party service provider's cybersecurity policies and |
| 26 | | procedures that relate to the security of the covered |
|
| | HB2829 | - 15 - | LRB101 10631 JLS 55737 b |
|
|
| 1 | | entity's information systems or nonpublic information. |
| 2 | | (c) An agent, employee, representative or designee of a |
| 3 | | covered entity who is itself a covered entity need not develop |
| 4 | | its own third-party information security policy pursuant to |
| 5 | | this Section if the agent, employee, representative or designee |
| 6 | | follows the policy of the covered entity that is required to |
| 7 | | comply with this Act.
|
| 8 | | Section 60. Multi-factor authentication. |
| 9 | | (a) Based on its risk assessment, each covered entity shall |
| 10 | | use effective controls, which may include multi-factor |
| 11 | | authentication or risk-based authentication, to protect |
| 12 | | against unauthorized access to nonpublic information or |
| 13 | | information systems. |
| 14 | | (b) Multi-factor authentication shall be utilized for any |
| 15 | | individual accessing the covered entity's internal networks |
| 16 | | from an external network, unless the covered entity's chief |
| 17 | | information security officer has approved in writing the use of |
| 18 | | reasonably equivalent or more secure access controls.
|
| 19 | | Section 65. Limitations on data retention. As part of its |
| 20 | | cybersecurity program, each covered entity shall include |
| 21 | | policies and procedures for the secure disposal on a periodic |
| 22 | | basis of any nonpublic information identified in paragraphs (2) |
| 23 | | and (3) of subsection (g) of Section 5 that is no longer |
| 24 | | necessary for business operations or for other legitimate |
|
| | HB2829 | - 16 - | LRB101 10631 JLS 55737 b |
|
|
| 1 | | business purposes of the covered entity, except where such |
| 2 | | information is otherwise required to be retained by law or |
| 3 | | rule, or where targeted disposal is not reasonably feasible due |
| 4 | | to the manner in which the information is maintained.
|
| 5 | | Section 70. Training and monitoring. As part of its |
| 6 | | cybersecurity program, each covered entity shall: |
| 7 | | (a) implement risk-based policies, procedures and controls |
| 8 | | designed to monitor the activity of authorized users and detect |
| 9 | | unauthorized access or use of, or tampering with, Nonpublic |
| 10 | | Information by such authorized users; and |
| 11 | | (b) provide regular cybersecurity awareness training for |
| 12 | | all personnel that is updated to reflect risks identified by |
| 13 | | the covered entity in its risk assessment.
|
| 14 | | Section 75. Encryption of nonpublic information. |
| 15 | | (a) As part of its cybersecurity program, based on its risk |
| 16 | | assessment, each covered entity shall implement controls, |
| 17 | | including encryption, to protect nonpublic information held or |
| 18 | | transmitted by the covered entity both in transit over external |
| 19 | | networks and at rest. |
| 20 | | (1) To the extent a covered entity determines that |
| 21 | | encryption of nonpublic information in transit over |
| 22 | | external networks is infeasible, the covered entity may |
| 23 | | instead secure such nonpublic information using effective |
| 24 | | alternative compensating controls reviewed and approved by |
|
| | HB2829 | - 17 - | LRB101 10631 JLS 55737 b |
|
|
| 1 | | the covered entity's chief information security officer. |
| 2 | | (2) To the extent a covered entity determines that |
| 3 | | encryption of nonpublic information at rest is infeasible, |
| 4 | | the covered entity may instead secure such nonpublic |
| 5 | | information using effective alternative compensating |
| 6 | | controls reviewed and approved by the covered entity's |
| 7 | | chief information security officer. |
| 8 | | (b) To the extent that a covered entity is utilizing |
| 9 | | compensating controls under subsection (a), the feasibility of |
| 10 | | encryption and effectiveness of the compensating controls |
| 11 | | shall be reviewed by the chief information security officer at |
| 12 | | least annually.
|
| 13 | | Section 80. Incident response plan. |
| 14 | | (a) As part of its cybersecurity program, each covered |
| 15 | | entity shall establish a written incident response plan |
| 16 | | designed to promptly respond to, and recover from, any |
| 17 | | cybersecurity event materially affecting the confidentiality, |
| 18 | | integrity or availability of the covered entity's information |
| 19 | | systems or the continuing functionality of any aspect of the |
| 20 | | covered entity's business or operations. |
| 21 | | (b) Such incident response plan shall address the following |
| 22 | | areas: |
| 23 | | (1) the internal processes for responding to a |
| 24 | | cybersecurity event; |
| 25 | | (2) the goals of the incident response plan; |
|
| | HB2829 | - 18 - | LRB101 10631 JLS 55737 b |
|
|
| 1 | | (3) the definition of clear roles, responsibilities |
| 2 | | and levels of decision-making authority; |
| 3 | | (4) external and internal communications and |
| 4 | | information sharing; |
| 5 | | (5) identification of requirements for the remediation |
| 6 | | of any identified weaknesses in information systems and |
| 7 | | associated controls; |
| 8 | | (6) documentation and reporting regarding |
| 9 | | cybersecurity events and related incident response |
| 10 | | activities; and |
| 11 | | (7) the evaluation and revision as necessary of the |
| 12 | | incident response plan following a cybersecurity event.
|
| 13 | | Section 85. Notices to Secretary. |
| 14 | | (a) Notice of cybersecurity event. A covered entity shall |
| 15 | | notify the superintendent as promptly as possible but in no |
| 16 | | event later than 72 hours from a determination that a |
| 17 | | cybersecurity event has occurred that is either of the |
| 18 | | following: |
| 19 | | (1) cybersecurity events impacting the covered entity |
| 20 | | of which notice is required to be provided to any |
| 21 | | government body, self-regulatory agency or any other |
| 22 | | supervisory body; or |
| 23 | | (2) cybersecurity events that have a reasonable |
| 24 | | likelihood of materially harming any material part of the |
| 25 | | normal operations of the covered entity. |
|
| | HB2829 | - 19 - | LRB101 10631 JLS 55737 b |
|
|
| 1 | | (b) Annually each covered entity shall submit to the |
| 2 | | Secretary a written statement covering the prior calendar year. |
| 3 | | This statement shall be submitted by February 15 in the form |
| 4 | | required by the Secretary, certifying that the covered entity |
| 5 | | is in compliance with the requirements in this Act. A covered |
| 6 | | entity shall maintain for examination by the Secretary all |
| 7 | | records, schedules and data supporting this certificate for a |
| 8 | | period of 5 years. To the extent a covered entity has |
| 9 | | identified areas, systems or processes that require material |
| 10 | | improvement, updating or redesign, the covered entity shall |
| 11 | | document the identification and the remedial efforts planned |
| 12 | | and underway to address such areas, systems or processes. Such |
| 13 | | documentation must be available for inspection by the |
| 14 | | Secretary.
|
| 15 | | Section 90. Confidentiality. Information provided by a |
| 16 | | covered entity pursuant to this Act is subject to exemptions |
| 17 | | from disclosure provided under the Illinois Banking Act and the |
| 18 | | Illinois Insurance Code, the Savings Bank Act, the Illinois |
| 19 | | Credit Union Act, the Corporate Fiduciary Act, and the |
| 20 | | Residential Mortgage License Act of 1987.
|
| 21 | | Section 95. Exemptions. |
| 22 | | (a) A covered entity with: |
| 23 | | (1) fewer than 10 employees, including any independent |
| 24 | | contractors, of the covered entity or its affiliates |
|
| | HB2829 | - 20 - | LRB101 10631 JLS 55737 b |
|
|
| 1 | | located in Illinois or responsible for business of the |
| 2 | | covered entity; or |
| 3 | | (2) less than $5,000,000 in gross annual revenue in |
| 4 | | each of the last 3 fiscal years from Illinois business |
| 5 | | operations of the covered entity and its affiliates; or |
| 6 | | (3) less than $10,000,000 in year-end total assets, |
| 7 | | calculated in accordance with generally accepted |
| 8 | | accounting principles, including assets of all affiliates, |
| 9 | | shall be exempt from the requirements of Sections 20, 25, |
| 10 | | 30, 40, 50, 60, 70, 75, and 80 of this Act. |
| 11 | | (b) An employee, agent, representative, or designee of a |
| 12 | | covered entity, who is itself a covered entity, is exempt from |
| 13 | | this Act and need not develop its own cybersecurity program to |
| 14 | | the extent that the employee, agent, representative, or |
| 15 | | designee is covered by the cybersecurity program of the covered |
| 16 | | entity. |
| 17 | | (c) A covered entity that does not directly or indirectly |
| 18 | | operate, maintain, utilize or control any information systems, |
| 19 | | and that does not, and is not required to, directly or |
| 20 | | indirectly control, own, access, generate, receive or possess |
| 21 | | nonpublic information shall be exempt from the requirements of |
| 22 | | Sections 10, 15, 20, 25, 30, 35, 40, 50, 60, 70, 75, and 80 of |
| 23 | | this Act. |
| 24 | | (d) A covered entity under Article VIIC of the Illinois |
| 25 | | Insurance Code that does not and is not required to directly or |
| 26 | | indirectly control, own, access, generate, receive or possess |
|
| | HB2829 | - 21 - | LRB101 10631 JLS 55737 b |
|
|
| 1 | | nonpublic information other than information relating to its |
| 2 | | corporate parent company (or affiliates) shall be exempt from |
| 3 | | the requirements of Sections 10, 15, 20, 25, 30, 35, 40, 50, |
| 4 | | 60, 70, 75, and 80 of this Act. |
| 5 | | (e) A covered entity that qualifies for any of the |
| 6 | | exemptions pursuant to this Section shall file a notice of |
| 7 | | exemption in the form set forth as required by the Secretary |
| 8 | | within 30 days of the determination that the covered entity is |
| 9 | | exempt. |
| 10 | | (f) If a covered entity, as of its most recent fiscal year |
| 11 | | end, ceases to qualify for an exemption, such covered entity |
| 12 | | shall have 180 days from such fiscal year end to comply with |
| 13 | | all applicable requirements of this Act.
|
| 14 | | Section 100. Enforcement. This Act shall be enforced by the |
| 15 | | Secretary pursuant to the Secretary's authority under this Act |
| 16 | | and any applicable laws administered by the Secretary.
|
| 17 | | Section 105. Transitional periods. |
| 18 | | (a) Transitional period. Covered entities shall have 180 |
| 19 | | days from the effective date of this Act to comply with the |
| 20 | | requirements set forth in this Act, except as otherwise |
| 21 | | specified. |
| 22 | | (b) The following provisions shall include additional |
| 23 | | transitional periods. Covered entities shall have: |
| 24 | | (1) One year from the effective date of this Act to |
|
| | HB2829 | - 22 - | LRB101 10631 JLS 55737 b |
|
|
| 1 | | comply with the requirements of subsection (b) of Section |
| 2 | | 20, Sections 25, 45, 60, and subsection (b) of Section 70. |
| 3 | | (2) Eighteen months from the effective date of this Act |
| 4 | | to comply with the requirements of Sections 30, 40, 65, |
| 5 | | subsection (a) of Section 70, and Section 75 of this Act. |
| 6 | | (3) Two years from the effective date of this Act to |
| 7 | | comply with the requirements of Section 55 of this Act.
|
| 8 | | Section 110. Annual filing. A covered entity shall annually |
| 9 | | prepare and submit to the Secretary a certification of |
| 10 | | compliance with this Act under subsection (b) of Section 85 |
| 11 | | beginning November 1, 2020.
|
| 12 | | Section 115. Severability. The provisions of this Act are |
| 13 | | severable under Section 1.31 of the Statute on Statutes.
|
| 14 | | Section 999. Effective date. This Act takes effect January |
| 15 | | 1, 2020.
|