Section 33-105 of the Insurance Article, Maryland Annotated Code, requires a carrier to notify the Commissioner as promptly as possible, but no more than 3 business days from a determination that a cybersecurity event has occurred when either of the following criteria has been met:
(1) (i) the State is the carrier’s state of domicile; and
(ii) the cybersecurity event has a reasonable likelihood of harming a consumer residing in the State or any material part of the normal operations of the carrier; or
(2) the carrier reasonably believes that the nonpublic information involved is of 250 or more consumers residing in the State and either of the following circumstances is present:
(i) a cybersecurity event impacting the carrier has occurred for which notice must be provided to a government body, self–regulatory agency, or any other supervisory body under state or federal law; or
(ii) a cybersecurity event has occurred that has a reasonable likelihood of materially harming:
1. a consumer residing in the State; or
2. a material part of the normal operation of the carrier.
The statute further states that a carrier shall provide the information in electronic form as directed by the Commissioner. This is the electronic form to be completed. Note that a carrier has a continuing obligation to update and supplement initial and subsequent notifications to the Commissioner regarding the cybersecurity event.
Answer the questions below, providing as much information as is reasonably possible. If information is not available at the time of the initial notification, provide a supplemental response using the case number assigned to this matter.