Missouri Cybersecurity Event Notification Form

This electronic form shall be used by licensees to provide information to the Director of the Missouri Department of Commerce and Insurance (“Director” of the “DCI”) concerning the occurrence of cybersecurity events involving nonpublic information for which notification to the Director is required under section 375.1410, RSMo.

Licensees are strongly encouraged to review the definitions found in section 375.1402, RSMo and the exclusions found in section 375.1417, RSMo prior to reporting a cybersecurity event.

As described in section 375.1410.2, RSMo, licensees shall provide as much of the following information as practicable, except that licensees shall not release nonpublic information (as defined in section 375.1402, RSMo) of the consumer unless given written authority by the consumer or otherwise required by law. Licensees may respond using attachments by indicating as such in the fields below and attaching the responsive document(s) to this form.

Licensees shall have a continuing obligation to update initial and subsequent notifications to the Director regarding material changes to previously provided information relating to the cybersecurity event.

Questions regarding this electronic form should be sent to cyberbreach@insurance.mo.gov. DO NOT send nonpublic information to this email address, as all cybersecurity event notifications and updates should be submitted using this electronic form.

Licensees providing information on this electronic form do not need to log in when submitting a notification.

1. Is this an initial or subsequent notification to the Director?

Initial Notification

Subsequent Notification

2. If this is a subsequent notification, on what date(s) have previous notification(s) been made?

3. Company Name

4. State of Domicile / Home State

5. NAIC Number (if applicable)

6. Missouri License Number

7. Is this notification being made by a Company or a Licensee?

Company

Licensee

9. Estimated Cybersecurity Event Occurrence Period

Start Date

End Date

10. Cybersecurity Event Discovery Date

11. Describe how information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of third-party service providers, if any.

12. Describe how the cybersecurity event was discovered.

13. Has any exposed, lost, stolen, or breached information been recovered? If so, how was this done?

14. Identify the source of the cybersecurity event.

15. Has the licensee filed a police report or notified any regulatory, government, or law enforcement agencies? If so, when was such notification provided? (If yes, please attach documentation of report/notification in the attachment section below unless already provided to the DCI)

16. Is a notice to impacted Missouri consumers required by law, including section 407.1500, RSMo?

Yes

Unknown

17. Describe the specific types of information acquired without authorization.

“Specific types of information” means particular data elements including, for example, types of medical information, types of financial information, or types of information allowing identification of the consumer.

18. Estimated Number of Total Missouri Consumers Affected by the Cybersecurity Event

19. Estimated Number of Total United States Consumers Affected by the Cybersecurity Event

20. Describe the results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed. Attach the results of any internal review in the attachment section below.

21. Describe efforts being undertaken to remediate the situation that permitted the cybersecurity event to occur.

Licensee Contact Name (an individual familiar with the cybersecurity event and authorized to act for the Licensee)

Licensee Contact Job Title

Licensee Contact Email Address

Licensee Contact Phone Number

Extension (Optional)

Attachments

Licensees must attach the following with appropriate labeling in the file names as part of this notification:

1) A copy of the licensee’s privacy policy,
2) A statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event,
3) A copy of any report/notification referenced in question 15, above,
4) A copy of any internal review report referenced in question 20, above,
5) A copy of the notice sent to consumers under section 407.1500, RSMo, as applicable, and
6) Any other attachments referenced in this notification.

Max file size: 20 MB. Allowed file extension(s): jpg, jpeg, png, pdf, doc, docx.

I attest, to the best of my knowledge, that the information submitted on this form is true and correct to the best of my information and belief. By submitting this form, I am acknowledging that I am authorized to submit this form on behalf of the licensee. I further understand and agree that section 375.1415, RSMo affords confidential treatment to certain information submitted to the DCI. I understand that Missouri law, including section 375.1415.1, RSMo, also gives the Director the authority to use the documents, materials, or other information furnished by a licensee or someone acting on the licensee’s behalf in furtherance of regulatory or legal actions brought as a part of the Director’s duties.

Name of Individual Completing the Attestation