On March 11, the Governor of Indiana signed
SB 220 (the “Act”) which will add cyber incident notification guidelines for financial institutions. The Act defined the term "corporation" as the following entities organized in Indiana, including a (i) bank; (ii) trust company; (iii) corporate fiduciary; (iv) savings bank; (v) savings association; (vi) industrial loan and investment company with federal deposit insurance; (vii) credit union; and (viii) bank of discount and deposit.
According to the Act, a corporation will be required to inform the director of the department about a reportable cyber incident or notification incident following the same protocol mandated by the corporation's federal regulatory body or deposit insurance provider. If a corporation does not have a federal regulatory body or deposit insurance provider, it must report the cyber incident to the director of the department using the procedures outlined in U.S.C. 12 CFR 748.1(c), which despite typically applying to federally insured credit unions, will also apply to corporations. The Act will go into effect on July 1.
