A New Law...
A new Indiana law passed last year flew under our radar, but it has important implications for most of our Clients. Indiana Code 28-10-3-2 introduced new state reporting requirements for Indiana financial institutions: it requires a “corporation” (defined below) to notify the DFI’s director of a reportable cyber incident or notification incident “in accordance with the same procedures required by the corporation’s federal supervisory authority or federal insurer.” If the institution has no federal supervisor/insurer, it must notify the DFI using the same procedures in 12 CFR 748.1(c). Indiana’s law simply says: when you notify federally, notify the DFI too, on the same basis.

For this code, “corporation” includes Indiana-chartered banks, trust companies, corporate fiduciaries, savings banks/associations, FDIC-insured industrial loan & investment companies, credit unions, and banks of discount and deposit. Our understanding of this is that it applies to state-chartered institutions, but we are not lawyers, so it is important to run this by your legal department. Furthermore, we would consider it best practice for any financial institution in any state to report to both federal and state regulators to avoid issues.
So, how should you respond to this new code? The first part is done: identifying the new code and its requirements. Second, you should document this by updating your incident response plan to include the law and language (see below). Finally, once you have identified and documented the changes, broadcast awareness to the rest of the Incident Response team so they know about them, and consider incorporating this into your next tabletop test.
Indiana Code 28-10-3-2:
Sec. 2. Notwithstanding IC 24-4.9 or any other law, a corporation shall notify the director of the department of a reportable cyber incident or notification incident in accordance with the same procedures required by the corporation’s federal supervisory authority or federal insurer. A corporation without a federal supervisory authority or federal insurer shall notify the director of the department of the reportable cyber incident in accordance with the same procedures set forth in 12 CFR 748.1(c) for federally insured credit unions, regardless of whether the corporation is a federally insured credit union.
Contact Us if you have any clarifying questions and we can point you in the right direction!
Original article by Adam Reynolds, CISSP, CISA, Senior Staff Auditor, infotex
Adam is the 2025 recipient of the Cyb3rP0e+ award.