Information security program required elements

Ark. Code Ann. § 23-39-522 — under Mortgage Loan Companies and Loan Brokers.

(a) In order for a financial institution to develop, implement, and maintain an information security program, the financial institution shall comply with this section.

(b) (1) A financial institution shall designate a qualified individual responsible for overseeing and implementing the financial institution's information security program and enforcing an information security program.

(2) (A) The qualified individual may be employed by the financial institution, an affiliate, or a service provider.

(B) If a financial institution designates an individual employed by an affiliate or a service provider, the financial institution shall:

(i) Retain responsibility for compliance with this section;

(ii) Designate a senior member of the financial institution's personnel to be responsible for direction and oversight of the qualified individual; and

(iii) Require the service provider or affiliate to maintain an information security program that protects the financial institution in accordance with the requirements of this section.

(c) (1) A financial institution shall base the financial institution's information security program on a risk assessment that:

(A) Identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of the customer information; and

(B) Assesses the sufficiency of any safeguards in place to control these risks.

(2) The risk assessment shall be written and include:

(A) Criteria for the evaluation and categorization of identified security risks or threats the financial institution faces;

(B) Criteria for the assessment of the confidentiality, integrity, and availability of the financial institution's information systems and customer information, including the adequacy of the existing controls in the context of the identified risks or threats the financial institution faces; and

(C) Requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address the risks.

(3) A financial institution shall periodically perform additional risk assessments that:

(A) Reexamine the reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of the customer information; and

(B) Reassess the sufficiency of any safeguards in place to control these risks.

(d) A financial institution shall design and implement safeguards to control the risks the financial institution identifies through the risk assessment as required under subsection (c) of this section, including without limitation:

(1) Implementing and periodically reviewing access controls, including technical and, as appropriate, physical controls, to:

(A) Authenticate and permit access only to authorized users to protect against the unauthorized acquisition of customer information; and

(B) Limit authorized users' access only to customer information that the authorized user needs to perform the authorized user's duties and functions, or in the case of customers, to access the customer's own customer information;

(2) Identifying and managing the data, personnel, devices, systems, and facilities that enable the financial institution to achieve business purposes according to the financial institution's relative importance to business objectives and the financial institution's risk strategy;

(3) (A) Protecting by encryption all customer information held or transmitted by the financial institution both in transit over external networks and at rest.

(B) To the extent the financial institution determines that encryption of customer information, either in transit over external networks or at rest, is infeasible, the financial institution may instead secure the customer information using effective alternative compensating controls reviewed and approved by the financial institution's qualified individual;

(4) Adopting secure development practices for in-house developed applications utilized by the financial institution for transmitting, accessing, or storing customer information and procedures for evaluating, assessing, or testing the security of externally developed applications the financial institution utilizes to transmit, access, or store customer information;

(5) Implementing multifactor authentication for an individual accessing an information system, unless the financial institution's qualified individual has approved in writing the use of reasonably equivalent or more secure access controls;

(6) Developing, implementing, and maintaining procedures for the secure disposal of customer information in any format no later than two (2) years after the last date the customer information is used in connection with the provision of a financial product or service to the customer, unless:

(A) The customer information is:

(i) Necessary for business operations or for other legitimate business purposes; or

(ii) Otherwise required to be retained by state law or rule, or federal law or regulation; or

(B) Targeted disposal is not reasonably feasible due to the manner in which the customer information is maintained;

(7) Periodically reviewing the financial institution's data retention policy to minimize the unnecessary retention of data;

(8) Adopting procedures for change management; and

(9) Implementing policies, procedures, and controls designed to monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by these users.

(e) (1) A financial institution shall regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures of the safeguards required under this section, including those to detect actual and attempted attacks on, or intrusions into, information systems.

(2) (A) For information systems, monitoring and testing shall include continuous monitoring or periodic penetration testing and vulnerability assessments.

(B) Absent effective continuous monitoring or other systems to detect, on an ongoing basis, changes in information systems that may create vulnerabilities, the financial institution shall conduct:

(i) Annual penetration testing of a financial institution's information systems determined each given year based on relevant identified risks according to the risk assessment; and

(ii) Vulnerability assessments, including a systemic scan or review of an information system reasonably designed to identify publicly known security vulnerabilities in the financial institution's information systems based on the risk assessment, at least every six (6) months, and whenever there are:

(a) Material changes to the financial institution's operations or business arrangements; and

(b) Circumstances the financial institution knows or has reason to know may have a material impact on the financial institution's information security program.

(f) A financial institution shall implement policies and procedures to ensure that personnel are able to enact the financial institution's information security program by:

(1) Providing the financial institution's personnel with security awareness training that is updated as necessary to reflect risks identified by the risk assessment;

(2) Utilizing qualified information security personnel employed by the financial institution or an affiliate or a service provider sufficient to manage the financial institution's information security risks and to perform or oversee the information security program;

(3) Providing information security personnel with security updates and training sufficient to address relevant security risks; and

(4) Verifying that key information security personnel take steps to maintain current knowledge of changing information security threats and countermeasures.

(g) A financial institution shall oversee service providers by:

(1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue;

(2) Requiring the financial institution's service providers by contract to implement and maintain the safeguards referenced under subdivision (g)(1) of this section; and

(3) Periodically assessing the financial institution's service providers based on the risk they present and the continued adequacy of their safeguards.

(h) A financial institution shall evaluate and adjust the financial institution's information security program to reflect:

(1) The results of the testing and monitoring required by subsection (e) of this section;

(2) Any material change to the financial institution's operations or business arrangements or other circumstances;

(3) The results of risk assessments performed under subdivision (c)(3) of this section; and

(4) Any other circumstances that the financial institution knows or has reason to know may have a material impact on the financial institution's information security program.

(i) (1) A financial institution shall establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in the financial institution's control.

(2) The incident response plan under subdivision (i)(1) of this section shall address:

(A) The goals of the incident response plan;

(B) The internal processes for responding to a security event;

(C) The definition of clear roles, responsibilities, and levels of decision-making authority;

(D) External and internal communications and information sharing;

(E) Identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;

(F) Documentation and reporting regarding security events and related incident response activities; and

(G) The evaluation and revision as necessary of the incident response plan following a security event.

(j) (1) The financial institution's qualified individual shall report in writing at least annually to the financial institution's board of directors or equivalent governing body.

(2) If a board of directors or equivalent governing body does not exist, the report required under subdivision (j)(1) of this section shall be timely presented to a senior officer responsible for the financial institution's information security program.

(3) The report required under subdivision (j)(1) of this section shall include:

(A) The overall status of the information security program and the financial institution's compliance with this section and associated rules; and

(B) Material matters related to the information security program, addressing issues such as risk assessment, risk management and control decisions, service provider arrangements, results of testing, security events or violations and management's responses to security events or violations, and recommendations for changes in the information security program.

(k) A financial institution shall provide notice to the Securities Commissioner about notification events according to subdivisions (l)(1) and (2) of this section.

(l) (1) Upon discovery of a notification event as described in subdivision (l)(3) of this section, if the notification event involves the information of any consumers in this state, the financial institution shall notify the commissioner as soon as possible and no later than forty-five (45) days after discovery of the notification event.(2) The notice required under subdivision (l)(1) of this section shall:(A) Be made in a format specified by the commissioner; and(B) Include the following information:(i) The name and contact information of the reporting financial institution;(ii) (a) A description of the types of information that were involved in the notification event.(b) If the information is possible to determine under subdivision (l)(2)(B)(ii)(a) of this section, the notice required under subdivision (l)(1) of this section shall contain the date or date range of the notification event;(iii) The number of consumers affected or potentially affected by the notification event;(iv) A general description of the notification event; and(v) (a) Whether a law enforcement official has provided the financial institution with a written determination that notifying the public of the notification event would impede a criminal investigation or cause damage to national security, and a means for the commissioner to contact the law enforcement official.(b) A law enforcement official under subdivision (l)(2)(B)(v)(a) of this section may request an initial delay of up to thirty (30) days following the date when notice was provided to the commissioner.(c) The delay under subdivision (l)(2)(B)(v)(b) of this section may be extended for an additional period of up to sixty (60) days if the law enforcement official seeks an extension in writing.(d) An additional delay beyond the delay under subdivision (l)(2)(B)(v)(b) of this section may be permitted only if the State Securities Department determines that public disclosure of a notification event continues to impede a criminal 
investigation or cause damage to national security.(3) (A) A notification event under this section shall be treated as discovered as of the first day on which the notification event is known to the financial institution.(B) The financial institution under subdivision (l)(3)(A) of this section shall be deemed to have knowledge of a notification event if the notification event is known to a person, other than the person committing the notification event, who is the financial institution's employee, officer, or other agent.

(1) Upon discovery of a notification event as described in subdivision (l)(3) of this section, if the notification event involves the information of any consumers in this state, the financial institution shall notify the commissioner as soon as possible and no later than forty-five (45) days after discovery of the notification event.

(2) The notice required under subdivision (l)(1) of this section shall:(A) Be made in a format specified by the commissioner; and(B) Include the following information:(i) The name and contact information of the reporting financial institution;(ii) (a) A description of the types of information that were involved in the notification event.(b) If the information is possible to determine under subdivision (l)(2)(B)(ii)(a) of this section, the notice required under subdivision (l)(1) of this section shall contain the date or date range of the notification event;(iii) The number of consumers affected or potentially affected by the notification event;(iv) A general description of the notification event; and(v) (a) Whether a law enforcement official has provided the financial institution with a written determination that notifying the public of the notification event would impede a criminal investigation or cause damage to national security, and a means for the commissioner to contact the law enforcement official.(b) A law enforcement official under subdivision (l)(2)(B)(v)(a) of this section may request an initial delay of up to thirty (30) days following the date when notice was provided to the commissioner.(c) The delay under subdivision (l)(2)(B)(v)(b) of this section may be extended for an additional period of up to sixty (60) days if the law enforcement official seeks an extension in writing.(d) An additional delay beyond the delay under subdivision (l)(2)(B)(v)(b) of this section may be permitted only if the State Securities Department determines that public disclosure of a notification event continues to impede a criminal investigation or cause damage to national security.

(A) Be made in a format specified by the commissioner; and

(B) Include the following information:

(i) The name and contact information of the reporting financial institution;

(ii)

(a) A description of the types of information that were involved in the notification event.

(b) If the information is possible to determine under subdivision (l)(2)(B)(ii)(a) of this section, the notice required under subdivision (l)(1) of this section shall contain the date or date range of the notification event;

(iii) The number of consumers affected or potentially affected by the notification event;

(iv) A general description of the notification event; and

(v)

(a) Whether a law enforcement official has provided the financial institution with a written determination that notifying the public of the notification event would impede a criminal investigation or cause damage to national security, and a means for the commissioner to contact the law enforcement official.

(b) A law enforcement official under subdivision (l)(2)(B)(v)(a) of this section may request an initial delay of up to thirty (30) days following the date when notice was provided to the commissioner.

(c) The delay under subdivision (l)(2)(B)(v)(b) of this section may be extended for an additional period of up to sixty (60) days if the law enforcement official seeks an extension in writing.

(d) An additional delay beyond the delay under subdivision (l)(2)(B)(v)(b) of this section may be permitted only if the State Securities Department determines that public disclosure of a notification event continues to impede a criminal investigation or cause damage to national security.

(3)

(A) A notification event under this section shall be treated as discovered as of the first day on which the notification event is known to the financial institution.

(B) The financial institution under subdivision (l)(3)(A) of this section shall be deemed to have knowledge of a notification event if the notification event is known to a person, other than the person committing the notification event, who is the financial institution's employee, officer, or other agent.

(m) A financial institution shall establish a written plan addressing business continuity and disaster recovery.