Investor Presentation
QUESTION:
Under Section 38-99-20(A), the Act requires a Risk Assessment.
Can this be a "self assessment" done in-house?
Will licensees be required to use a third-party vendor to
conduct the assessment?
No, the Act does not require a licensee to use a third-party vendor. There is nothing in the
Act that precludes a licensee from conducting a self-assessment or from hiring a
third-party vendor to conduct the assessment. However, the assessment must be performed in
accordance with the Act.
The Act provides that the licensee must determine, based on the size and
complexity of the licensee, how to effectively conduct a Risk Assessment that:
(1) Identifies reasonably foreseeable internal or external threats that could result in
the unauthorized access to or transmission, disclosure, misuse, alteration, or
destruction of nonpublic information including the security of information systems
and nonpublic information that are accessible to or held by third-party service
providers;
(2) Assesses the likelihood and potential damage of these threats, considering the
sensitivity of the nonpublic information;
(3) Assesses the sufficiency of policies, procedures, information systems, and other
safeguards in place to manage these threats, taking into consideration threats in
each relevant area of the licensee's operations... etc., and complies with the
other sections of the Act.