State of Illinois
2019 and 2020


Introduced , by Rep. Anne Stava-Murray


New Act

    Creates the Financial Institution Cybersecurity Act. Provides that persons and entities operating under the authority of the Secretary of Financial and Professional Regulation under the Illinois Banking Act, the Illinois Insurance Code, the Savings Bank Act, the Illinois Credit Union Act, the Corporate Fiduciary Act, and the Residential Mortgage License Act of 1987 must maintain a cybersecurity program to protect the confidentiality of their information systems. Requires the implementation and maintenance of written policies to protect information systems. Makes provisions for testing, risk assessment, audit trails, and third-party service provider policies. Provides for supervision by the Secretary of Financial and Professional Regulation. Requires annual certifications beginning November 1, 2020. Effective January 1, 2020.

LRB101 10631 JLS 55737 b






HB2829LRB101 10631 JLS 55737 b

1    AN ACT concerning regulation.
2    Be it enacted by the People of the State of Illinois,
3represented in the General Assembly:
4    Section 1. Short title. This Act may be cited as the
5Financial Institution Cybersecurity Act.
6    Section 5. Definitions. In this Act:
7    (a) "Affiliate" means any person that controls, is
8controlled by or is under common control with another person.
9For purposes of this definition, "control" means the
10possession, direct or indirect, of the power to direct or cause
11the direction of the management and policies of a person,
12whether through the ownership of stock of such person or
14    (b) "Authorized user" means any employee, contractor,
15agent or other person that participates in the business
16operations of a covered entity and is authorized to access and
17use any information systems and data of the covered entity.
18    (c) "Covered entity" means any person operating under or
19required to operate under the Illinois Banking Act, the
20Illinois Insurance Code, the Savings Bank Act, the Illinois
21Credit Union Act, the Corporate Fiduciary Act, and the
22Residential Mortgage License Act of 1987.
23    (d) "Cybersecurity event" means any act or attempt,



HB2829- 2 -LRB101 10631 JLS 55737 b

1successful or unsuccessful, to gain unauthorized access to,
2disrupt or misuse an information system or information stored
3on such information system.
4    (e) "Information system" means a discrete set of electronic
5information resources organized for the collection,
6processing, maintenance, use, sharing, dissemination or
7disposition of electronic information, as well as any
8specialized system such as industrial or process controls
9systems, telephone switching and private branch exchange
10systems, and environmental control systems.
11    (f) "Multi-factor authentication" means authentication
12through verification of at least 2 of the following types of
13authentication factors:
14        (1) knowledge factors, such as a password; or
15        (2) possession factors, such as a token or text message
16    on a mobile phone; or
17        (3) inherence factors, such as a biometric
18    characteristic.
19    (g) "Nonpublic information" means all electronic
20information that is not publicly available information and is:
21        (1) business related information of a covered entity
22    the tampering with which, or unauthorized disclosure,
23    access or use of which, would cause a material adverse
24    impact to the business, operations or security of the
25    covered entity;
26        (2) any information concerning an individual which



HB2829- 3 -LRB101 10631 JLS 55737 b

1    because of name, number, personal mark, or other identifier
2    can be used to identify such individual, in combination
3    with any one or more of the following data elements: (i)
4    social security number, (ii) drivers' license number or
5    non-driver identification card number, (iii) account
6    number, credit or debit card number, (iv) any security
7    code, access code or password that would permit access to
8    an individual's financial account, or (v) biometric
9    records;
10        (3) any information or data, except age or gender, in
11    any form or medium created by or derived from a health care
12    provider or an individual and that relates to (i) the past,
13    present or future physical, mental or behavioral health or
14    condition of any individual or a member of the individual's
15    family, (ii) the provision of health care to any
16    individual, or (iii) payment for the provision of health
17    care to any individual.
18    (h) "Penetration testing" means a test methodology in which
19assessors attempt to circumvent or defeat the security features
20of an information system by attempting penetration of databases
21or controls from outside or inside the covered entity's
22information systems.
23    (i) "Person" means any individual or any non-governmental
24entity, including but not limited to any non-governmental
25partnership, corporation, branch, agency, or association.
26    (j) "Publicly available information" means any information



HB2829- 4 -LRB101 10631 JLS 55737 b

1that a covered entity has a reasonable basis to believe is
2lawfully made available to the general public from: federal,
3State, or local government records; widely distributed media;
4or disclosures to the general public that are required to be
5made by federal, State, or local law.
6    For the purposes of this subsection, a covered entity has a
7reasonable basis to believe that information is lawfully made
8available to the general public if the covered entity has taken
9steps to determine:
10        (1) that the information is of the type that is
11    available to the general public; and
12        (2) whether an individual can direct that the
13    information not be made available to the general public
14    and, if so, that such individual has not done so.
15    (k) "Risk assessment" means the risk assessment that each
16covered entity is required to conduct under Section 45 of this
18    (l) "Risk-based authentication" means any risk-based
19system of authentication that detects anomalies or changes in
20the normal use patterns of a person and requires additional
21verification of the person's identity when such deviations or
22changes are detected, such as through the use of challenge
24    (m) "Secretary" means the Secretary of Financial and
25Professional Regulation.
26    (n) "Senior officer" means the senior individual or



HB2829- 5 -LRB101 10631 JLS 55737 b

1individuals (acting collectively or as a committee)
2responsible for the management, operations, security,
3information systems, compliance or risk of a covered entity,
4including a branch or agency of a foreign banking organization
5subject to this Act.
6    (o) "Third-party service provider" means a person that (i)
7is not an affiliate of the covered entity, (ii) provides
8services to the covered entity, and (iii) maintains, processes
9or otherwise is permitted access to nonpublic information
10through its provision of services to the covered entity.
11    Section 10. Cybersecurity program.
12    (a) Each covered entity shall maintain a cybersecurity
13program designed to protect the confidentiality, integrity and
14availability of the covered entity's information systems.
15    (b) The cybersecurity program shall be based on the covered
16entity's risk assessment and designed to perform the following
17core cybersecurity functions:
18        (1) identify and assess internal and external
19    cybersecurity risks that may threaten the security or
20    integrity of nonpublic information stored on the covered
21    entity's information systems;
22        (2) use defensive infrastructure and the
23    implementation of policies and procedures to protect the
24    covered entity's information systems, and the nonpublic
25    information stored on those information systems, from



HB2829- 6 -LRB101 10631 JLS 55737 b

1    unauthorized access, use or other malicious acts;
2        (3) detect cybersecurity events;
3        (4) respond to identified or detected cybersecurity
4    events to mitigate any negative effects;
5        (5) recover from cybersecurity events and restore
6    normal operations and services; and
7        (6) fulfill applicable regulatory reporting
8    obligations.
9    (c) A covered entity may meet the requirements of this Act
10by adopting the relevant and applicable provisions of a
11cybersecurity program maintained by an affiliate, provided
12that such provisions satisfy the requirements of this Act, as
13applicable to the covered entity.
14    (d) All documentation and information relevant to the
15covered entity's cybersecurity program shall be made available
16to the superintendent upon request.
17    Section 15. Cybersecurity policy. Each covered entity
18shall implement and maintain a written policy or policies,
19approved by a senior officer or the covered entity's board of
20directors (or an appropriate committee thereof) or equivalent
21governing body, setting forth the covered entity's policies and
22procedures for the protection of its information systems and
23nonpublic information stored on those information systems. The
24cybersecurity policy shall be based on the covered entity's
25risk assessment and address the following areas to the extent



HB2829- 7 -LRB101 10631 JLS 55737 b

1applicable to the covered entity's operations:
2    (a) information security;
3    (b) data governance and classification;
4    (c) asset inventory and device management;
5    (d) access controls and identity management;
6    (e) business continuity and disaster recovery planning and
8    (f) systems operations and availability concerns;
9    (g) systems and network security;
10    (h) systems and network monitoring;
11    (i) systems and application development and quality
13    (j) physical security and environmental controls;
14    (k) customer data privacy;
15    (l) vendor and third-party service provider management;
16    (m) risk assessment; and
17    (n) incident response.
18    Section 20. Chief information security officer.
19    (a) Chief information security officer. Each covered
20entity shall designate a qualified individual responsible for
21overseeing and implementing the covered entity's cybersecurity
22program and enforcing its cybersecurity policy (for purposes of
23this Act, "chief information security officer"). The chief
24information security officer may be employed by the covered
25entity, one of its affiliates or a third-party service



HB2829- 8 -LRB101 10631 JLS 55737 b

1provider. To the extent this requirement is met using a
2third-party service provider or an affiliate, the covered
3entity shall:
4        (1) retain responsibility for compliance with this
5    Act;
6        (2) designate a senior member of the covered entity's
7    personnel responsible for direction and oversight of the
8    third-party service provider; and
9        (3) require the third-party service provider to
10    maintain a cybersecurity program that protects the covered
11    entity in accordance with the requirements of this Act.
12    (b) Report. The chief information security officer of each
13covered entity shall report in writing at least annually to the
14covered entity's board of directors or equivalent governing
15body. If no such board of directors or equivalent governing
16body exists, the report shall be timely presented to a senior
17officer of the covered entity responsible for the covered
18entity's cybersecurity program. The chief information security
19officer shall report on the covered entity's cybersecurity
20program and material cybersecurity risks. The chief
21information security officer shall consider to the extent
23        (1) the confidentiality of nonpublic information and
24    the integrity and security of the covered entity's
25    information systems;
26        (2) the covered entity's cybersecurity policies and



HB2829- 9 -LRB101 10631 JLS 55737 b

1    procedures;
2        (3) material cybersecurity risks to the covered
3    entity;
4        (4) overall effectiveness of the covered entity's
5    cybersecurity program; and
6        (5) material cybersecurity events involving the
7    covered entity during the time period addressed by the
8    report.
9    Section 25. Penetration testing and vulnerability
10assessments. The cybersecurity program for each covered entity
11shall include monitoring and testing, developed in accordance
12with the covered entity's risk assessment, designed to assess
13the effectiveness of the covered entity's cybersecurity
14program. The monitoring and testing shall include continuous
15monitoring or periodic penetration testing and vulnerability
16assessments. Absent effective continuous monitoring, or other
17systems to detect, on an ongoing basis, changes in information
18systems that may create or indicate vulnerabilities, covered
19entities shall conduct:
20    (a) annual penetration testing of the covered entity's
21information systems determined each given year based on
22relevant identified risks in accordance with the risk
23assessment; and
24    (b) bi-annual vulnerability assessments, including any
25systematic scans or reviews of information systems reasonably



HB2829- 10 -LRB101 10631 JLS 55737 b

1designed to identify publicly known cybersecurity
2vulnerabilities in the covered entity's information systems
3based on the risk assessment.
4    Section 30. Audit trail.
5    (a) Each covered entity shall securely maintain systems
6that, to the extent applicable and based on its Risk
8        (1) are designed to reconstruct material financial
9    transactions sufficient to support normal operations and
10    obligations of the covered entity; and
11        (2) include audit trails designed to detect and respond
12    to cybersecurity events that have a reasonable likelihood
13    of materially harming any material part of the normal
14    operations of the covered entity.
15    (b) Each covered entity shall maintain records required by
16paragraph(1) of subsection (a) for not fewer than 5 years and
17shall maintain records required by paragraph (2) of subsection
18(a) for not fewer than 3 years.
19    Section 35. Access privileges. As part of its cybersecurity
20program, based on the covered entity's risk assessment each
21covered entity shall limit user access privileges to
22information systems that provide access to Nonpublic
23Information and shall periodically review such access



HB2829- 11 -LRB101 10631 JLS 55737 b

1    Section 40. Application security.
2    (a) Each covered entity's cybersecurity program shall
3include written procedures, guidelines and standards designed
4to ensure the use of secure development practices for in-house
5developed applications utilized by the covered entity, and
6procedures for evaluating, assessing or testing the security of
7externally developed applications utilized by the covered
8entity within the context of the covered entity's technology
10    (b) All such procedures, guidelines and standards shall be
11periodically reviewed, assessed and updated as necessary by the
12chief information security officer (or a qualified designee) of
13the covered entity.
14    Section 45. Risk assessment.
15    (a) Each covered entity shall conduct a periodic Risk
16Assessment of the covered entity's information systems
17sufficient to inform the design of the cybersecurity program as
18required by this Act. Such risk assessment shall be updated as
19reasonably necessary to address changes to the covered entity's
20information systems, nonpublic information or business
21operations. The covered entity's risk assessment shall allow
22for revision of controls to respond to technological
23developments and evolving threats and shall consider the
24particular risks of the covered entity's business operations



HB2829- 12 -LRB101 10631 JLS 55737 b

1related to cybersecurity, nonpublic information collected or
2stored, information systems utilized and the availability and
3effectiveness of controls to protect nonpublic information and
4information systems.
5    (b) The risk assessment shall be carried out in accordance
6with written policies and procedures and shall be documented.
7Such policies and procedures shall include:
8        (1) criteria for the evaluation and categorization of
9    identified cybersecurity risks or threats facing the
10    covered entity;
11        (2) criteria for the assessment of the
12    confidentiality, integrity, security and availability of
13    the covered entity's information systems and nonpublic
14    information, including the adequacy of existing controls
15    in the context of identified risks; and
16        (3) requirements describing how identified risks will
17    be mitigated or accepted based on the risk assessment and
18    how the cybersecurity program will address the risks.
19    Section 50. Cybersecurity personnel and intelligence.
20    (a) In addition to the requirements set forth in subsection
21(a) of Section 20, each covered entity shall:
22        (1) utilize qualified cybersecurity personnel of the
23    covered entity, an affiliate or a third-party service
24    provider sufficient to manage the covered entity's
25    cybersecurity risks and to perform or oversee the



HB2829- 13 -LRB101 10631 JLS 55737 b

1    performance of the core cybersecurity functions specified
2    in subsection (b) of Section 10 of this Act;
3        (2) provide cybersecurity personnel with cybersecurity
4    updates and training sufficient to address relevant
5    cybersecurity risks; and
6        (3) verify that key cybersecurity personnel take steps
7    to maintain current knowledge of changing cybersecurity
8    threats and countermeasures.
9    (b) A covered entity may choose to utilize an affiliate or
10qualified third-party service provider to assist in complying
11with the requirements set forth in this Act, subject to the
12requirements set forth in Section 55 of this Act.
13    Section 55. Third-party service provider security policy.
14    (a) A covered entity shall implement written policies and
15procedures designed to ensure the security of information
16systems and nonpublic information that are accessible to, or
17held by, third-party service providers. Such policies and
18procedures shall be based on the risk assessment of the covered
19entity and shall address to the extent applicable:
20        (1) the identification and risk assessment of
21    third-party service providers;
22        (2) minimum cybersecurity practices required to be met
23    by such third-party service providers in order for them to
24    do business with the covered entity;
25        (3) due diligence processes used to evaluate the



HB2829- 14 -LRB101 10631 JLS 55737 b

1    adequacy of cybersecurity practices of such third-party
2    service providers; and
3        (4) periodic assessment of such third-party service
4    providers based on the risk they present and the continued
5    adequacy of their cybersecurity practices.
6    (b) Such policies and procedures shall include relevant
7guidelines for due diligence and contractual protections
8relating to third-party service providers including to the
9extent applicable guidelines addressing:
10        (1) the third-party service provider's policies and
11    procedures for access controls, including its use of
12    multi-factor authentication as required by Section 60 of
13    this Act, to limit access to relevant information systems
14    and nonpublic information;
15        (2) the third-party service provider's policies and
16    procedures for use of encryption as required by Section 75
17    of this Act to protect nonpublic information in transit and
18    at rest;
19        (3) notice to be provided to the covered entity in the
20    event of a cybersecurity event directly impacting the
21    covered entity's information systems or the covered
22    entity's nonpublic information being held by the
23    third-party service provider; and
24        (4) representations and warranties addressing the
25    third-party service provider's cybersecurity policies and
26    procedures that relate to the security of the covered



HB2829- 15 -LRB101 10631 JLS 55737 b

1    entity's information systems or nonpublic information.
2    (c) An agent, employee, representative or designee of a
3covered entity who is itself a covered entity need not develop
4its own third-party information security policy pursuant to
5this Section if the agent, employee, representative or designee
6follows the policy of the covered entity that is required to
7comply with this Act.
8    Section 60. Multi-factor authentication.
9    (a) Based on its risk assessment, each covered entity shall
10use effective controls, which may include multi-factor
11authentication or risk-based authentication, to protect
12against unauthorized access to nonpublic information or
13information systems.
14    (b) Multi-factor authentication shall be utilized for any
15individual accessing the covered entity's internal networks
16from an external network, unless the covered entity's chief
17information security officer has approved in writing the use of
18reasonably equivalent or more secure access controls.
19    Section 65. Limitations on data retention. As part of its
20cybersecurity program, each covered entity shall include
21policies and procedures for the secure disposal on a periodic
22basis of any nonpublic information identified in paragraphs (2)
23and (3) of subsection (g) of Section 5 that is no longer
24necessary for business operations or for other legitimate



HB2829- 16 -LRB101 10631 JLS 55737 b

1business purposes of the covered entity, except where such
2information is otherwise required to be retained by law or
3rule, or where targeted disposal is not reasonably feasible due
4to the manner in which the information is maintained.
5    Section 70. Training and monitoring. As part of its
6cybersecurity program, each covered entity shall:
7    (a) implement risk-based policies, procedures and controls
8designed to monitor the activity of authorized users and detect
9unauthorized access or use of, or tampering with, Nonpublic
10Information by such authorized users; and
11    (b) provide regular cybersecurity awareness training for
12all personnel that is updated to reflect risks identified by
13the covered entity in its risk assessment.
14    Section 75. Encryption of nonpublic information.
15    (a) As part of its cybersecurity program, based on its risk
16assessment, each covered entity shall implement controls,
17including encryption, to protect nonpublic information held or
18transmitted by the covered entity both in transit over external
19networks and at rest.
20        (1) To the extent a covered entity determines that
21    encryption of nonpublic information in transit over
22    external networks is infeasible, the covered entity may
23    instead secure such nonpublic information using effective
24    alternative compensating controls reviewed and approved by



HB2829- 17 -LRB101 10631 JLS 55737 b

1    the covered entity's chief information security officer.
2        (2) To the extent a covered entity determines that
3    encryption of nonpublic information at rest is infeasible,
4    the covered entity may instead secure such nonpublic
5    information using effective alternative compensating
6    controls reviewed and approved by the covered entity's
7    chief information security officer.
8    (b) To the extent that a covered entity is utilizing
9compensating controls under subsection (a), the feasibility of
10encryption and effectiveness of the compensating controls
11shall be reviewed by the chief information security officer at
12least annually.
13    Section 80. Incident response plan.
14    (a) As part of its cybersecurity program, each covered
15entity shall establish a written incident response plan
16designed to promptly respond to, and recover from, any
17cybersecurity event materially affecting the confidentiality,
18integrity or availability of the covered entity's information
19systems or the continuing functionality of any aspect of the
20covered entity's business or operations.
21    (b) Such incident response plan shall address the following
23        (1) the internal processes for responding to a
24    cybersecurity event;
25        (2) the goals of the incident response plan;



HB2829- 18 -LRB101 10631 JLS 55737 b

1        (3) the definition of clear roles, responsibilities
2    and levels of decision-making authority;
3        (4) external and internal communications and
4    information sharing;
5        (5) identification of requirements for the remediation
6    of any identified weaknesses in information systems and
7    associated controls;
8        (6) documentation and reporting regarding
9    cybersecurity events and related incident response
10    activities; and
11        (7) the evaluation and revision as necessary of the
12    incident response plan following a cybersecurity event.
13    Section 85. Notices to Secretary.
14    (a) Notice of cybersecurity event. A covered entity shall
15notify the superintendent as promptly as possible but in no
16event later than 72 hours from a determination that a
17cybersecurity event has occurred that is either of the
19        (1) cybersecurity events impacting the covered entity
20    of which notice is required to be provided to any
21    government body, self-regulatory agency or any other
22    supervisory body; or
23        (2) cybersecurity events that have a reasonable
24    likelihood of materially harming any material part of the
25    normal operations of the covered entity.



HB2829- 19 -LRB101 10631 JLS 55737 b

1    (b) Annually each covered entity shall submit to the
2Secretary a written statement covering the prior calendar year.
3This statement shall be submitted by February 15 in the form
4required by the Secretary, certifying that the covered entity
5is in compliance with the requirements in this Act. A covered
6entity shall maintain for examination by the Secretary all
7records, schedules and data supporting this certificate for a
8period of 5 years. To the extent a covered entity has
9identified areas, systems or processes that require material
10improvement, updating or redesign, the covered entity shall
11document the identification and the remedial efforts planned
12and underway to address such areas, systems or processes. Such
13documentation must be available for inspection by the
15    Section 90. Confidentiality. Information provided by a
16covered entity pursuant to this Act is subject to exemptions
17from disclosure provided under the Illinois Banking Act and the
18Illinois Insurance Code, the Savings Bank Act, the Illinois
19Credit Union Act, the Corporate Fiduciary Act, and the
20Residential Mortgage License Act of 1987.
21    Section 95. Exemptions.
22    (a) A covered entity with:
23        (1) fewer than 10 employees, including any independent
24    contractors, of the covered entity or its affiliates



HB2829- 20 -LRB101 10631 JLS 55737 b

1    located in Illinois or responsible for business of the
2    covered entity; or
3        (2) less than $5,000,000 in gross annual revenue in
4    each of the last 3 fiscal years from Illinois business
5    operations of the covered entity and its affiliates; or
6        (3) less than $10,000,000 in year-end total assets,
7    calculated in accordance with generally accepted
8    accounting principles, including assets of all affiliates,
9    shall be exempt from the requirements of Sections 20, 25,
10    30, 40, 50, 60, 70, 75, and 80 of this Act.
11    (b) An employee, agent, representative, or designee of a
12covered entity, who is itself a covered entity, is exempt from
13this Act and need not develop its own cybersecurity program to
14the extent that the employee, agent, representative, or
15designee is covered by the cybersecurity program of the covered
17    (c) A covered entity that does not directly or indirectly
18operate, maintain, utilize or control any information systems,
19and that does not, and is not required to, directly or
20indirectly control, own, access, generate, receive or possess
21nonpublic information shall be exempt from the requirements of
22Sections 10, 15, 20, 25, 30, 35, 40, 50, 60, 70, 75, and 80 of
23this Act.
24    (d) A covered entity under Article VIIC of the Illinois
25Insurance Code that does not and is not required to directly or
26indirectly control, own, access, generate, receive or possess



HB2829- 21 -LRB101 10631 JLS 55737 b

1nonpublic information other than information relating to its
2corporate parent company (or affiliates) shall be exempt from
3the requirements of Sections 10, 15, 20, 25, 30, 35, 40, 50,
460, 70, 75, and 80 of this Act.
5    (e) A covered entity that qualifies for any of the
6exemptions pursuant to this Section shall file a notice of
7exemption in the form set forth as required by the Secretary
8within 30 days of the determination that the covered entity is
10    (f) If a covered entity, as of its most recent fiscal year
11end, ceases to qualify for an exemption, such covered entity
12shall have 180 days from such fiscal year end to comply with
13all applicable requirements of this Act.
14    Section 100. Enforcement. This Act shall be enforced by the
15Secretary pursuant to the Secretary's authority under this Act
16and any applicable laws administered by the Secretary.
17    Section 105. Transitional periods.
18    (a) Transitional period. Covered entities shall have 180
19days from the effective date of this Act to comply with the
20requirements set forth in this Act, except as otherwise
22    (b) The following provisions shall include additional
23transitional periods. Covered entities shall have:
24        (1) One year from the effective date of this Act to



HB2829- 22 -LRB101 10631 JLS 55737 b

1    comply with the requirements of subsection (b) of Section
2    20, Sections 25, 45, 60, and subsection (b) of Section 70.
3        (2) Eighteen months from the effective date of this Act
4    to comply with the requirements of Sections 30, 40, 65,
5    subsection (a) of Section 70, and Section 75 of this Act.
6        (3) Two years from the effective date of this Act to
7    comply with the requirements of Section 55 of this Act.
8    Section 110. Annual filing. A covered entity shall annually
9prepare and submit to the Secretary a certification of
10compliance with this Act under subsection (b) of Section 85
11beginning November 1, 2020.
12    Section 115. Severability. The provisions of this Act are
13severable under Section 1.31 of the Statute on Statutes.
14    Section 999. Effective date. This Act takes effect January
151, 2020.