Ongoing Reporting. In order to monitor the Licensed Respondents’ corporate governance related to the IT and Cybersecurity Program, and the specific requirements and standards discussed herein, Respondents shall provide to the Executive Committee the following documentation and/or information according to the following terms: a. The Licensed Respondents’ patch and vulnerability management policies, procedures, and standards within 60 days of the Effective Date of this Agreement; b. The corporate governance framework related to the IT and Cybersecurity Program within sixty (60) calendar days of the Effective Date of this Agreement; c. Any material written updates or changes to the corporate governance framework related to the enterprise-wide IT and Cybersecurity Program within sixty (60) calendar days of the conclusion of calendar years 2024, 2025, and 2026; and d. For a period of three (3) years from the Effective Date of this Agreement, any Security Event, as that term is defined in 16 C.F.R. § 314.2(p), within thirty (30) calendar days of any Licensed Respondent’s determination that a Security Event has occurred, including: i. The facts of the incident; ii. The number of consumers impacted, broken down by state; iii. Amount of harm experienced by consumers, broken down by state; iv. The steps any applicable Respondent has taken to correct the incident; and v. The steps any applicable Respondent has taken to make consumers whole.
Appears in 4 contracts
Sources: Settlement Agreement, Settlement Agreement, Settlement Agreement