IL HB2829
Bill
Status
2/14/2019
Primary Sponsor
Anne Stava-Murray
AI Summary
HB2829 Summary: Financial Institution Cybersecurity Act
- Creates the Financial Institution Cybersecurity Act requiring financial institutions regulated by the Secretary of Financial and Professional Regulation to maintain comprehensive cybersecurity programs protecting confidentiality, integrity, and availability of information systems.
- Mandates written cybersecurity policies, risk assessments, penetration testing, vulnerability assessments, audit trails, access controls, encryption of nonpublic information, and incident response plans based on each entity's risk assessment.
- Requires designation of a Chief Information Security Officer to oversee cybersecurity programs and report annually to the board of directors on cybersecurity risks, policies, and material cybersecurity events.
- Establishes third-party service provider security requirements, multi-factor authentication for external network access, cybersecurity personnel with current training, and employee cybersecurity awareness training.
- Requires covered entities to notify the Secretary within 72 hours of cybersecurity events and submit annual compliance certifications beginning November 1, 2020; provides exemptions for small entities (fewer than 10 employees, less than $5 million revenue, or less than $10 million in assets) and extended compliance timelines of 180 days to 2 years depending on requirement type.
Legislative Description
FINANCIAL INST CYBERSECURITY
Last Action
Rule 19(a) / Re-referred to Rules Committee
3/29/2019