Alaska Stat. § 21.23.260
(b) [Effective January 1, 2026.] A licensee's information security program must
(c) In developing, implementing, and maintaining a licensee's information security program, the licensee shall
(1) [Effective January 1, 2026.] based on the licensee's risk assessment conducted under AS 21.23.250(a), implement the following security measures if the licensee determines that the security measure is appropriate:
(11) [Effective January 1, 2026.] establish a written incident response plan designed to promptly respond to, and recover from, a cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in the licensee's possession, the licensee's information systems, or the continuing functionality of an aspect of the licensee's business or operations; the incident response plan must address the following:
(d) [Effective January 1, 2026.] A licensee's board of directors or an appropriate committee of the licensee's board of directors shall, at a minimum, require that
(2) at least once a year, the licensee's executive management or the executive management's delegate report to the licensee's board of directors or an appropriate committee of the licensee's board of directors the following in writing:
(f) Each licensee who is an insurer domiciled in this state shall
(g) [Effective January 1, 2026.] In this section,
(2) “multi-factor authentication” means authentication through verification of at least two of the following types of authentication factors: