Ala. Code § 27-62-4 (2026)
(b) The information security program of a licensee shall be designed to do all of the following:
(c) The licensee shall do all of the following:
(4) Assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage these threats, including consideration of threats in each relevant area of the operations of the licensee, including all of the following:
(d) Based on its risk assessment, the licensee shall do all of the following:
(2) Determine which security measures listed in this subdivision are appropriate and, if appropriate, do the following to implement the security measures:
(e) If the licensee has a board of directors, the board or an appropriate committee of the board, at a minimum, shall do all of the following:
(2) Require the executive management of the licensee or its delegates to report in writing at least annually, all of the following:
(f)
(h)
(2) The incident response plan shall address all of the following areas:
(Act 2019-98, §§4, 14.)