Ind. Code § 27-2-27-22
(a) In the case of a cybersecurity event involving nonpublic information that:
(2) is in the possession, custody, or control of a licensee that:
(B) does not have a direct contractual relationship with the affected consumers;
the assuming insurer shall notify its affected ceding insurers and the commissioner of its state of domicile within three (3) business days after making the determination that a cybersecurity event has occurred and the ceding insurers that have a direct contractual relationship with affected consumers shall fulfill the consumer notification requirements imposed under IC 24-4.9 and any other notification requirements relating to a cybersecurity event imposed under section 21(c) through 21(f) of this chapter.
(b) In the case of a cybersecurity event involving nonpublic information that is in the possession, custody, or control of a third party service provider of a licensee that is an assuming insurer:
As added by P.L.130-2020, SEC.10.