Common use of Systems Security Clause in Contracts

Systems Security. Insurer shall maintain policies, procedures and practices related to system security and integrity that are in line with national industry standards and best practices. Insurer shall regularly, no less frequently than annually, review and update its policies, procedures and practices for the following areas: a. Telework and remote access; b. External data loss risk management; c. Internal data loss risk management; and d. Information and data security.

Insurer shall provide ninety (90) Calendar Days’ prior notice of any planned, significant system changes, including changes or upgrades to claims processing, customer service, enrollment or operating systems or any other systems that may materially impact services provided under this Contract. Insurer shall notify FHKC within three (3) Business Days of identification of any issues impacting Insurer’s claims processing related to this Contract.

Insurer’s mail gateways shall be capable of, and Insurer shall send, encrypted emails to FHKC when PHI or PII is involved. Insurer shall also ensure its mail gateways are capable of receiving FHKC’s encrypted emails. Insurer’s use of an email gateway using a Transport Layer Security connection satisfies this requirement.

Insurer shall obtain a National Institute of Standards and Technology (NIST) compliant information security risk assessment conducted by an independent third party at least every three (3) years with the first assessment obtained within the first Contract Year unless such an assessment was completed within two (2) years prior to the Contract Effective Date. An independent assessment following the NIST SP800-30 guidance, or its successor, satisfies this requirement.

6-1 Security Incidents

Insurer shall report all security incidents to FHKC in accordance with Attachment B.
Insurer shall be liable for financial consequences in the amount of five hundred dollars ($500) per Calendar Day for failure to provide all necessary information to FHKC in the format and timeframe required. Financial consequences apply to each Calendar Day beyond the due date until provided to FHKC in the required format, inclusive of the day provided to FHKC.

Appears in 3 contracts

Sources: Medical Services Agreement, Medical Services Agreement, Medical Services Agreement