c. State regulators that collect, store, and transmit confi- dential information or PII about insurers or producers are responsible for safeguarding that information and notifying affected parties promptly in the event of a security breach. d. Cyber security regulations for insurers and producers should be flexible and consistent with the National Institute of Standards and Technology (NIST) security standards. e. All insurers and producers that are connected to the inter- net must meet a minimum cyber security standard. f. Regulators should conduct insurer examinations to evaluate cyber security vulnerability. g. An effective cyber security program includes a plan for insurers, producers, and regulators to respond to a cyber security breach. h. Insurers, producers, and regulators should ensure that third parties and service providers have safeguards in place to protect PII. i. Management of cyber security should be part of an insurer’s or producer’s enterprise risk management (ERM) program. j. Information technology audits that identify a cyber security risk should be reviewed with the organization’s board of directors. k. Insurers and producers must keep informed about current and emerging cyber security risks. l. Employee training about cyber security is essential for insur- ers and producers