4. a. Within 120 days after the effective date of P.L.2017, c.133 (C. 58:31-1 et seq.), each water purveyor shall develop a cybersecurity program, in accordance with requirements established by the New Jersey Cybersecurity and Communications Integration Cell , as rules and regulations adopted pursuant to the “Administrative Procedure Act,” P.L.1968, c.410 (C. 52:14B-1 et seq.), that defines and implements organization accountabilities and responsibilities for cyber risk management activities, and establishes policies, plans, processes, and procedures for identifying and mitigating cyber risk to its public community water system. As part of the cybersecurity program, a water purveyor shall: identify the individual chiefly responsible for ensuring that the policies, plans processes, and procedures established pursuant to this section are executed in a timely manner; conduct risk assessments and implement appropriate controls to mitigate identified risks to the public community water system; maintain situational awareness of cyber threats and vulnerabilities to the public community water system; and create and exercise incident response and recovery plans. No later than 180 days after the effective date of P.L.2021, c.262 (C. 58:31-4.1 et al.), a water purveyor shall update its cybersecurity program to conform to the requirements of section 3 of P.L.2021, c.262 (C. 58:31-4.1).

A water purveyor shall submit a copy of the cybersecurity program developed pursuant to this subsection to the New Jersey Cybersecurity and Communications Integration Cell, in a form and manner as determined by the New Jersey Cybersecurity and Communications Integration Cell. A cybersecurity program submitted pursuant to this subsection shall not be considered a government record under P.L.1963, c.73 (C. 47:1A-1 et seq.), and shall not be made available for public inspection.

b. Within 60 days after developing the cybersecurity program required pursuant to subsection a. of this section, each water purveyor shall join the New Jersey Cybersecurity and Communications Integration Cell and create a cybersecurity incident reporting process.

c. (Deleted by amendment, P.L.2021, c.262).

d. No later than 180 days after the effective date of P.L.2021, c.262 (C. 58:31-4.1 et al.), each water purveyor shall obtain a cybersecurity insurance policy that meets any applicable standards adopted by the board.

L.2017, c.133, s.4; amended 2021, c.262, s.2.