(1) In the event of a major cybersecurity incident, as defined in policy established by the office of cybersecurity in accordance with RCW 43.105.450, state agencies must report that incident to the office of cybersecurity within 24 hours of discovery of the incident.

(2) State agencies must provide the office of cybersecurity with contact information for any external parties who may have material information related to the cybersecurity incident.

(3) Once a cybersecurity incident is reported to the office of cybersecurity, the office of cybersecurity must investigate the incident to determine the degree of severity and facilitate any necessary incident response measures that need to be taken to protect the enterprise.

(4) The chief information security officer or the chief information security officer's designee shall serve as the state's point of contact for all major cybersecurity incidents.

(5) The office of cybersecurity must create policy to implement this section.