Insurance data security law compliance

Are you prepared to meet your state deadlines?

At least 22 states have strengthened cybersecurity requirements for the insurance industry, adopting data security laws based on the NAIC’s Insurance Data Security Model Law. And more are coming.

The model law serves as a blueprint for state-level laws regulating insurance companies, in response to federal calls for regulatory oversight.

Compliance deadlines vary. In many states, rules around data security and incident notification are already in effect.

The new regulations require your insurance business to:

  • Conduct annual risk assessments
  • Maintain an information security program
  • Notify the insurance commissioner of cybersecurity events — within three days in most states
  • Notify consumers affected by a cybersecurity event

Let Wipfli help you get into compliance

Our cybersecurity professionals have direct experience in the insurance industry and in providing the solutions needed to comply with the new laws. To better meet your business’s exact needs, we offer these solutions:

  • Helping you understand how to comply: We help you develop the foundation of your information security program. By performing an NAIC gap assessment, we can work with you to create a roadmap for compliance. We also provide security officer coaching on how to comply with your state’s law, as well as templates for security program policies, risk assessments, response procedures, third-party risk classification and more.
  • Giving you the tools to self-manage your program: Our second solution includes the above, plus a network threat assessment, external penetration test, employee security awareness training and a full risk assessment so you can further ensure compliance and mitigate risks. This solution sets you up to manage your program internally.
  • Outsourcing the development and oversight of your program through a fractional model: A virtual chief information security officer (vCISO) can provide the strategic capabilities needed for a sound, effective cybersecurity operation. For smaller organizations, a full-time CISO may be cost prohibitive. A vCISO can provide the gravitas and high-level monitoring your information security program requires when your resources are limited.
  • Outsourcing the implementation and management of your program: Our most comprehensive solution provides you with an online compliance portal, vendor management, managed detection and response, vCISO services, mobile device management, annual risk assessment updates, incident response tabletop exercises and more. In this solution, Wipfli implements and then manages components of your program on an ongoing basis, freeing your staff up to focus on other priorities.

Which solution is best for your business? Contact us to set up a meeting to discuss your state regulations and compliance plans.