Wipfli logo
Insights - Articles, Blogs and on-demand webcasts

Articles & E-Books


Cyber regulations reach insurance industry with NAIC insurance data security model law

Nov 03, 2023

Six years after the release of the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law, at least 22 states have adopted their version of an insurance data security act — and more are coming.

Compliance deadlines vary across the country, but the initial implementation dates are now in effect in many states, focused especially on the rules around data security and notification requirements.

The regulations impose requirements on insurers to:

  • Conduct annual risk assessments.
  • Maintain an information security program.
  • Develop and manage a cybersecurity incident response plan.
  • Notify the insurance commissioner of cybersecurity events — within three days in most states.
  • Notify consumers affected by a cybersecurity event.

Insurance industry led on model law

States are patterning their laws after the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law. NAIC developed the model law in 2017 in response to federal calls for regulatory oversight. The model was created in an effort to standardize regulations across the U.S.

Where are insurance data security laws already in place?

So far, 22 states have enacted the NAIC Insurance Data Security Model Law.

Who needs to comply?

In states that have enacted legislation, the law applies to licensees of the state insurance bureau. This includes (with some exceptions) insurance industry companies, agencies, agents, public adjusters and brokers.

Under the NAIC model law, the regulations apply to insurers with 10 employees or more. However, some states have softened that requirement.

In Wisconsin, for example, the law applies to licensed insurers with more than $10 million in year-end total assets, more than $5 million in gross revenue and at least 50 employees. Wisconsin has also made licensees exempt from the law if they can prove compliance with regulations under HIPAA or the Gramm-Leach-Bliley Act. Learn more here.

What are the insurance data security law requirements?

While state laws lay out general requirements for the protection of consumers’ nonpublic information, insurers are responsible for designing an ISP appropriate for the size and complexity of their business, the scope of their activities and the nature of the information they hold. Requirements include:

  • Risk assessment: As a first step, insurers need to conduct an initial risk assessment. This includes identifying reasonably foreseeable internal and external threats, assessing potential damage and determining how well their systems and safeguards manage those threats.
  • Information security program: The laws require insurers to maintain a comprehensive written information security program with appropriate physical, technical and administrative controls.
  • Incident response plan: As part of the ISP, insurers need an incident response plan outlining how they will respond to and recover from a cybersecurity event.

    Generally, the laws require prompt investigation once an organization is made aware that a cybersecurity event may have occurred. If an actual event occurs, the laws stipulate further rules and thresholds for notifying your state insurance commissioner and affected consumers.

  • Oversight of third-party service providers: Insurers will be required to exercise due diligence when working with third-party service providers and implement measures to protect systems and information. Most laws are set to phase in, giving insurers an extra year to meet this final requirement.

What insurance industry companies need to do now

Insurers need to review their information security programs and get ready to comply with the new laws that are either already here or are coming soon to their state.

Recognize that while the laws do create more regulatory requirements, compliance can help your organization improve its overall cybersecurity posture. Consumers expect you to protect their data, and this framework can help you do that.

How Wipfli can help

Many initial information security program compliance deadlines have already passed, and more are coming up this year. Let Wipfli help you get into compliance with data security model law in your state(s).

  • Depending on your business’s needs, we offer a range of solutions. Let our team help you:
  • Develop the foundation of your information security program and coach your team on how to comply with your state’s law.
  • Complete a risk assessment to evaluate the effectiveness of your cybersecurity safeguards.
  • Deploy technology to meet technical requirements.
  • Implement managed detection and response to proactively monitor your network and defend against active threats.
  • Maintain your ISP and stay compliant.

Our cybersecurity professionals bring experience in the insurance industry and can help your organization design and monitor a compliant program. Learn more.

Related content:


Tom Wojcinski
View Profile
Greg Foster, CPA
Southeast Market Leader
View Profile