Wipfli logo
Insights - Articles, Blogs and on-demand webcasts

Articles & E-Books


Cyber regulations reach insurance industry with NAIC insurance data security model law

Mar 09, 2022

At least 18 states have adopted their version of an insurance data security act — and more are coming. The U.S. Treasury has recommended all states implement insurance cybersecurity regulations in 2022.

Compliance deadlines vary across the country. In some states, rules around data security and notification requirements are already in effect.

The new regulations impose requirements on insurers to:

  • Conduct annual risk assessments
  • Maintain an information security program
  • Investigate cybersecurity events
  • Notify the insurance commissioner of cybersecurity events — within three days in most states
  • Notify consumers affected by a cybersecurity event

Insurance industry led on model law

States are patterning their laws after the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law. NAIC developed the model law in 2017, in response to federal calls for regulatory oversight. The model was created in an effort to standardize regulations across the U.S.

Where insurance data security laws are already in place?

So far, 18 states have enacted the NAIC Insurance Data Security Model Law. Below, shading indicates states where the initial information security program (ISP) compliance deadline has already passed:

State 1st ISP compliance deadline
Alabama May 2020
Connecticut April 2021
Delaware July 2020
Hawaii July 2022
Indiana June 2021
Iowa January 2023
Louisiana August 2021
Maine January 2022
Michigan January 2022
Minnesota August 2022
Mississippi July 2020
New Hampshire January 2021
North Dakota August 2022
Ohio March 2020
South Carolina July 2019
Tennesse July 2022
Virginia July 2022
Wisconsin November 2022

Note for New York: Before the NAIC model law was complete, New York had already passed alternate legislation covering all financial services firms.

Who needs to comply?

In states that have enacted legislation, the law applies to licensees of the state insurance bureau. This includes (with some exceptions) insurance industry companies, agencies, agents, public adjusters and brokers.

Under the NAIC model law, the regulations apply to insurers with 10 employees or more. However, some states have softened that requirement.

In Wisconsin, for example, the law applies to licensed insurers with more than $10 million in year-end total assets, more than $5 million in gross revenue and at least 50 employees. Wisconsin has also made licensees exempt from the law if they can prove compliance with regulations under HIPAA or the Gramm-Leach-Bliley Act. Learn more here.

What are the insurance data security law requirements?

While state laws lay out general requirements for the protection of consumers’ nonpublic information, insurers are responsible for designing an ISP appropriate for the size and complexity of their business, the scope of their activities and the nature of the information they hold. Requirements include: 

  • Risk assessment: As a first step, insurers need to conduct an initial risk assessment. This includes identifying reasonably foreseeable internal and external threats, assessing potential damage and determining how well their systems and safeguards manage those threats.
  • Information security program: The laws require insurers to maintain a comprehensive written information security program with appropriate physical, technical and administrative controls.
  • Incident response plan: As part of the ISP, insurers need an incident response plan outlining how they will respond to and recover from a cybersecurity event.

    Generally, the laws require prompt investigation once an organization is made aware that a cybersecurity event may have occurred. If an actual event occurs, the laws stipulate further rules and thresholds for notifying your state insurance commissioner and affected consumers.
  • Oversight of third-party service providers: Insurers will be required to exercise due diligence when working with third-party service providers and implement measures to protect systems and information. Most laws are set to phase in, giving insurers an extra year to meet this final requirement.

What insurance industry companies need to do now

Insurers need to review their information security programs and get ready to comply with the new laws that are either already here or are coming soon to their state.

Recognize that while the laws do create more regulatory requirements, compliance can help your organization improve its overall cybersecurity posture. Consumers expect you to protect their data, and this framework can help you do that

How Wipfli can help

Many initial information security program compliance deadlines have already passed, and more are coming up this year. Let Wipfli help you get into compliance with data security model law in your state(s).

Depending on your business’s needs, we offer a range of solutions. Let our team help you:

  • Develop the foundation of your information security program and coach your team on how to comply with your state’s law.
  • Complete a risk assessment to evaluate the effectiveness of your cybersecurity safeguards.
  • Deploy technology to meet technical requirements.
  • Implement managed detection and response to proactively monitor your network and defend against active threats.
  • Maintain your ISP and stay compliant.

Our cybersecurity professionals bring experience in the insurance industry and can help your organization design a compliant program. Learn more.

Related content:


Tom Wojcinski, CISA, CRISC
View Profile
Greg Foster, CPA
Southeast Market Leader
View Profile