Wipfli logo

Insurance data security law compliance

Are you prepared to meet your state deadlines?

At least 22 states have strengthened cybersecurity requirements for the insurance industry, adopting data security laws based on the NAIC’s Insurance Data Security Model Law. And more are coming.

The model law serves as a blueprint for state-level laws regulating insurance companies, in response to federal calls for regulatory oversight.

Compliance deadlines vary. In many states, rules around data security and incident notification are already in effect.

The new regulations require your insurance business to:

  • Conduct annual risk assessments
  • Maintain an information security program
  • Notify the insurance commissioner of cybersecurity events — within three days in most states
  • Notify consumers affected by a cybersecurity event

Let Wipfli help you get into compliance

Our cybersecurity professionals have direct experience in the insurance industry and in providing the solutions needed to comply with the new laws. To better meet your business’s exact needs, we offer these solutions:

  • Helping you understand how to comply: We help you develop the foundation of your information security program. By performing an NAIC gap assessment, we can work with you to create a roadmap for compliance. We also provide security officer coaching on how to comply with your state’s law, as well as templates for security program policies, risk assessments, response procedures, third-party risk classification and more.
  • Giving you the tools to self-manage your program: Our second solution includes the above, plus a network threat assessment, external penetration test, employee security awareness training and a full risk assessment so you can further ensure compliance and mitigate risks. This solution sets you up to manage your program internally.
  • Outsourcing the development and oversight of your program through a fractional model: A virtual chief Information security officer (vCISO) can provide the strategic capabilities needed for a sound, effective cybersecurity operation. For smaller organizations, a full-time CISO may be cost prohibitive. A vCISO can provide the gravitas and high-level monitoring your information security program requires when your resources are limited.
  • Outsourcing the implementation and management of your program:  Our most comprehensive solution provides you with an online compliance portal, vendor management, managed detection and response, vCISO services, mobile device management, annual risk assessment updates, incident response tabletop exercises and more. In this solution, Wipfli implements and then manages components of your program on an ongoing basis, freeing your staff up to focus on other priorities.