Wisconsin is the latest state to codify a set of cybersecurity regulations that require insurance companies to develop policies to protect the personal data and privacy of individuals.
Wisconsin Governor Tony Evers recently signed Act 73, which formalizes the state’s adoption of the National Association of Insurance Commissioners (NAIC) model data security law and the associated cybersecurity framework. The framework provides a structure of standards, guidelines, and practices to help organizations, regulators, and customers in critical infrastructure sectors manage their cyber risks effectively.
With some exceptions, the Wisconsin law will require any person or entity licensed by the state's Office of the Commissioner of Insurance (OCI) to develop an information security program that protects its systems and data.
Within one year, licensees must also conduct a risk assessment and address any areas that put their consumers' data or their IT systems at risk. Insurance organizations will be required to develop written security programs, detail incident response plans, provide employee training, and provide for oversight by the insurer’s board of directors as well as oversight of third-party service providers. The Model Law, which was initially introduced in 2017 and updated in 2018, further calls for insurers to report and investigate data breaches promptly and to certify their compliance efforts annually.
MSSPs Supporting Insurance Clientele
Managed security service providers (MSSPs) working in the insurance vertical should take particular note of the NAIC model in Wisconsin and other states that have adopted the standard. Those states include recent adopters Iowa, Maine and North Dakota along with Alabama, Connecticut, Delaware, Louisiana, Michigan, Mississippi, New Hampshire, Ohio, South Carolina and Virginia.
MSSPs will also want to monitor cybersecurity legislation in states that have yet to pass similar laws, including Hawaii, Idaho, Illinois, Iowa, Minnesota and Rhode Island, which have similar bills pending.
Wisconsin’s Act 73 includes input from all participating state insurance commissioners, industry stakeholders, and consumer representatives. Wisconsin's Office of the Commissioner of Insurance (OCI) worked under the administrations of Evers and former Governor Walker to develop a version of this model law that is tailored to Wisconsin residents and organizations.
“From ransomware to data breaches, insurers and consumers are at an increasing risk of experiencing a serious cybersecurity incident," Wisconsin Insurance Commissioner Mark Afable said. “The new consumer protections in this Act will help protect personal data and keep Wisconsin insurance companies secure."
Risk Assessment & Security Program Requirements
Based on the outcome of the required risk assessment, the licensee must design a security program that takes into account:
- Size and complexity of the licensee.
- Nature and scope of the licensee's activities, including its use of third-party service providers.
- Sensitivity of the nonpublic information.
Licensees must also draft a written incident response plan that details mitigation of and recovery from a cybersecurity event that compromises:
- The confidentiality, integrity, or availability of nonpublic information.
- The licensee's information systems.
- The continuing functionality of any aspect of the licensee's business or operations.
The response plan must address:
- Internal process for responding to a cybersecurity event.
- Roles, duties, and decision-making authority of those responding to such an event.
- Requirements for the remediation of identified weaknesses in the information systems.
- Evaluation and revision of the incident response plan following a cybersecurity event.
Licensees with fewer than 50 employees, less than $10 million in total year-end assets, or less than $5 million in gross annual revenue are exempt from the law, a JD Supra report said.
“As we become even more dependent on technology, Wisconsin insurers are committed to protecting our customers' personal information," said Connie O'Connell, Executive Director of the Wisconsin Council of Life Insurers. “Our agents and companies recognize the serious threat of potential cyber attacks and strongly support adopting these critical protections."
The Wisconsin law is effective as of November 1, 2022.