Data security has been a hot topic for the insurance industry in recent years, particularly the development of information security programs (“ISPs”) by insurers, producers, and other insurance licensees. New York was the first state to adopt insurance data security requirements in 2017. Since then, 21 states, including Wisconsin, have adopted some form of insurance data security law, generally mirroring the National Association of Insurance Commissioners Insurance Data Security Model Law (the “Model Law”), which was also promulgated in 2017. Additionally, at least two other jurisdictions have insurance data security laws pending as of November 2022 (Pennsylvania and the District of Columbia).
One of the primary requirements of the New York regulations and the Model Law is that licensees (generally defined as all persons licensed or required to be licensed under the insurance laws of, and domiciled in, the particular state) must create and implement an ISP. Under the Model Law, ISPs are required to:
(1) Protect the security and confidentiality of Nonpublic Information and the security of the Information System;
(2) Protect against any threats or hazards to the security or integrity of Nonpublic Information and the Information System;
(3) Protect against unauthorized access to or use of Nonpublic Information, and minimize the likelihood of harm to any Consumer; and
(4) Define and periodically reevaluate a schedule for retention of Nonpublic Information and a mechanism for its destruction when no longer needed.
Model Law Section 4(B). Licensees must design their ISPs commensurate with the size, complexity, nature, and scope of the licensee’s insurance activities. Model Law Section 4(A).
Unique to New York, any person licensed under New York’s insurance law is required to certify annually that they comply with New York’s ISP requirements. 23 NYCRR 500.17(b). The Model Law, on the other hand, only requires that insurers certify ISP compliance with their domestic state insurance regulator. Under the Model Law, other licensees, such as producers, are not required to make any formal certification. Model Law Section 4(I).
Wisconsin recently enacted 2021 Wisconsin Act 73, which takes a middle-ground approach to ISP certification. Specifically, Wis. Stat. § 601.952(8) requires that any licensee domiciled in Wisconsin annually submit certification of ISP compliance by March 1 of each year. Wisconsin adopted the Model Law definition of licensees noted above, which includes any persons licensed or required to be licensed under Wisconsin’s insurance code that are domiciled in Wisconsin (including insurers, producers, etc.). Wis. Stat. § 601.95(7). Wisconsin is the first state other than New York to require non-insurer licensees to certify ISP compliance.
The Wisconsin Office of the Commissioner of Insurance (OCI) has provided some guidance regarding the annual ISP certification on its website. OCI’s website clarifies that: (1) insurers will complete their certification as part of the insurer’s annual financial submissions; (2) intermediary firms (i.e., business entity producers) must submit the certification form online; and (3) individual producers are not required to submit a certification form, based on the presumption that individuals meet the “fewer than 50 employees” exemption under Wis. Stat. § 601.952(9)(a)(3).
Intermediary firms domiciled in Wisconsin may be exempt from the annual cybersecurity certification if the firm meets any of the following criteria: (1) has less than $10 million in year-end total assets; (2) has less than $5 million in gross annual revenue; or (3) has fewer than 50 employees (including independent contractors) who work at least 30 hours per week for the licensee. Wis. Stat. § 601.952(9)(a). Intermediary firms domiciled in Wisconsin may also be exempt from the certification requirements, and from the Wisconsin insurance data security laws generally, if the firm maintains an ISP in connection with FINRA requirements, Farm Credit Administration requirements, or HIPAA. Wis. Stat. § 601.951(2).
However, all exempt intermediary firms are still required to make the cybersecurity certification as outlined above by March 1, 2023. According to OCI, the firm will be able to claim the applicable exemption(s) for its business when submitting the form online. OCI has yet to decide if it will require such exempt firms to annually certify to their exemption.
Accordingly, Wisconsin-domiciled intermediary firms are encouraged to consult with regulatory counsel to review the firm’s particular ISP needs and related certification requirements.