The Act creates subchapter IX of chapter 601 and requires that OCI licensees develop and maintain an information security program, take certain steps to promptly investigate cybersecurity events, and notify OCI and consumers when a cybersecurity breach has occurred. A copy of 2021 Wis. Act 73 may be found here. OCI issued a bulletin regarding this new law on September 30, 2021, which can be found here.
Key Implementation Dates
November 1, 2021
Act 73 takes effect on this date with the exception of some portions noted below. Beginning on November 1, 2021, licensees are expected to meet the requirements set forth by Wis. Stat. § 601.953 and Wis. Stat. § 601.954 regarding the investigation and notification of a cybersecurity event.
Under Wis. Stat. § 601.953(1), if a licensee learns that a cybersecurity event involving its information systems has occurred, the licensee must conduct a prompt investigation that, at a minimum, includes the following:
- An assessment of the nature and the scope of the event;
- Identification of any non-public information that may have been involved; and
- The performance of reasonable measures to restore security.
Wis. Stat. § 601.954 outlines the requirements for licensees to provide notice to OCI of a cybersecurity event involving nonpublic information.
Notification must be provided as promptly as possible but no later than three business days after the determination that a cybersecurity event involving nonpublic information has occurred. Insurers may file a cybersecurity event notification here.
November 1, 2022
Licensees must have implemented the requirements of Wis. Stat. § 601.952 by this date. That provision requires that licensees develop, implement, and maintain a comprehensive information security program designed to protect the licensee's information systems and nonpublic information. The security program shall be based on a risk assessment conducted by the licensee that complies with Wis. Stat. § 601.952(2).
The requirements of Wis. Stat. § 601.952 do not apply to licensees that have:
- Less than $10 million in total assets; or
- Less than $5 million in gross annual revenue; or
- Fewer than 50 employees, including independent contractors who work at least 30 hours per week.
March 1, 2023
Wis. Stat. § 601.952(8) requires that licensees provide an annual certification to OCI that the licensee is in compliance with the information security program requirements of Wis. Stat. § 601.952. Licensees must maintain records that support the certification for at least five years and shall produce the records when requested by OCI. The certification requirement only applies to licensees who are domiciled in the state of Wisconsin. Annual certifications are required to be provided to OCI not later than March 1 every year beginning in 2023.
November 1, 2023
By this date, licensees are also required to exercise due diligence in selecting third-party service providers and make reasonable efforts to ensure that third-party service providers employ appropriate security measures and reporting of cybersecurity events as required by Wis. Stat. § 601.952(6).
Other Exceptions to the Cybersecurity Law
Certain licensees are exempt from most requirements of Act 73. These include:
- A licensee that is affiliated with a depository institution and complies with the interagency security guidelines set forth in 15 USC 6801 and 6805;
- A licensee that is affiliated with a broker or dealer and complies with FINRA information security program requirements;
- A licensee that is affiliated with an entity established pursuant to the federal Farm Credit Act and complies with the information security program requirements set forth by the Farm Credit Administration;
- A licensee that is subject to the HIPAA privacy rules set forth in 45 CFR parts 160 and 164 and that maintains nonpublic information in the same manner as protected health information.
Licensees who are exempt will be expected to file the annual certification with OCI to indicate that they are in compliance with the law by meeting one of the other cybersecurity program requirements as noted above.
Reporting of a Cybersecurity Event
A licensee shall notify the Commissioner no later than three (3) business days after determining that a cybersecurity event involving nonpublic information has occurred.
To report a Cybersecurity Event via our website, please click on the following link: Report a Cybersecurity Event
That notification to OCI must include:
- The date and source of the cybersecurity event.
- A description of how the cybersecurity event was discovered.
- A description of how nonpublic information was exposed, including the specific data elements exposed, and an explanation and status of efforts to recover the information.
- The number of consumers affected.
- A description of the efforts to address the cause of the cybersecurity event.
- The results of any internal review of the cybersecurity event.
- Whether the licensee notified a governmental body or supervisory entity.
- A copy of the licensee's policy and steps the licensee will take to investigate and notify affected consumers.
- The name of the contact person who is familiar with the cybersecurity event and authorized to act on behalf of the licensee.
Licensees should not wait to provide notice to OCI until an investigation has been completed and all of this detailed information is known. The law requires a licensee to supplement this information as additional information becomes available, and notice must be given within three business days of learning of the cybersecurity event even if the full details of the event are unknown at that time.
Report a NEW Cybersecurity Event
Update an Existing Cybersecurity Event
Questions concerning Act 73 or the reporting of a cybersecurity event can be sent to OCICyberReport@wisconsin.gov