Insurance Cybersecurity

Last Updated: September 30, 2021

Insurers and insurance producers often have access to highly sensitive consumer financial and health information collected as part of the underwriting and claims processes. This personally identifiable information (PII) is entrusted to the industry by the public. With cybersecurity events from ransomware to data breaches on the rise, insurers and consumers are at increased risk of experiencing a serious cybersecurity incident.

In July 2021, Governor Evers signed 2021 Wis. Act 73 into law, which imposes new requirements related to insurance data security. Act 73 was derived from model legislation developed by the National Association of Insurance Commissioners (NAIC), incorporating input from all participating state insurance commissioners, industry stakeholders, and consumer representatives. Wisconsin's Office of the Commissioner of Insurance (OCI) worked under the administrations of both Governor Evers and former Governor Walker to develop a version of this model law that would best serve Wisconsinites.


The Act creates subchapter IX of chapter 601 and requires that OCI licensees develop and maintain an information security program, take certain steps to promptly investigate cybersecurity events, and notify OCI and consumers when a cybersecurity breach has occurred. A copy of 2021 Wis. Act 73 may be found here. OCI issued a bulletin regarding this new law on September 30, 2021, which can be found here.



Key Implementation Dates

November 1, 2021
Act 73 takes effect on this date, with the exception of the portions noted below. Beginning on November 1, 2021, licensees are expected to meet the requirements set forth by Wis. Stat. § 601.953 and Wis. Stat. § 601.954 regarding the investigation of, and notification about, a cybersecurity event.

Under Wis. Stat. § 601.953(1), if a licensee learns that a cybersecurity event involving its information systems has occurred, the licensee must conduct a prompt investigation that, at a minimum, includes the following:

  • An assessment of the nature and scope of the event;
  • Identification of any nonpublic information that may have been involved; and
  • The performance of reasonable measures to restore security.

Wis. Stat. § 601.954 outlines the requirements for licensees to provide notice to OCI of a cybersecurity event involving nonpublic information.

Notification must be provided as promptly as possible, but no later than three business days after the determination that a cybersecurity event involving nonpublic information has occurred. Insurers may file a cybersecurity event notification here.

November 1, 2022
Licensees must have implemented the requirements of Wis. Stat. § 601.952 by this date. That provision requires that licensees develop, implement, and maintain a comprehensive information security program designed to protect the licensee's information systems and nonpublic information. The security program shall be based on a risk assessment conducted by the licensee that complies with Wis. Stat. § 601.952(2).

The requirements of Wis. Stat. § 601.952 do not apply to licensees that have:

  • Less than $10 million in total assets; or
  • Less than $5 million in gross annual revenue; or
  • Fewer than 50 employees, counting independent contractors who work at least 30 hours per week.

March 1, 2023
Wis. Stat. § 601.952(8) requires that licensees provide an annual certification to OCI that the licensee is in compliance with the information security program requirements of Wis. Stat. § 601.952. Licensees must maintain records that support the certification for at least five years and must produce the records when requested by OCI. The certification requirement applies only to licensees domiciled in the state of Wisconsin. Annual certifications must be provided to OCI no later than March 1 of every year, beginning in 2023.

November 1, 2023
By this date, licensees are also required to exercise due diligence in selecting third-party service providers and to make reasonable efforts to ensure that third-party service providers employ appropriate security measures and report cybersecurity events, as required by Wis. Stat. § 601.952(6).


Other Exceptions to the Cybersecurity Law

Certain licensees are exempt from most requirements of Act 73. A licensee is exempt if it:

  • Is affiliated with a depository institution and complies with the interagency security guidelines issued under 15 USC 6801 and 6805;
  • Is affiliated with a broker or dealer and complies with FINRA information security program requirements;
  • Is affiliated with an entity established pursuant to the federal Farm Credit Act and complies with the information security program requirements set forth by the Farm Credit Administration; or
  • Is subject to the HIPAA privacy rules set forth in 45 CFR parts 160 and 164 and maintains nonpublic information in the same manner as protected health information.

Exempt licensees are still expected to file the annual certification with OCI, indicating that they comply with the law by meeting one of the alternative cybersecurity program requirements listed above.


Reporting of a Cybersecurity Event

A licensee shall notify the Commissioner no later than three (3) business days after determining that a cybersecurity event involving nonpublic information has occurred.

To report a Cybersecurity Event via our website, please click on the following link: Report a Cybersecurity Event

That notification to OCI must include:

  • The date and source of the cybersecurity event.
  • A description as to how the cybersecurity event was discovered.
  • A description of how nonpublic information was exposed, including the specific data elements exposed, and an explanation and status of efforts to recover the information.
  • The number of consumers affected.
  • A description of the efforts to address the cause of the cybersecurity event.
  • The results of any internal review of the cybersecurity event.
  • Whether the licensee notified a governmental body or supervisory entity.
  • A copy of the licensee's policy and steps the licensee will take to investigate and notify affected consumers.
  • The name of the contact person who is familiar with the cybersecurity event and authorized to act on behalf of the licensee.

Licensees should not wait to notify OCI until an investigation has been completed and all of this detailed information is known. Notice must be given within three business days of determining that a cybersecurity event has occurred, even if the full details of the event are unknown at that time, and the law requires the licensee to supplement the notice as additional information becomes available.


Forms

Report a NEW Cybersecurity Event 

Update an Existing Cybersecurity Event 



Contact Information

Questions concerning Act 73 or the reporting of a cybersecurity event can be sent to OCICyberReport@wisconsin.gov 

Wisconsin insurance consumers will be better protected thanks to 2021 Wisconsin Act 73. Governor Tony Evers signed this important law on July 15, 2021.

The law modernizes, defines, and toughens existing security measures that Wisconsin insurance carriers must take to protect consumer information. Under the new law, insurance carriers must:

  • Identify internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, or destruction of consumers' private information.
  • Develop, implement, and maintain an information security program based on its individual risk assessment with a designated employee in charge of the information security program.
  • Investigate any cybersecurity breach and notify the Insurance Commissioner of a cybersecurity event if the licensee is a domiciled insurer or if more than 250 Wisconsinites are impacted.

To raise greater awareness among consumers about cybersecurity, OCI recommends that consumers familiarize themselves with the NAIC's Cybersecurity Consumer Protections.


Lock down your assets, secure your data

We increasingly rely on the internet to work, bank, shop, and socialize. Our health and financial information is stored online, and connected devices control everything from home security systems to thermostats and TVs. While convenient, these connections open the door to possible malicious activity. Help manage your cybersecurity risks with these tips from the National Association of Insurance Commissioners (NAIC).

  • Keep tabs on your information and your children's information
  • Avoid carrying your Social Security number in your wallet or purse
  • Monitor your accounts and credit score regularly
  • Ask your bankers, credit card companies, and financial advisors about their policies around fraud protection
  • Consider the personal information you share on social media


How can I keep my information safe online?

There are basic steps you can take to secure your information and data.

  • Be alert to impersonators by being careful about who you trust online
  • Safely dispose of personal information by shredding documents using a cross-cut shredder
  • Use strict privacy settings on your computer, devices and browsers
  • Keep passwords private and complex
  • Be careful when sharing personal information on social media
  • Be cautious of what you download from the internet
  • If your social security number is requested by a vendor, ask why it's needed and how it will be used and protected

Keeping your information safe also means ensuring your devices, including smart phones, laptops, desktops, tablets, and other devices, are secure:

  • Update your software regularly
  • Use antivirus or anti-malware software to protect against malicious software that disrupts computer operations, gathers sensitive information, gains access to private computers, or displays unwanted advertising
  • Password protect your laptop to prevent unknown users from accessing it
  • Avoid opening emails or attachments from unknown senders
  • Back up your files to an encrypted flash drive or external hard drive

The Federal Deposit Insurance Corporation (FDIC) offers a Cybersecurity Checklist to help you protect your computer and money from online criminals.


Identity Theft Insurance

The cybersecurity insurance and identity theft insurance market is growing and may be useful to you or your business depending on the types of information you collect and store.

Some home and auto policies now offer identity theft protection, which includes access to credit monitoring and repair services in the event of a breach. This coverage only refunds the costs associated with restoring your identity. It does not cover losses if a credit or debit card is used to make purchases or get cash; restoring these losses would depend on the coverage policies of your credit card company and bank.

Your insurance agent may be able to help provide more information about assessing your risks and whether additional coverage is needed on home or auto policies.


Cybersecurity Insurance Business Coverage

High-profile data breaches at large companies draw the headlines, but small companies are also targets for hackers: they hold sensitive information but typically have less security than larger companies. Cybersecurity insurance provides coverage for compromised security or privacy breaches at work. Business cybersecurity policies tend to be highly customized and, therefore, costly.

There are steps you can take to help secure your business:

  • Start by conducting a security and self-risk assessment. Determine what to protect, what protection exists, and where there are gaps. This also means developing a plan to protect your property and data, operational information, and client data. Finally, identify the tools you need to protect this information.
  • Implement sound cybersecurity procedures and training for employees. Educate employees on smart use of social media, how to spot suspicious emails, and not connecting to public Wi-Fi on a company device.
  • If your small business has a disaster recovery plan, consider cybersecurity insurance as part of it. If you don't have such a plan, consider creating one. Developing procedures and identifying threats is important, but you must also understand your vulnerabilities. You might consider testing, such as an internal phishing campaign against employees, to check your company's vulnerability.
  • Always back up important business systems and data. Implement settings that encourage regular password changes, restrict the websites employees can access, and require strong security software.