OCI > Insurance Cybersecurity

Insurance Cybersecurity

Last Updated: January 10, 2024

Insurers and insurance producers often have access to highly sensitive consumer financial and health information collected as part of the underwriting and claims processes. This personally identifiable information (PII) is entrusted to the industry by the public. With cybersecurity events from ransomware to data breaches on the rise, insurers and consumers are at an increased risk of experiencing a serious cybersecurity incident.

In July of 2021, Governor Evers signed 2021 Wis. Act 73 into law which imposes new requirements related to insurance data security. Act 73 was derived from model legislation developed by the National Association of Insurance Commissioners (NAIC) incorporating input from all participating state insurance commissioners, industry stakeholders, and consumer representatives. Wisconsin's Office of the Commissioner of Insurance (OCI) worked under the administrations of both Governor Evers and former Governor Walker to develop a version of this model law that would best serve Wisconsinites.

Insurers and Other Licensed Entities

The Act created subchapter IX of chapter 601 and required that OCI licensees develop and maintain an information security program, take certain steps to promptly investigate cybersecurity events, and notify OCI and consumers when a cybersecurity breach has occurred. A copy of 2021 Wis. Act 73 may be found here . OCI issued a bulletin regarding this new law on September 30, 2021.

Questions concerning Act 73 or the reporting of a cybersecurity event can be sent to OCICyberReport@wisconsin.gov

Exceptions to the Cybersecurity Law

Licensees are considered exempt from most requirements of Act 73. These licensees include:

The licensee is affiliated with a broker or dealer and complies with FINRA information security program requirements;
A licensee is affiliated with an entity established pursuant to the federal Farm Credit Act and complies with information security program requirements set forth by the Farm Credit Administration;
A licensee who is subject to HIPAA privacy rules as set forth in 45 CFR parts 160 and 164 and who maintains nonpublic information in the same manner as protected health information.

Licensees who are exempt will be expected to file the annual certification with OCI to indicate that they are in compliance with the law by meeting one of the other cybersecurity program requirements as noted above.

Reporting or Updating a Cybersecurity Event

Report a New Cybersecurity Event

A licensee shall notify the Commissioner no later than three (3) business days after determining that a cybersecurity event involving nonpublic information has occurred.

That notification to OCI must include:

The date and source of the cybersecurity event.
A description as to how the cybersecurity event was discovered.
A description as to how nonpublic information was exposed including the specific data elements exposed, and an explanation and status of recovery efforts of the information.
The number of consumers affected.
A description of the efforts to address the cause of the cybersecurity event.
The results of any internal review of the cybersecurity event.
Whether the licensee notified a governmental body or supervisory entity.
A copy of the licensee's policy and steps the licensee will take to investigate and notify affected consumers.
The name of the contact person who is familiar with the cybersecurity event and authorized to act on behalf of the licensee.

Licensees should not wait to provide notice to OCI until an investigation has been completed and all of this detailed information is known. The law requires a licensee to supplement this information as additional information becomes available and notice must be given within three business days of learning of the cybersecurity event even if the full details of the event are unknown at that time.

Report a NEW Cybersecurity Event

Update to a Cybersecurity Event Report

After receipt of the initial report, licensees are required to submit additional updates as more information becomes available.

Update an Existing Cybersecurity Event

Annual Certification

Wis. Stat § 601.952(8) requires that licensees provide an annual certification to OCI that the licensee is in compliance with the information security program requirements of Wis. Stat. § 601.952. Licensees must maintain records that support the certification for at least five years and shall produce the records when requested by OCI. The certification requirement only applies to licensees who are domiciled in the state of Wisconsin. Annual certifications are required to be provided to OCI not later than March 1 every year beginning in 2023.

Insurers

The certification form will be included in insurers' annual financial packets.
Entities that use the Financial Filing Portal may file their certification there.

Intermediary firms and other business entities licensed by Agent Licensing

Must submit a certification form.
Certify compliance with the information security program requirements .

Individual Producers

Not required to submit a certification form; the exemption for licensees that have fewer than 50 employees would apply.

Annual Certification Form FAQs

Other Cybersecurity Information for Insurers

Log4j Vulnerability

On December 10, 2021, the U. S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency and the National Security Agency announced a critical remote code vulnerability in may versions of Apache's Log4j software. Log4j is a java-based logging utility incorporated in frameworks, websites, and applications, and is widely used by major cloud services and well-known software vendors and manufacturers. Threat actors are actively exploiting these vulnerabilities and successful exploitation can be used to deploy ransomware, steal data, and disrupt operations.

Licensees should assess risk to their organization, customers, consumers, and third-party service providers based upon the evolving information and take action to mitigate the risk. The Cybersecurity and Infrastructure Security Agency is maintaining and regularly updating a webpage dedicated to this vulnerability to provide emerging guidance.

OCI reminds licensees to report cybersecurity events to OCICyberReport@wisconsin.gov that meet the criteria under Wis. Stat. § 601.953 (1) within three business days after determination that a cybersecurity event has occurred.

Consumers

Consumer Protection and 2021 Wisconsin Act 73

Wisconsin insurance consumers are better protected thanks to 2021 Wisconsin Act 73. Governor Tony Evers signed this important law on July 15, 2021.

The law modernizes, defines, and toughens existing security measures that Wisconsin insurance carriers must take to protect consumer information. Under the law, insurance carriers must:

Identify internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, or destruction of consumers' private information.
Develop, implement, and maintain an information security program based on its individual risk assessment with a designated employee in charge of the information security program.
Investigate any cybersecurity breach and notify the Insurance Commissioner of a cybersecurity event if the licensee is a domiciled insurer or if more than 250 Wisconsinites are impacted.

To raise greater awareness among consumers about cybersecurity, OCI recommends that consumers familiarize themselves with the NAIC's Cybersecurity Consumer Protections.

Keep Your Information Safe Online

We increasingly rely on the internet to work, bank, shop, and socialize. Our health and financial information is stored online and devices are connected to control everything from home security systems to thermostats and TVs. While convenient, these connections open the door for possible malicious activity. Help manage your cybersecurity risks with these tips from the National Association of Insurance Commissioners (NAIC).

Secure Your Information

Keep tabs on your information and your children's information
Avoid carrying your Social Security number in your wallet or purse
Monitor your accounts and credit score regularly
Ask your bankers, credit card companies, and financial advisors about their policies around fraud protection
Consider the personal information you share on social media

Secure Your Data

Be alert to impersonators by being careful about who you trust online
Safely dispose of personal information by shredding documents using a cross-cut shredder
Use strict privacy settings on your computer, devices and browsers
Keep passwords private and complex
Be careful when sharing personal information on social media
Be cautious of what you download from the internet
If your social security number is requested by a vendor, ask why it's needed and how it will be used and protected

Secure Your Devices

Keeping your information safe also means ensuring your devices, including smart phones, laptops, desktops, tablets, and other devices are secure:

Update your software regularly
Use antivirus or anti-malware software to protect against malicious software that disrupts computer operations, gathers sensitive information, gains access to private computers, or displays unwanted advertising
Password protect your laptop to prevent unknown users from accessing it
Avoid opening emails or attachments from unknown senders
Back up your files to an encrypted flash drive or external hard drive

The Federal Deposit Insurance Corporation (FDIC) offers Cybersecurity Tips to help you protect your computer and money from online criminals.

Identity Theft Insurance

The cybersecurity insurance and identity theft insurance market is growing and may be useful to you or your business depending on the types of information you collect and store.

Some home and auto policies now offer identity theft protection, which includes access to credit monitoring and repair services in the event of a breach. This coverage only refunds the costs associated with restoring your identity. It does not cover losses if a credit or debit card is used to make purchases or get cash; restoring these losses would depend on the coverage policies of your credit card company and bank.

Your insurance agent may be able to help provide more information about assessing your risks and whether additional coverage is needed on home or auto policies.

Cybersecurity Insurance Business Coverage

Despite high profile data breaches of large companies, small companies are also targets for hackers as they possess sensitive information but typically have less security than larger companies. Cybersecurity insurance provides coverage for compromised security or privacy breaches at work. Business cybersecurity policies tend to be highly customized and therefore, costly.

There are steps you can take to help secure your business:

Start by conducting a security and self-risk assessment. Determine what to protect, what protection exists, and where there are gaps. This also means developing a plan to protect your property and data, operational information, and client data. Finally, identify the tools you need to protect this information.
Implement sound cybersecurity procedures and training for employees. Educate employees on smart use of social media, how to spot suspicious emails, and not connecting to public Wi-Fi on a company device.
If your small business has a disaster recovery plan , consider cybersecurity insurance as part of it. If you don't have such a plan, consider creating one. Developing procedures and identifying threats is important but you also must understand your vulnerabilities. You might consider testing such as an internal phishing campaign against employees to check your company's vulnerability.
Always back up important business systems and data. Implement settings encouraging regular password changes, restrictions on the websites employees can access as well as strong security software.