November 1, 2021
Act 73 took effect on this date, with the exception of some portions noted below. Beginning on November 1, 2021, licensees were expected to meet the requirements set forth in Wis. Stat. § 601.953 and Wis. Stat. § 601.954 regarding the investigation and notification of a cybersecurity event.
Under Wis. Stat. § 601.953(1), if a licensee learns that a cybersecurity event involving its information systems has occurred, the licensee must conduct a prompt investigation that, at a minimum, includes the following:
An assessment of the nature and the scope of the event;
Identification of any nonpublic information that may have been involved; and
The performance of reasonable measures to restore security.
Wis. Stat. § 601.954 outlines the requirements for licensees to provide notice to OCI of a cybersecurity event involving nonpublic information.
Notification must be provided as promptly as possible but no later than three business days after the determination that a cybersecurity event involving nonpublic information has occurred.
Learn about reporting a cybersecurity event.
November 1, 2022
Licensees must have implemented the requirements of Wis. Stat. § 601.952 by this date. That provision requires that licensees develop, implement, and maintain a comprehensive information security program designed to protect the licensee's information systems and nonpublic information. The security program shall be based on a risk assessment conducted by the licensee that complies with Wis. Stat. § 601.952(2).
The requirements of Wis. Stat. § 601.952 do not apply to licensees:
Who have less than $10 million in total assets; or
Who have less than $5 million in gross annual revenue; or
Who have fewer than 50 employees, including independent contractors that work at least 30 hours per week.
March 1, 2023
Wis. Stat. § 601.952(8) requires that licensees provide an annual certification to OCI that the licensee is in compliance with the information security program requirements of Wis. Stat. § 601.952. Licensees must maintain records that support the certification for at least five years and shall produce the records when requested by OCI. The certification requirement only applies to licensees who are domiciled in the state of Wisconsin. Annual certifications are required to be provided to OCI not later than March 1 every year beginning in 2023. Learn about annual certification.
November 1, 2023
By this date, licensees were also required to exercise due diligence in selecting third-party service providers and make reasonable efforts to ensure that third-party service providers employ appropriate security measures and reporting of cybersecurity events, as required by Wis. Stat. § 601.952(6).