
WISCONSIN RESIDENT PRODUCERS REQUIRED TO SUBMIT ANNUAL CYBERSECURITY CERTIFICATION BY MARCH 1, 2023

Posted on 3/20/2023

Information data security has been a hot topic for the insurance industry in recent years, particularly the development of information security programs (“ISPs”) by insurers, producers, and other insurance licensees. New York was the first state to adopt insurance data security requirements in 2017. Since then, 21 states, including Wisconsin, have adopted some form of insurance data security law, generally mirroring the National Association of Insurance Commissioners Insurance Data Security Model Law (the “Model Law”), which was also promulgated in 2017. Additionally, at least two other jurisdictions have insurance data security laws pending as of November 2022 (Pennsylvania and the District of Columbia).

One of the primary requirements of the New York regulations and the Model Law is that licensees (generally defined as all persons licensed or required to be licensed under the insurance laws of, and domiciled in, the particular state) must create and implement an ISP. Under the Model Law, ISPs are required to:

(1) Protect the security and confidentiality of Nonpublic Information and the security of the Information System;

(2) Protect against any threats or hazards to the security or integrity of Nonpublic Information and the Information System;

(3) Protect against unauthorized access to or use of Nonpublic Information, and minimize the likelihood of harm to any Consumer; and

(4) Define and periodically reevaluate a schedule for retention of Nonpublic Information and a mechanism for its destruction when no longer needed.

Model Law Section 4(B). Licensees must design their ISPs commensurate with the size, complexity, nature, and scope of the licensee’s insurance activities. Model Law Section 4(A).

Unique to New York, any person licensed under New York’s insurance law is required to certify annually that they comply with New York’s ISP requirements. 23 NYCRR 500.17(b). The Model Law, on the other hand, only requires that insurers certify ISP compliance with their domestic state insurance regulator. Under the Model Law, other licensees, such as producers, are not required to make any formal certification. Model Law Section 4(I).

Wisconsin recently enacted 2021 Wisconsin Act 73, which takes a middle-ground approach to ISP certification. Specifically, Wis. Stat. § 601.952(8) requires that any licensee domiciled in Wisconsin annually submit certification of ISP compliance by March 1 of each year. Wisconsin adopted the Model Law definition of licensees noted above, which includes any persons licensed or required to be licensed under Wisconsin’s insurance code that are domiciled in Wisconsin (including insurers, producers, etc.). Wis. Stat. § 601.95(7). Wisconsin is the first state other than New York to require non-insurer licensees to certify ISP compliance.

The Wisconsin Office of the Commissioner of Insurance (OCI) has provided some guidance regarding the annual ISP certification on its website. OCI’s website clarifies that: (1) insurers will complete their certification as part of the insurer’s annual financial submissions; (2) intermediary firms (i.e., business entity producers) must submit the certification form online; and (3) individual producers are not required to submit a certification form based on the presumption that individuals meet the “fewer than 50 employees” exemption under Wis. Stat. § 601.952(9)(a)(3).

Intermediary firms domiciled in Wisconsin may be exempt from the annual cybersecurity certification if the firm meets any of the following criteria: (1) has less than $10 million in year-end total assets; (2) has less than $5 million in gross annual revenue; or (3) has fewer than 50 employees (including independent contractors) who work at least 30 hours per week for the licensee. Wis. Stat. § 601.952(9)(a). Intermediary firms domiciled in Wisconsin may also be exempt from the certification requirements, and the Wisconsin insurance data security laws generally, if the firm maintains an ISP in connection with FINRA requirements, Farm Credit Administration requirements, or HIPAA. Wis. Stat. § 601.951(2).

However, all exempt intermediary firms are still required to make the cybersecurity certification as outlined above by March 1, 2023. According to OCI, the firm will be able to claim the applicable exemption(s) for its business when submitting the form online. OCI has yet to decide if it will require such exempt firms to annually certify to their exemption.

Accordingly, Wisconsin-domiciled intermediary firms are encouraged to consult with regulatory counsel to review the firm’s particular ISP needs and related certification requirements.