Wisconsin has become the latest state to adopt the National Association of Insurance Commissioner's (NAIC) model of cybersecurity law. Governor Tony Evers signed the new cybersecurity regulation into law on July 15, 2021, and it can be found in the Wisconsin Statutes. The new legislation is designed to protect consumers from the growing risk of cybersecurity threats such as ransomware and data breaches.
Act 73 will help insurance companies better protect personally identifiable information (PII) and protected health information (PHI) from hackers and other online threat actors. Wisconsin joins 15 other states that have adopted the NAIC model cybersecurity legislation. One of the most recent adopters of a similar statute was Iowa, which was signed into law on April 30, 2021.
Other states that have passed new cybersecurity laws recently include Colorado, California, and Virginia. All these laws represent an attempt by state legislatures to get out in front and protect potential victims of cyberattacks. It's imperative for insurance providers in Wisconsin to familiarize themselves with the new law and take steps to become compliant.
Wisconsin's new cybersecurity law lays out insurance investigation procedures, standards for the data security programs, and notification requirements in the event of a cybersecurity incident. Below, we look at the steps Wisconsin insurers are required to take to be in compliance.
Develop and Implement a Security Program
Under the new law, Wisconsin insurers are required to develop and implement a security program containing physical, technical, and administrative safeguards to protect their information systems and private information. This is the first requirement. According to the new legislation, the security program must take the following into account:
The companies are also to carry out a risk assessment and design an adequate security program based on the outcome. The risk assessment will help insurers identify and deal with areas that may put their information systems or consumer data at risk. That way, insurers will be able to create an effective deterrent against unauthorized access to non-public information and protect against security threats.
Implement an Incident Response Plan
Secondly, Wisconsin insurers are required to draft an incident response plan to ensure a quick response — and recovery — from a cybersecurity incident. The incident response plan must cover any event that compromises the integrity, confidentiality, or the availability of private information, the company's IT infrastructure, or company operations. The plan must address the following:
The incident response plan must address specified items and is required to be in writing. In addition to preparing a written incident response plan, Wisconsin insurers are also required to notify all consumers affected by any future data breaches promptly.
Oversight Committee
The third requirement pertains to matters oversight. Wisconsin's new cybersecurity regulation requires oversight by a company's board of directors or an appropriate committee. Companies will also need to submit an annual report, in writing, to the oversight committee vis-à-vis the overall status of the company's security program and compliance with the Act.
Act 73 will come into effect on November 1, 2021, which is the beginning of the fourth month from the date of publication. Therefore, the provisions of Wisconsin's new cybersecurity law must be implemented by insurance providers in the state by the first day of November 2022.
From 2023, Wisconsin insurance companies will be required to submit a written certificate of compliance to the Commissioner of Insurance before March 1 every year. The law also mandates insurers to maintain all the data, schedules, and records supporting the certification for a period of five years at the minimum.
Act 73 will be exclusively enforced by the Office of the Commissioner of Insurance (OCI), which also happens to be the investigative authority. In the event of a cybersecurity incident with the potential to harm the consumer or disrupt normal business operations, the Commissioner must be notified within 72 hours. The notice should include the nature of the attack and the number of consumers affected.
Wisconsin's new cybersecurity law gives the Commissioner the power to investigate and examine any insurance provider in the state, determine compliance, and take the necessary steps to enforce its requirements. That being said, the goal of Act 73 is to protect the insured, and compliance is good business. It shouldn't take the threat of legal repercussions for Wisconsin insurers to comply with the new law.
Is your company required to comply with the recently enacted Wisconsin cybersecurity law? Well, if you are in the business of selling insurance, it's highly likely that this particular regulation affects you. Anyone licensed by Wisconsin's Office of the Commissioner of Insurance, including insurance companies and agents, is required to be compliant.
However, there are a few exemptions. For instance, companies with fewer than 50 employees, less than $5 million in total yearly revenue, or below $10 million in total year-end assets, are exempt from compliance. Additionally, compliance with the federal Farm Credit Administration, HIPAA, and federal guidelines for depository institutions could also exempt you from Act 73.
As technology continues to evolve and advance, individuals and businesses are becoming increasingly dependent on its perks. However, technological advances are accompanied by the concerning reality of cyberthreats. The government — at both the state and federal levels — is taking steps to curtail the proliferation of cyberattacks. Apart from Wisconsin, other states are also enacting new cybersecurity laws.
But it's not just up to the government to take cybersecurity more seriously, companies and private individuals have to step up as well. Having a cybersecurity-focused IT services company such as Orbis Solutions can help you keep your data and information systems secure at all times. Contact us today for cybersecurity solutions in the Las Vegas area.
Get the clarity your Las Vegas organization needs to get your IT back on track. Completely risk-free, with no-obligation.
