Wisconsin Cybersecurity: Inside The New Regulations

Wisconsin's New Cybersecurity Regulations

Wisconsin has become the latest state to adopt the National Association of Insurance Commissioners' (NAIC) model cybersecurity law. Governor Tony Evers signed the new cybersecurity regulation into law on July 15, 2021, and it can be found in the Wisconsin Statutes. The new legislation is designed to protect consumers from the growing risk of cybersecurity threats such as ransomware and data breaches.

Act 73 will help insurance companies better protect personally identifiable information (PII) and protected health information (PHI) from hackers and other online threat actors. Wisconsin joins 15 other states that have adopted the NAIC model cybersecurity legislation. One of the most recent adopters of a similar statute was Iowa, whose law was signed on April 30, 2021.

Other states that have passed new cybersecurity laws recently include Colorado, California, and Virginia. All these laws represent an attempt by state legislatures to get out in front and protect potential victims of cyberattacks. It's imperative for insurance providers in Wisconsin to familiarize themselves with the new law and take steps to become compliant.

What Wisconsin Cybersecurity Law Requires

Wisconsin's new cybersecurity law lays out insurance investigation procedures, standards for data security programs, and notification requirements in the event of a cybersecurity incident. Below, we look at the steps Wisconsin insurers are required to take to be in compliance.

Develop and Implement a Security Program

The first requirement under the new law is that Wisconsin insurers develop and implement a security program containing physical, technical, and administrative safeguards to protect their information systems and private information. According to the new legislation, the security program must take the following into account:

  • The size of the insurance company.
  • The scope and nature of the company's business activities, including the use of third-party service providers.
  • The sensitivity of the data in the company's possession.

The companies are also to carry out a risk assessment and design an adequate security program based on the outcome. The risk assessment will help insurers identify and deal with areas that may put their information systems or consumer data at risk. That way, insurers will be able to create an effective deterrent against unauthorized access to non-public information and protect against security threats.

Implement an Incident Response Plan

Secondly, Wisconsin insurers are required to draft an incident response plan to ensure a quick response to, and recovery from, a cybersecurity incident. The incident response plan must cover any event that compromises the integrity, confidentiality, or availability of private information, the company's IT infrastructure, or company operations. The plan must address the following:

  • The internal processes for responding to a threat.
  • The roles and responsibilities of those responding to a cybersecurity incident.
  • How to remediate the identified vulnerabilities in the information systems.
  • Appraisal and revision of the incident response plan after an attack.

The incident response plan must address specified items and is required to be in writing. In addition to preparing a written incident response plan, Wisconsin insurers are also required to promptly notify all consumers affected by any future data breaches.

Oversight Committee

The third requirement pertains to oversight. Wisconsin's new cybersecurity regulation requires oversight by a company's board of directors or an appropriate committee. Companies will also need to submit an annual report, in writing, to the oversight committee on the overall status of the company's security program and compliance with the Act.

When Does The New Law Come Into Effect?

Act 73 will come into effect on November 1, 2021, which is the beginning of the fourth month from the date of publication. Therefore, the provisions of Wisconsin's new cybersecurity law must be implemented by insurance providers in the state by the first day of November 2022.

From 2023, Wisconsin insurance companies will be required to submit a written certificate of compliance to the Commissioner of Insurance before March 1 every year. The law also mandates insurers to maintain all the data, schedules, and records supporting the certification for a period of five years at the minimum.

Who's In Charge Of Enforcing Wisconsin's New Cybersecurity Law?

Act 73 will be exclusively enforced by the Office of the Commissioner of Insurance (OCI), which also happens to be the investigative authority. In the event of a cybersecurity incident with the potential to harm the consumer or disrupt normal business operations, the Commissioner must be notified within 72 hours. The notice should include the nature of the attack and the number of consumers affected.

Wisconsin's new cybersecurity law gives the Commissioner the power to investigate and examine any insurance provider in the state, determine compliance, and take the necessary steps to enforce its requirements. That being said, the goal of Act 73 is to protect the insured, and compliance is good business. It shouldn't take the threat of legal repercussions for Wisconsin insurers to comply with the new law.

Are There Any Exemptions To Act 73?

Is your company required to comply with the recently enacted Wisconsin cybersecurity law? Well, if you are in the business of selling insurance, it's highly likely that this particular regulation affects you. Anyone licensed by Wisconsin's Office of the Commissioner of Insurance, including insurance companies and agents, is required to be compliant.

However, there are a few exemptions. For instance, companies with fewer than 50 employees, less than $5 million in total yearly revenue, or below $10 million in total year-end assets, are exempt from compliance. Additionally, compliance with the federal Farm Credit Administration, HIPAA, and federal guidelines for depository institutions could also exempt you from Act 73.

Wrapping Up

As technology continues to evolve and advance, individuals and businesses are becoming increasingly dependent on its perks. However, technological advances are accompanied by the concerning reality of cyberthreats. The government — at both the state and federal levels — is taking steps to curtail the proliferation of cyberattacks. Apart from Wisconsin, other states are also enacting new cybersecurity laws.

But it's not just up to the government to take cybersecurity more seriously; companies and private individuals have to step up as well. Having a cybersecurity-focused IT services company such as Orbis Solutions can help you keep your data and information systems secure at all times. Contact us today for cybersecurity solutions in the Las Vegas area.
