Insurance Cybersecurity Certifications: A State Roundup
Many states require insurance providers registered to do business in their states to complete annual certifications of compliance. The deadline in New Hampshire is coming up on March 1. The deadlines in Alabama, Delaware, Louisiana, Michigan, Mississippi, Ohio, and South Carolina were February 15. (The deadline under Virginia's new law will also be February 15, starting in 2023.) The deadline in Indiana and New York is April 15.
This certification requirement comes from the Insurance Data Security Model Law adopted by the National Association of Insurance Commissioners (NAIC). That model law, and the states that have enacted it, require insurers not only to have information security programs in place, but also to attest to their compliance. There are some exemptions, including for licensees with fewer than ten employees, licensees that are subject to and in compliance with HIPAA requirements, and employees, agents, and representatives of licensees who are covered by the licensee's program. As part of the certification process, companies typically need to submit written confirmation that they comply with the law, and thus have, among other things:
A comprehensive written information security program commensurate with the company’s size and complexity
A written incident response plan
Appropriate oversight by the company’s board of directors
Once a certification is submitted, companies must retain the records and data supporting it. In most states that retention period is five years.
Putting it Into Practice: When fulfilling certification obligations, companies should keep in mind the underlying requirements to which they are certifying; the attestation is only as sound as the program, incident response plan, and board oversight behind it. Certification season is a good time to take stock of ongoing compliance obligations and the efforts supporting them.