Ready or Not: New Wisconsin Cybersecurity Law—Act 73—Imposes Cybersecurity Requirements on Insurance Providers

July 16, 2021
Molly Arranz
SmithAmundsen Data Privacy & Security Alert

In reaction to the continued uptick in high-profile data incidents, yesterday, Wisconsin Governor Evers signed into law Act 73, a law establishing cybersecurity requirements for the insurance industry’s protection of data collected. With a stroke of a pen, Wisconsin joins the growing number of states imposing cybersecurity regulations on insurance providers.

Insurance Commissioner Mark Afable explained that these new protections “will help protect personal data and keep Wisconsin Insurance companies secure.” This continued wave of cyber-hygiene requirements is no surprise. Years ago, the National Association of Insurance Commissioners (the NAIC) created its model rule in the hopes that all 50 states would have laws similar to Wisconsin Act 73 in place.

Wisconsin’s new law protects “nonpublic information” collected and processed by insurers. In order to comply, insurers are required to complete a risk assessment and utilize the results to tailor and create an information security program. Additionally, licensees must implement a comprehensive incident response plan, in the event of a cybersecurity event, and map out how they will provide notice in a timely fashion to those consumers affected. The law also requires licensees to exercise appropriate diligence in selecting their third-party service providers.

Licensees have a year to conduct a risk assessment and to address the vulnerabilities and risks identified. There are also exceptions to the application of this new law. However, threat actors remain on the offensive every day, so time is of the essence. Plus, the law empowers the Office of the Commissioner of Insurance to examine and investigate the affairs of a licensee to determine violations of the requirements. Therefore, it remains a best practice for all insurance providers to take these steps and remain committed to protecting the personal information of consumers.

Now is the time for insurance companies to implement or assess their cybersecurity plans and review their compliance checklists, to get in line.