[co-author: James O'Reilly*]
Over half of US states require annual compliance certifications from insurance providers. While the filing time frames for this year draw to a close, companies may want to keep them in mind not only for next year, but as a reminder of the information security programs that are expected to be in place.
When we last wrote about this, in 2021, only nine states (Alabama, Delaware, Louisiana, Michigan, Mississippi, New Hampshire, Ohio, South Carolina, and Virginia) had adopted certification obligations. Since then, 17 more states have followed suit, adopting the Insurance Data Security Model law (from which the obligations stem). These states are Alaska, Connecticut, Hawaii, Illinois, Indiana, Iowa, Kentucky, Maine, Maryland, Minnesota, North Dakota, Oklahoma, Pennsylvania, Rhode Island, Tennessee, Vermont, and Wisconsin. Additionally, while New York has not adopted the NAIC model law, it imposes a similar annual filing requirement.
Filing deadlines are set out below:
Those who might need to certify are those registered under the various state insurance laws. This includes insurance companies and insurance professionals, like agents and brokers. When making their filing, covered entities must certify that they have an Information Security Program in place. That program must include risk management and incident response procedures, as well as board oversight. Certification records and supporting materials need to be retained for five years after submission.
*James O'Reilly is a Cybersecurity and Privacy Fellow in the firm’s Chicago office.
Putting it Into Practice: Those with insurance certification obligations should keep in mind the varying filing deadlines, as well as the accompanying obligations like having a compliant information security program in place.
