Michigan Sets Cybersecurity Standard for State Insurance Industry

For the past year, Michigan law has required insurers doing business in the state to put the cybersecurity needs of their customers first. By adopting a version of the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law, the state became the fifth in the nation to prioritize consumers’ personal security.

Michigan Responds to Cyber-Attacks on Insurance Industry

In 2018, the National Association of Insurance Commissioners (NAIC) responded to an apparent increase in cyber-attacks against industry websites. Those attacks hurt consumers and economically impacted public and private sector insurers, prompting swift action. The NAIC created and approved the Insurance Data Security Model Law and distributed it to the state legislatures for consideration.

Michigan responded to the call. On December 27, 2018, then-Governor Rick Snyder signed the Michigan version of the Model Law, Michigan House Bill 6491. The Michigan Act adds industry-specific requirements for licensed insurance providers in the state over and above both the state’s general cybersecurity requirements and the federal consumer protection laws.  

Requirements for Insurance Industry Cybersecurity

Under the new law, which went into effect earlier this year, licensed insurance providers are held to a higher standard when it comes to cybersecurity attacks. The new standard safeguards consumers’ private information to prevent identity theft. It requires them to:

  • Create and implement a comprehensive information security program including administrative, technical, and physical safeguards
  • Perform a risk assessment to determine how to implement protections including multi-factor authentication, penetration testing, and encrypted data
  • Prepare a formal cybersecurity incident response plan
  • Hold third-party service providers to account for their own information security measures by January 20, 2023
  • Report every data breach to the Superintendent within 10 business days of the cybersecurity breach

What the Insurance-Industry Cybersecurity Standards Mean for Consumers

Michigan residents may be happy to hear that their private personal information is protected, but the new standards aren’t exactly a tool for consumers. The law expressly says customers cannot sue their insurers if they violate the standards. However, it does require licensed insurers to notify customers of any cybersecurity event that could cause “substantial loss or injury” or identity theft “without unreasonable delay.” These notices must:

  • Be sent in writing and electronically or by telephone (with some exceptions)
  • Include notice to nationwide credit agencies anytime the data breach affects more than 1,000 residents

Provisio Technology Solutions Help Insurers Comply with the New Standards

The Michigan insurance cybersecurity standards apply to any licensed insurer with at least 25 employees (including independent contractors). That means that everyone from local franchise owners to large industry leaders is scrambling to put the necessary standards in place.

At Provisio Technology Solutions, our web developers understand the new law, and what it takes to create meaningful cybersecurity protections for your customers. We can help you perform the required risk assessment and develop comprehensive information security programs and cybersecurity event response plans. Then we can update your website’s infrastructure and security protocols to ensure that your customer portal or payment options aren’t opening you up to cyber-attacks and regulatory trouble.

But cybersecurity doesn’t stop at the computer. The new law also requires physical and administrative processes that are designed with security in mind. We will work with your staff to train them in cybersecurity best practices and help them to implement your new plan. We can also perform audits of your existing cybersecurity processes to see where you might be falling short.

The new law may have been passed at the end of 2018, but it goes into effect January 20, 2021. That gives insurers 1 year to put these additional protections in place, and makes now the perfect time to meet with our developers and get the risk assessment underway. If you are a licensed insurer, contact us today to set up a free consultation.