Wisconsin-domiciled insurers should be aware of the new law, understand whether it impacts their organization and update their operations to comply accordingly. Compliance with this law will primarily affect the IT function but will have implications throughout insurance organizations.
Wisconsin Act 73 has some additional exemptions compared to the original NAIC Insurance Data Security Model Act promulgated in 2017: licensees who are subject to and maintain nonpublic information in accordance with the HIPAA Privacy Rule are exempt from all but 601.954 (1), notification of an event to the commissioner.
While the law provides certain exemptions, we suggest to our clients that they assess compliance with all aspects of this law, because meeting regulatory expectations through an exemption is not the same as complying with all parts of a regulation. One could expect that, upon notification of a cybersecurity event, the Office of the Commissioner of Insurance would seek to understand how that organization complied with all sections of Act 73 regardless of exemption status. In addition, many of the sections of the law reflect industry-leading practices relating to cybersecurity, the implementation of which would increase an organization’s cybersecurity maturity and preparedness to detect a cybersecurity event, respond to that event and recover normal operations.
We are here to help: we can assist you with a compliance assessment to understand your gaps and remediate issues.