
The NAIC Insurance Data Security Model Law — A Plain-English Guide

25+ states have adopted it. More are following. Here's what your agency must do, who's exempt, and what happens if you're not ready when your state's deadline arrives.

The National Association of Insurance Commissioners (NAIC) adopted the Insurance Data Security Model Law in 2017. It sets out specific cybersecurity requirements for any "licensee" — which includes carriers, but also independent agencies, producers, brokers, and adjusters — that handles consumer non-public information.

The Model Law isn't federal. Each state must adopt it (often with modifications) for it to apply. As of 2025, more than 25 states have adopted versions of it, with more states queued up. If your agency operates in any adopted state, the requirements apply to you.

Who Is Covered

In practice, virtually every independent agency handling consumer policies is covered. Specific state thresholds vary, but typical applicability triggers include:

  • Operating in any state that has adopted the Model Law
  • Holding a state insurance licence as an agency, producer, broker, or adjuster
  • Handling consumer non-public information (NPI), which covers nearly all policy data, applications, and claims

Some states have employee-count or revenue thresholds for small-agency exemptions — but those exemptions are narrower than most agencies assume, and the trend is toward narrowing them further.

States That Have Adopted

As of recent NAIC tracking, states that have adopted the Model Law (in modified or substantially similar form) include:

Alabama
Alaska
Connecticut
Delaware
Hawaii
Idaho
Indiana
Iowa
Kentucky
Louisiana
Maine
Michigan
Minnesota
Mississippi
New Hampshire
North Carolina
North Dakota
Ohio
Rhode Island
South Carolina
Tennessee
Vermont
Virginia
Wisconsin

State adoption changes regularly. Confirm with your state department of insurance for the current list and any state-specific modifications.

What Your WISP Must Contain

The Model Law requires a written information security programme that covers the following elements. Specific requirements vary state-to-state (some states omit certain elements; others add their own), but the core is consistent.

1. Written Information Security Programme (WISP)
Documented, board- or owner-approved, and commensurate with the size and complexity of the agency, the nature of its activities, and the sensitivity of the NPI it holds.

2. Risk assessment
Documented evaluation of internal and external threats to NPI and of whether the controls in place are sufficient to manage them. The Model Law requires the assessment to be kept current; in practice that means refreshing it at least annually.

3. Designated responsible person (often called the Qualified Individual)
A named person responsible for the security programme: owner, principal, COO, or an outsourced partner. The term "Qualified Individual" comes from the FTC Safeguards Rule rather than the Model Law text, which simply requires the licensee to designate an employee, affiliate, or outside vendor responsible for the programme.

4. Access controls and authentication
Least-privilege access, named accounts (no shared logins), and authentication standards including MFA for any remote or administrative access to NPI.

5. Encryption of NPI
Encryption in transit and at rest for client policy data, applications, and any other NPI the agency holds, including NPI on laptops and other portable devices.

6. Vendor / third-party due diligence
Due diligence in selecting service providers, written contracts requiring them to maintain appropriate safeguards, and periodic review.

7. Incident response plan
Written, tested plan for detecting, investigating, and containing cybersecurity events, plus internal communications protocols and external notification steps.

8. Employee training programme
Annual security awareness training plus ongoing reinforcement (phishing simulations, periodic updates).

9. 72-hour breach notification
Notification to the state insurance commissioner as promptly as possible, and no later than 72 hours after determining that a cybersecurity event has occurred.

10. Annual certification of compliance
Written statement to the insurance commissioner attesting that the programme has been implemented. In the NAIC text this duty falls on insurers domiciled in the state; whether agencies and producers must also file depends on the state's version, so check yours.

Exemptions — Read Carefully

Most adopted states include limited exemptions. Common ones:

  • Agencies with fewer than a stated number of employees (often 10 or 25, varies by state)
  • Agencies below a stated annual revenue threshold (often $5M, varies by state)
  • Producers covered under a HIPAA-compliant entity's programme
  • Producers operating under another licensee's WISP umbrella (with documentation)

Two warnings about exemptions. First, they apply to the substantive WISP requirements; the investigation and breach-notification obligations typically still apply to exempt agencies. Second, exemption thresholds are being lowered or removed in newer state adoptions, so don't assume yesterday's exemption holds tomorrow.

The 72-Hour Clock

If a cybersecurity event occurs, you must notify the state insurance commissioner as promptly as possible and no later than 72 hours after determining that the event has occurred. Under the NAIC text the duty is triggered when the state is your home state (state of domicile for an insurer), or when the event involves the NPI of 250 or more consumers in that state and either must be reported to another government or regulatory body or is reasonably likely to materially harm consumers or your operations. Some states require notification to other regulators or to affected consumers in parallel, and consumer notice under the state's general breach law still applies.

Practical takeaway: 72 hours sounds long until you are actually in an incident. Forensics take days. Determining scope takes days. The clock runs from the determination that an event occurred, not from containment or the end of the investigation, so the initial notice is usually partial and the Model Law imposes a continuing duty to update and supplement it. That clock rewards agencies that have already engaged a forensic firm, identified their breach counsel, and mapped their notification obligations before something happens.

What Happens if You're Not Compliant

Three layers of fallout:

1. State enforcement. Penalties of up to $10,000 per violation in many adopted states, plus state attorney general action. Repeat violations and large breaches attract bigger numbers.

2. Loss of carrier appointments. Carriers increasingly require agencies to attest to specific cyber controls (MFA, EDR, training, WISP). Misrepresentation on that attestation, or a breach that exposes the misrepresentation, can result in the carrier terminating the appointment. Without carriers, an agency has nothing to sell.

3. E&O claim denial. Your professional-liability policy almost certainly requires you to maintain reasonable cyber controls. If a breach occurs and you cannot produce a compliant WISP, your E&O insurer may deny the claim.

What to Do Now

If your state has adopted the Model Law (or is about to), the playbook is straightforward:

  • Confirm whether your state's adoption applies to your agency size and structure
  • Designate a Qualified Individual in writing
  • Conduct (or refresh) a written risk assessment
  • Build or update your WISP to cover the required elements
  • Roll out MFA on email, AMS, carrier portals, and admin accounts immediately if not already in place
  • Document vendor due diligence on your AMS, CRM, and any third party touching client NPI
  • Run security awareness training and a baseline phishing simulation
  • Tabletop your incident-response plan with the principal and operations lead

The Bottom Line

The Model Law isn't hypothetical. It's adopted, it's being enforced, and it's spreading. Agencies that wait for their state to publish a deadline before starting are agencies that pay rush-job prices to come into compliance — and risk a breach in the gap.

For specific applicability and current state status, consult qualified legal counsel and your state department of insurance. This article is general information, not legal advice.

