Purpose-built managed security for agencies under the NAIC Insurance Data Security Model Law. A WISP that actually holds up, MFA on every carrier portal, 72-hour breach readiness — and a security advisor who already speaks insurance.
WISP elements covered out of the box
Pre-built breach notification workflow
Carrier portals, email, and admin accounts
Monitoring and incident response coverage
The Reckoning
Your carrier appointments are now your cyber report card.
Three things changed for independent agencies in the past five years, and your business hasn't quite caught up to them yet.
One: the NAIC Insurance Data Security Model Law. Twenty-five-plus states have adopted it, more every legislative session. It requires a written information security program, multi-factor authentication everywhere it counts, vendor due diligence, an incident response plan, and breach notification to your state insurance commissioner within 72 hours. It is not GLBA — it is stricter, faster, and aimed squarely at your operations.
Two: your carriers got serious about cyber. The big national carriers — and most regional ones — now require you to attest to specific cyber controls when you renew your appointment. The questionnaires get longer every year. The answers get checked. Agencies have been deappointed for failing to meet basic controls.
Three: your E&O carrier wants the same things, with teeth. If you can't produce a documented WISP, evidence of MFA, and a tested incident response plan after a breach, your claim is at risk of denial. The endorsement you bought to sleep at night may not pay when it counts.
None of this is hypothetical. Mid-size agencies are paying ransoms in the $200k–$500k range. State AGs are issuing fines. Roll-up acquirers are walking away from diligence over cyber posture. The cost of "we'll get to it" is no longer abstract.
Mapped to the NAIC Model Law
The 10 WISP Elements — Built In, Not Bolted On
Every required element of your Written Information Security Program is delivered as part of our service. No piecemeal projects, no “phase two”.
Written Information Security Program
Documented, sized to your agency, reviewed annually.
Designated Security Officer
Qualified individual responsible for the WISP — we serve as your virtual security officer.
Annual Risk Assessment
Documented, in writing, with remediation tracking.
Access Controls
Role-based access to your AMS, carrier portals, and email — least privilege everywhere.
Encryption of NPI
Data encrypted in transit and at rest. Laptops encrypted by default.
Multi-Factor Authentication
Phishing-resistant MFA on email, AMS, carrier portals, and every admin account.
Vendor Due Diligence
Written contracts and security questionnaires for every third party touching client data.
Incident Response Plan
Documented playbook, tested, with named roles for the 72-hour notification window.
Employee Training
Onboarding + quarterly refresher, plus phishing simulation campaigns measured over time.
72-Hour Breach Notification
Pre-built notification workflow to meet the regulator deadline without scrambling.
Not sure which elements you're missing today?
Get a Free WISP Readiness Check
What Actually Hits Agencies
Five Threats Every Principal Should Lose Sleep Over
Not theoretical scenarios from a vendor deck — the attacks playing out across agencies right now.
Business Email Compromise (BEC)
The #1 financial loss vector for agencies
Attackers intercept agent–carrier communications and redirect premium payments, commission checks, or claim disbursements. The FBI consistently flags insurance among the top BEC targets every year. One intercepted email can cost you a six-figure commission run.
Ransomware Locking Your AMS
Can shut down the agency for days
When your Applied Epic, AMS360, or Hawksoft instance is encrypted, you can't write new business, can't service existing clients, and can't issue certificates. Mid-size agencies have paid $200k–$500k ransoms in the past two years — and that's before the regulator gets involved.
Carrier Portal Credential Theft
Mass NPI exposure
Phishing your agents for carrier portal credentials lets attackers steal client policy data — SSNs, drivers' licences, medical info, financials — across hundreds of clients in minutes. That data feeds dark-web markets for years.
Wholesaler / Vendor Chain Attacks
Reputation contagion
An attacker who compromises a wholesale broker or surplus lines wholesaler downstream from you can pivot into your agency. Vendor due diligence is a NAIC requirement — and a survival tactic.
Insider Error & Misdelivery
The boring breach that triggers notification
Most reportable incidents aren't sophisticated attacks — they're an employee emailing a policy file to the wrong client. Without DLP, access controls, and training, this happens monthly.
Sound Familiar?
The Things Keeping Agency Principals Up at Night
Eight conversations we've had with agency owners in the past 90 days. If any of these sound like your inbox or your last partners' meeting, you're not alone.
E&O renewal anxiety
“Our E&O carrier sent us a 17-page cyber questionnaire and I have no idea how to answer half of it.”
Carrier deappointment risk
“Our biggest carrier added a new cyber attestation to the appointment review and we're not sure we'd pass.”
BEC near-miss
“Someone almost wired $43,000 to a fake supplier last month — the email looked exactly right.”
Regulatory uncertainty
“I keep hearing about the NAIC Model Law in our state but no one can tell me what to actually do.”
Local-IT gap
“Our IT guy is great with the network but he can't explain what's in our written information security program.”
Diligence pressure
“We're starting to talk to a roll-up buyer and they're asking for cyber documentation we don't have.”
AMS reliability fears
“Our Applied Epic instance went down for 36 hours last quarter and we still don't know why.”
Ransomware in the rearview
“I read about a 12-person agency two states over paying a $250k ransom. I don't sleep great anymore.”
We Speak Agency
No translator required.
Most MSSPs make you explain how an agency works before they can secure it. We start with the workflows: producer-to-carrier, agent-to-client, the chain from the AMS to the carrier portal to the wholesaler. We know how an E&O renewal questionnaire reads and what it actually wants. We know which carrier portals finally enforced MFA last quarter and which still don't.
That fluency matters because the controls that look reasonable on paper are often the ones that actually break your team's workflow. Our defaults are tuned for how agencies actually run — not how a Fortune 500 IT department imagines they should.
Talk to someone who gets it
AMS Platforms We Work With
Carrier Portals & Tools
Travelers Agent Portal · Chubb · Liberty Mutual · Nationwide · Hartford · Progressive · Safeco · Erie · Auto-Owners · Cincinnati · regional carriers · surplus lines wholesalers (RPS, Burns & Wilcox, AmWINS) · IVANS Connect · Tarmika · Trellis.
Is Your State In?
States That Have Adopted the NAIC Model Law
If you operate in any of these states, the requirements are already on you. If you're not on the list yet, adoption is almost certainly coming.
Adoption list as of 2026 and updated periodically. Some states adopt the model in modified form; we map your specific state's version to your WISP during onboarding. Not legal advice — consult your insurance regulatory counsel for state-specific obligations.
Right-Sized For Your Agency
Three Plans That Fit How Agencies Actually Buy
Month-to-month. No setup fees. No multi-year contracts.
Solo / Sub-10 Producers
Essential
$375/mo
- Endpoint protection (EDR)
- Email security + MFA enforcement
- M365 / Google Workspace backup
- Quarterly security training
10–25 Producers
Business Plus
$799/mo
- Everything in Essential
- WISP build + annual review
- 24/7 monitoring & incident response
- Vendor due-diligence support
- Quarterly phishing simulations
- 72-hour breach response playbook
25–50+ / Wholesale
Complete
$1,399/mo
- Everything in Business Plus
- Virtual CISO support (quarterly principal review)
- Carrier-questionnaire response prep
- Roll-up diligence readiness package
- Phishing-resistant MFA (security keys)
Multi-location agencies and wholesale brokers — contact us for custom pricing.
Quick Answers
What Agency Principals Actually Search For
The questions we get asked most often — and the search queries that lead agency owners to our door. Plain-English answers, no jargon.
What is the NAIC Insurance Data Security Model Law?
A model law published by the National Association of Insurance Commissioners (NAIC) that requires licensed insurance entities — including independent agencies and brokers — to build and maintain a written information security program (WISP), perform annual risk assessments, enforce multi-factor authentication, conduct vendor due diligence, document an incident response plan, and notify the state insurance commissioner of any cybersecurity event within 72 hours. As of 2026, 25+ states have adopted it in some form.
What does a WISP for an insurance agency need to include?
Ten elements: a written program document, a designated qualified individual (security officer), an annual documented risk assessment, access controls and identity management, encryption of non-public information (NPI) in transit and at rest, multi-factor authentication on all systems holding NPI, written vendor due diligence and contracts, an incident response plan, ongoing employee security training, and the breach notification workflow to meet your state's 72-hour clock.
Does my insurance agency need MFA on Applied Epic / AMS360 / Hawksoft / EZLynx?
Yes. The NAIC Model Law explicitly requires MFA for any individual accessing information systems containing non-public information — which is every agency management system in use today. The same applies to carrier portals, M365 / Google Workspace, and any third-party tool storing client data.
Who counts as a Qualified Individual under the NAIC Model Law?
A named, accountable person responsible for overseeing the agency's information security program. For most independent agencies, this role is outsourced to a managed security partner that acts as the virtual security officer — building and maintaining the WISP, reporting to the principal, and signing off on the annual compliance certification.
What's the difference between the GLBA Safeguards Rule and the NAIC Model Law?
GLBA Safeguards (federal, FTC-enforced) is the baseline data-protection requirement for financial institutions, including insurance. The NAIC Model Law (state-by-state adoption) is stricter and insurance-specific: it adds mandatory MFA, 72-hour breach notification to the state commissioner, annual compliance certification, and explicit vendor due diligence. If your state has adopted the Model Law, you must satisfy both.
What happens if my agency has a breach and isn't compliant?
Three layers of fallout: (1) state-level fines up to $10,000 per violation in most NAIC-aligned states plus state attorney general action; (2) loss of carrier appointments — carriers increasingly require attestation to cyber controls and will deappoint after a breach if the controls weren't in place; (3) E&O claim denial — your professional-liability carrier may refuse to pay a breach claim if you can't produce a compliant WISP and evidence of the controls you attested to on renewal.
How much does cybersecurity for an independent insurance agency typically cost?
For a 10–25 producer agency, expect $800–$1,500/month for ongoing managed security including the WISP build, MFA enforcement, EDR on all devices, email security, 24/7 monitoring, and incident response. Smaller agencies (under 10 producers) sit at $375–$600/month. Wholesale brokers and specialty firms with higher complexity typically land in the $1,500–$3,000/month range.
What is a carrier appointment cybersecurity questionnaire and how do I answer it?
Most national carriers (Travelers, Chubb, Liberty Mutual, Hartford, Nationwide, etc.) now include a cyber-controls attestation in their annual appointment review. They ask about MFA, encryption, backup procedures, training programs, vendor controls, and incident response. The questions get longer every year and the answers get verified. We pre-build standard responses mapped to your actual environment so you can complete each carrier's form in under an hour instead of three days.
Can a buyer in an agency acquisition reject us over weak cybersecurity?
Yes — and this is now common. Hub International, Acrisure, BroadStreet Partners, Patriot Growth, and most other roll-up acquirers run cyber-posture diligence as part of their standard checklist. Findings include lack of a WISP, no MFA on AMS / carrier portals, no documented vendor due diligence, and no tested incident response plan. We've seen multiples adjusted downward and deals walked over each of these.
What is non-public information (NPI) in an insurance agency context?
Under the NAIC Model Law, NPI includes any information identifying a consumer that's not publicly available — Social Security numbers, driver's licence numbers, financial account information, medical/health information collected for policy underwriting, claim history, beneficiary details, and biometric data. Effectively every client record in your AMS contains NPI.
What's the 72-hour breach notification clock and when does it start?
Under the NAIC Model Law, you must notify your state insurance commissioner within 72 hours of determining that a cybersecurity event affecting NPI has occurred. The clock starts at determination, not at attack. Most agencies aren't equipped to investigate, scope, and report inside 72 hours without a pre-built playbook — which is one of the reasons the requirement was written that way.
Do small insurance agencies (under 10 employees) need to comply?
Depends on your state's specific version. Some states include exemptions for agencies with fewer than 10 employees or under a revenue threshold. Many states do not exempt small agencies, and several use 'handles consumer NPI' as the trigger — which every agency does. Even where the exemption applies, your carriers and E&O insurer often require similar controls regardless.
Honest Answers
What Principals Actually Ask Us
We have GLBA covered — isn't that enough?
GLBA Safeguards is the federal floor. The NAIC Insurance Data Security Model Law is stricter, with 72-hour breach notification, mandatory MFA, and annual compliance certification to your state insurance commissioner. If your state has adopted it, GLBA alone is no longer sufficient.
Our AMS provider handles security, right?
They handle their platform. Your client data, your employee devices, your email tenant, your vendor chain, and your written WISP are all your responsibility — and your liability. Applied Systems even had a data exposure incident in 2022 affecting agency client data.
Our E&O policy will cover any breach claim.
Not if you can't produce a compliant WISP, documented MFA, and a tested incident response plan. E&O carriers are increasingly denying claims where the agency couldn't demonstrate the controls they attested to on renewal. Your cyber endorsement has teeth — and exclusions.
We're under 10 employees — we're exempt.
Some states exempt under-10 agencies; many do not. And the trigger in several states is any handling of consumer NPI, not headcount. If you write personal lines, you handle NPI — and the exemption is shrinking with every new state adoption.
Our state hasn't adopted the Model Law yet.
It's almost certainly coming. 25+ states have already adopted, with more in the legislative pipeline. Once your state adopts, you typically have 12 months to comply — and an under-resourced regulator looking for an early example. Better to be ready than retroactive.
Our local IT MSP can do this.
Most local MSPs are excellent at IT operations but unfamiliar with insurance regulatory requirements. The NAIC Model Law specifies controls — MFA, encryption, vendor due diligence, breach notification — that require ongoing security operations, not just helpdesk. Ask your MSP to walk through each of the 10 WISP elements and show evidence.
Thinking About Selling?
Roll-up acquirers are walking away from agencies with weak cyber.
Whether it's Hub International, Acrisure, BroadStreet, Patriot, or any of the other PE-backed acquirers, cyber-posture diligence is now part of every deal. A documented WISP, evidence of MFA, vendor due-diligence files, and a tested incident response plan don't just protect your agency — they protect your multiple. We build all of it as part of our service, and we'll happily sit in the diligence call with you.
Dig Deeper
Agency-specific reading.
The NAIC Model Law — a plain-English guide for agencies
All 10 required WISP elements, the 72-hour breach clock, enforcement teeth, and who is and isn't exempt.
Business Email Compromise — the $50B threat targeting agencies
BEC is the top cyber threat to insurance agencies. The 6 attacker playbooks and the controls that stop them.
Third-Party Risk: Why your AMS provider and carrier portals are your biggest blind spot
NAIC requires written vendor due diligence. Learn how to tier your vendors, what to put in contracts, and the 8 questions to ask any critical supplier.
See exactly where you stand.
Book a free 30-minute WISP readiness check. We'll walk through the 10 NAIC elements with you, flag what's missing, and give you a plain-English plan to close the gaps — whether or not you ever work with us.