ARTICLE
16 April 2025

Insurance Cybersecurity Certifications: An (Updated) State Roundup

Sheppard Mullin Richter & Hampton

Contributor

Sheppard Mullin is a full service Global 100 firm with over 1,000 attorneys in 16 offices located in the United States, Europe and Asia. Since 1927, companies have turned to Sheppard Mullin to handle corporate and technology matters, high stakes litigation and complex financial transactions. In the US, the firm’s clients include more than half of the Fortune 100.

Over half of US states require annual compliance certifications from insurance providers. While the filing time frames for this year draw to a close, companies may want to keep them in mind not only for next year, but as a reminder of the information security programs that are expected to be in place.

When we last wrote about this, in 2021, only nine states (Alabama, Delaware, Louisiana, Michigan, Mississippi, New Hampshire, Ohio, South Carolina, and Virginia) had adopted certification obligations. Since then, 17 more states have followed suit, adopting the Insurance Data Security Model law (from which the obligations stem). These states are Alaska, Connecticut, Hawaii, Illinois, Indiana, Iowa, Kentucky, Maine, Maryland, Minnesota, North Dakota, Oklahoma, Pennsylvania, Rhode Island, Tennessee, Vermont, and Wisconsin. Additionally, while New York has not adopted the NAIC model law, it imposes a similar annual filing requirement.

Filing deadlines are set out below:

February 15: Alabama, Alaska, Delaware, Kentucky, Louisiana, Michigan, Mississippi, Ohio, South Carolina, Virginia
March 1: New Hampshire, Wisconsin
March 31: Hawaii
April 15: Connecticut, Illinois, Indiana, Iowa, Maine, Maryland, Minnesota, New York, North Dakota, Oklahoma, Pennsylvania, Rhode Island, Tennessee, Vermont


The entities that may need to certify are those registered under the various state insurance laws, including insurance companies and insurance professionals such as agents and brokers. When making their filing, covered entities must certify that they have an Information Security Program in place. That program must include risk management and incident response procedures, as well as board oversight. Certification records and supporting materials must be retained for five years after submission.

Putting it Into Practice: Those with insurance certification obligations should keep in mind the varying filing deadlines, as well as the accompanying obligations like having a compliant information security program in place.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
