Industry Compliance Guide

Insurance Agency Compliance

NAIC Model Law and Pennsylvania Act 2 of 2023 cybersecurity requirements for insurance agencies, brokers, and carriers.

What’s at stake: Pennsylvania adopted the NAIC Insurance Data Security Model Law as Act 2 of 2023. A WISP, annual risk assessment, and 5-business-day cybersecurity event notification are required. First annual certifications were due April 15, 2026.

Regulations That Apply

Regulation | What It Covers
NAIC Model Law #668 | Insurance Data Security Model Law; adopted in 25+ states
PA Act 2 of 2023 | Pennsylvania Insurance Data Security Act; effective Dec 11, 2023
GLBA safeguards requirements | Insurance entities are GLBA financial institutions; for state-regulated insurers and producers the safeguards obligations are enforced by the state insurance regulator rather than under the FTC's Safeguards Rule
HIPAA | Applies to health insurers as covered entities (and to agencies handling PHI on their behalf)
State DOI rules | State-specific licensing and data security requirements
NYDFS 23 NYCRR 500 | If licensed in New York; Second Amendment requirements phased in through Nov 1, 2025

What You Need In Place

  • Written Information Security Program
  • Annual risk assessment
  • Designated qualified individual
  • Third-party service provider oversight
  • Multi-factor authentication on systems holding nonpublic information (NPI)
  • Encryption of customer data
  • 5-business-day cybersecurity event notification to the Commissioner
  • Annual certification of compliance

Common Threats In This Sector

Independent agencies and producers sit at the intersection of carrier portals, commission flow, and client PII. Each of those is a distinct attack surface.

  • Business email compromise targeting commission payouts and producer-of-record changes
  • Phishing impersonating carrier portals and underwriting systems
  • Ransomware against agency management systems (AMS360, Applied Epic, EZLynx, HawkSoft)
  • Health insurance lines: PHI exposure subject to HIPAA in addition to NAIC requirements
  • Cyber insurance application data exposure: applications describe the insured's security controls and known gaps, which makes them a real exfiltration target
  • Third-party MGA or wholesaler compromise reaching the agency’s book of business

Documentation You’ll Be Asked For

The NAIC Insurance Data Security Model Law (Model #668) is now adopted by 25+ states. State Departments of Insurance examine against it, and carriers increasingly require evidence of compliance before binding new producer appointments.

  • Written information-security program meeting the NAIC Model Law (or NYDFS 23 NYCRR Part 500 in New York)
  • Designated Qualified Individual or person responsible for the security program
  • Annual risk assessment
  • Third-party service provider oversight documentation
  • Incident response plan with state-specific cybersecurity event notification timelines (72 hours under the NAIC model text and NYDFS Part 500; 5 business days to the Commissioner under Pennsylvania Act 2)
  • Producer access management showing onboarding and offboarding procedures
  • HIPAA documentation set if the agency writes health, dental, or vision lines

Where Most Small Agencies Fall Short

NAIC adoption has been gradual, so requirements vary by state of licensure. The patchwork is itself a problem — an agency licensed in multiple states often has obligations it hasn’t mapped.

  • NAIC Model Law obligations in licensed states are not mapped or tracked
  • No formal written information-security program
  • MFA missing on the agency management system and on carrier portals
  • No documented state-by-state cybersecurity event notification workflow
  • Producer offboarding does not actually revoke carrier-portal access
  • No vendor security review for cloud-hosted AMS or document-management providers
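The state-by-state notification workflow is the gap that bites multi-state agencies hardest, because the clocks run differently: the NAIC model text counts 72 calendar hours while Pennsylvania counts 5 business days, so a Friday-afternoon determination lands on different days under each. The following deadline calculator is an added example written for this guide, not CGetty's tooling or any regulator's. It models only the two clocks the page states (NAIC model text and PA Act 2); the rule table, the `fromisoformat` string interface and the weekend-only business-day rule (no holiday calendar) are assumptions, and the choice to keep the same time of day on the last business day is a deliberately conservative reading.

```python
"""Cybersecurity-event notification deadline calculator (added example).

Assumptions (not from the page): rules are keyed by a short code, business
days are Mon-Fri with no holiday calendar, and deadlines are computed at the
same clock time as the determination, which is the conservative reading.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class NotificationRule:
    regulator: str
    hours: Optional[int] = None          # calendar-hour clock
    business_days: Optional[int] = None  # business-day clock

    def __post_init__(self) -> None:
        if (self.hours is None) == (self.business_days is None):
            raise ValueError("rule must set exactly one of hours/business_days")


# Only the two clocks the guide states are modeled; other states are assumptions
# an agency must map itself.
RULES: Dict[str, NotificationRule] = {
    "NAIC_MODEL": NotificationRule("State DOI (NAIC Model #668 text)", hours=72),
    "PA": NotificationRule("Pennsylvania Insurance Commissioner", business_days=5),
}


def add_business_days(start: datetime, days: int) -> datetime:
    """Advance `days` Mon-Fri business days; the start day itself is day zero."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # 0..4 = Mon..Fri
            remaining -= 1
    return current


def notification_deadline(determined_at: datetime, rule: NotificationRule) -> datetime:
    """Deadline from the moment the licensee *determined* an event occurred."""
    if determined_at.tzinfo is None:
        raise ValueError("use a timezone-aware determination time")
    if rule.hours is not None:
        return determined_at + timedelta(hours=rule.hours)
    return add_business_days(determined_at, rule.business_days)


def deadline_iso(determined_iso: str, state: str) -> str:
    """String wrapper: ISO-8601 determination time in, ISO-8601 deadline out."""
    determined_at = datetime.fromisoformat(determined_iso)
    return notification_deadline(determined_at, RULES[state]).isoformat()


def earliest_deadline(determined_iso: str, states: List[str]) -> Tuple[str, str]:
    """For a multi-state licensee, the binding deadline is the earliest one."""
    determined_at = datetime.fromisoformat(determined_iso)
    ranked = sorted(
        (notification_deadline(determined_at, RULES[s]), s) for s in states
    )
    deadline, state = ranked[0]
    return state, deadline.isoformat()


if __name__ == "__main__":
    # Constructed sample: determination late on a Friday afternoon (UTC used
    # for portability; a real runbook would use the agency's local zone).
    friday = "2026-01-09T16:00:00+00:00"
    for code in RULES:
        print(code, deadline_iso(friday, code))
    print("binding:", earliest_deadline(friday, ["PA", "NAIC_MODEL"]))
```

Run it and the two clocks diverge by four days for the same Friday determination: 72 hours ends Monday, 5 business days ends the following Friday. The `earliest_deadline` helper is the line an IR runbook actually needs, since an agency licensed in several states has to satisfy the shortest clock rather than its home state's.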

How CGetty Helps

WISP development, risk assessments, and ongoing security advisory built around the NAIC Model Law and Pennsylvania’s Act 2 of 2023.

Not Sure Where Your Business Stands?

We help small businesses understand what applies to them and build a practical plan to get there. Let’s talk.