Pennsylvania’s New Cybersecurity Law for Insurance Licensees Goes into Effect

On December 11, 2023, the Pennsylvania Insurance Data Security Act, 40 Pa. C.S.A. § 4501 et seq., went into effect. The Act, which is based on a model law from the National Association of Insurance Commissioners (NAIC), imposes substantial new responsibilities on Pennsylvania licensees.

Who is affected?

Subject to limited exceptions, the Act applies to all persons and entities that are licensed, authorized to operate, or registered under Pennsylvania insurance laws. This includes insurers, third-party administrators, producers (agents and brokers) and rating organizations.

What are the requirements?

The Act requires licensees to report a qualifying cybersecurity event to the Pennsylvania Insurance Department no later than five business days after discovery. A qualifying cybersecurity event occurs when, broadly speaking, nonpublic information in the licensee’s possession is accessed without authorization. The Department is already interpreting the concept of an “event” broadly. Notification to the Department must meet all standards set forth in the Act. Additionally, the Act permits the Department to enact regulations that, though not yet promulgated, may impose additional requirements on licensees.

The Act also requires certain licensees to complete a routine risk assessment of the licensee’s cybersecurity business processes, including but not limited to training, management, information systems, and threat detection. Upon completion of the risk assessment, licensees must implement a comprehensive written information security program that meets the Department’s standards, designate an individual or entity to be responsible for the information security program, and establish a written incident response plan. If the licensee has a board of directors, the board is subject to additional responsibilities.

Licensees must re-evaluate their risk assessments annually. Licensees are also required to stay informed of emerging threats and changing technology, provide employees with cybersecurity awareness training, and submit a written statement to the Department each year certifying the licensee’s compliance with the Act. Records must be retained and subject to Department inspection for a period of five years. The Act also authorizes the Department to conduct Article IX examinations to determine compliance with certain of the Act’s provisions.

Deadlines & Penalties

Cybersecurity event reporting requirements are already in effect. Licensees must complete their risk assessments and implement an information security program no later than December 11, 2024. Annual certifications begin no later than April 15, 2026.     

Penalties for failure to comply with the Act are severe. The Department may impose not only monetary penalties, but may suspend or revoke the licensee’s license, authorization to operate, or registration.

Bottom Line

The Act imposes significant new requirements on licensees doing business in Pennsylvania. Each requirement involves specific standards to which licensees must adhere. Existing policies must be evaluated to determine necessary changes and/or requirements for new policies.

The team at Buchanan has extensive experience in both insurance regulation and cybersecurity, uniquely positioning our attorneys and specialists to assist licensees in complying with the Pennsylvania Insurance Data Security Act.