E&O & Risk Management
April 11, 2026

Insurance Agency Cybersecurity Requirements: What Insurance Agencies Must Know

An explainer on the cybersecurity requirements that apply to insurance agencies and brokers: which frameworks apply, what each one requires, when compliance was due, and what penalties follow non-compliance.

Javier Sanz

Founder & CEO

Insurance agency cybersecurity requirements are no longer aspirational - they are enforceable legal mandates carrying monetary penalties, license suspension, and personal liability for agency principals. In 2026, three overlapping regulatory frameworks govern how insurance agencies must protect client data: the NAIC Insurance Data Security Model Law, the FTC Safeguards Rule, and state-specific regulations with New York DFS 23 NYCRR 500 as the most stringent.

Most agencies are subject to at least two of these frameworks simultaneously. NAIC 2025 reports that 22 states have now adopted the Model Law, meaning agencies licensed in those states face specific written program requirements regardless of their size. The FTC Safeguards Rule applies to virtually every insurance agency as a "financial institution" under the Gramm-Leach-Bliley Act.

This explainer covers each framework - who it applies to, what it requires, when compliance was due, and what penalties apply for non-compliance.


Key Takeaways

  1. The NAIC Insurance Data Security Model Law has been adopted in 22 states as of 2025; agencies licensed in those states must maintain a written information security program or face license suspension.
  2. The FTC Safeguards Rule applies to insurance agencies as financial institutions and requires specific technical controls, including multi-factor authentication, encryption, and access controls. The continuous-monitoring-or-annual-penetration-testing requirement (along with the written risk assessment, written incident response plan, and annual written report) applies only to agencies that hold information on 5,000 or more consumers.
  3. New York DFS 23 NYCRR 500 is the most stringent state-specific framework; it requires notice to the DFS within 72 hours of determining that a cybersecurity incident occurred, annual penetration testing, and designation of a CISO for every covered entity that does not qualify for the limited exemption.
  4. FTC 2025 enforcement data shows $5 million in Safeguards Rule penalties assessed against financial services firms in 2024 - with the FTC signaling increased enforcement focus on smaller entities in 2025 and 2026.
  5. The NAIC Model Law requires agencies to conduct an annual written risk assessment, maintain vendor oversight contracts, and report on the information security program to senior management each year.
  6. Agencies that use third-party service providers (AMS vendors, comparative raters, payroll processors) must include contractual data security requirements in those vendor agreements or face Model Law and Safeguards Rule violations independently of any security incident.

Framework 1: NAIC Insurance Data Security Model Law

What It Is and Where It Applies

The NAIC Insurance Data Security Model Law was adopted by the NAIC in 2017 and establishes a uniform baseline for data security requirements for insurance licensees. As of 2025, it has been adopted in 22 states: Alabama, Connecticut, Delaware, Georgia, Hawaii, Indiana, Iowa, Louisiana, Maine, Maryland, Michigan, Minnesota, Mississippi, New Hampshire, North Dakota, Ohio, South Carolina, Tennessee, Utah, Vermont, Virginia, and Wisconsin.

The Model Law applies to all entities licensed under the insurance laws of an adopting state. This includes insurance agencies, brokers, MGAs, and surplus lines brokers. Most adopting states exempt licensees with fewer than 10 employees, and some add revenue (about $5 million) and asset (about $10 million) thresholds - but these exemptions are narrow, they are checked at examination rather than self-declared, and they do not remove the obligation to protect nonpublic information or to report a cybersecurity event.

Key Requirements

Written Information Security Program (WISP): Every covered licensee must maintain a written information security program that is appropriate to the size and complexity of the licensee, the nature of its activities, and the sensitivity of the nonpublic information it holds. The WISP is not a template - it must reflect the agency's actual operations, risk profile, and controls.

Annual Risk Assessment: The WISP must be based on and updated by an annual risk assessment that identifies foreseeable internal and external threats to the security of nonpublic information, assesses the likelihood and potential damage of those threats, and identifies current controls that protect against them.

Access Controls: The agency must implement access controls that limit access to nonpublic information to only those employees and systems that require it to perform their job functions. This includes user authentication, role-based access controls, and monitoring of privileged access.

Multi-Factor Authentication: The Model Law itself requires "effective controls, which may include" MFA for any individual accessing nonpublic information; several adopting states and every serious examiner treat MFA as the expected control for access from an external network. In practice that means MFA on remote access, carrier and client web portals, email, and cloud-based AMS platforms. The stricter, unconditional MFA mandate comes from the FTC Safeguards Rule and NY DFS 23 NYCRR 500, discussed below.

Encryption: The Model Law requires nonpublic information to be protected "by encryption or other appropriate means" while transmitted over an external network and while stored on laptops and other portable devices or media. The practical baseline that examiners accept without argument is TLS 1.2 or higher for data in transit and AES-256 for data at rest; an agency relying on "other appropriate means" instead should expect to document why encryption was not feasible.

Vendor Oversight: The agency must include contractual provisions in agreements with third-party service providers that require the vendor to maintain appropriate data security controls and to notify the agency promptly of any security event affecting the agency's nonpublic information.

Incident Response Plan: The agency must maintain a written incident response plan that addresses containment, notification, and post-incident review. (See the agency data breach response plan post for full detail on this requirement.)

Annual Board/Senior Management Reporting: The designated individual responsible for the information security program must report in writing to the agency's board or senior management at least annually on the program's status, risk assessment results, and any material changes.

Penalties for Non-Compliance

Penalties vary by state but follow the Model Law framework. Agencies in Model Law states that lack a written information security program face:

  • Monetary penalties ranging from $500 per day (Alabama) to $25,000 per violation (Michigan).
  • License suspension or revocation for willful non-compliance.
  • Personal liability for agency principals in states where the state insurance code imposes individual responsibility for licensee compliance.

Framework 2: FTC Safeguards Rule

Who It Applies To

The FTC Safeguards Rule applies to "financial institutions" under Title V of the Gramm-Leach-Bliley Act. Insurance agencies qualify as financial institutions because they are "significantly engaged in financial activities" - specifically, underwriting insurance and brokering insurance are both enumerated financial activities under the GLBA.

The FTC Safeguards Rule applies to every insurance agency that collects, processes, or maintains "customer financial information" - which includes Social Security numbers, account numbers, income data, and credit information collected in connection with placing or renewing insurance. Virtually every agency falls within scope.

The amended Safeguards Rule (finalized in 2021, with its technical provisions in force since June 2023 and the breach notification amendment since May 2024) introduced more specific technical requirements. There is no employee size threshold that removes an agency from the rule. There is a records threshold: agencies that maintain customer information on fewer than 5,000 consumers are exempt from the written risk assessment, the continuous-monitoring-or-annual-penetration-testing requirement, the written incident response plan, and the annual written report to the board. Everything else - the qualified individual, access controls, encryption, MFA, training, vendor oversight, change management, and the FTC notification duty - applies regardless of size.

Key Requirements Under the 2023 Amendments

Designated Qualified Individual (QI): The agency must designate a qualified individual responsible for overseeing, implementing, and enforcing the information security program. For a small agency, this is typically the agency owner. For a larger agency, it may be a designated operations or IT manager.

Annual Written Risk Assessment: Like the NAIC Model Law, the FTC Safeguards Rule requires an annual written risk assessment that identifies foreseeable risks, evaluates current safeguards, and documents the agency's plan to address identified risks.

Access Controls: The agency must limit and monitor access to customer information. This includes implementing role-based access controls, regularly reviewing access lists, and revoking access for terminated employees within a defined timeframe.
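The access-control clauses in both the NAIC Model Law (above) and the Safeguards Rule come down to the same recurring evidence: a documented review that reconciles who the business says should have access against who actually has it, and that catches terminated staff, vendor or shared accounts nobody owns, dormant logins, and privileged users without MFA. The script below is an added example (not code from the original article or from BrokerageAudit) of that reconciliation run over two constructed CSV exports, an HR roster and an AMS user list; real exports will have different column names and the 1-day revocation window and 90-day dormancy threshold are assumed policy values.

```python
"""Access-review reconciliation: HR roster vs. application user export.

Added example, not from the original article. Assumes two CSV exports in the
formats constructed below; real AMS/HR exports will need column mapping.
"""
import csv
import io
from datetime import date

# Constructed sample data, not real agency records.
HR_ROSTER_CSV = """employee_id,email,status,termination_date
E100,ana@example-agency.test,active,
E101,ben@example-agency.test,terminated,2026-03-01
E102,cara@example-agency.test,active,
"""

AMS_USERS_CSV = """username,email,role,last_login,mfa_enrolled
ana,ana@example-agency.test,producer,2026-04-09,yes
ben,ben@example-agency.test,csr,2026-02-27,yes
cara,cara@example-agency.test,admin,2026-01-05,no
vendor_svc,support@rater-vendor.test,admin,2025-12-01,no
"""

# Roles treated as privileged for review purposes (assumed; map to your AMS roles).
PRIVILEGED_ROLES = {"admin"}
AS_OF = date(2026, 4, 11)  # review date used by run_sample()


def _parse_date(text):
    """ISO date string -> date, or None when the field is blank."""
    return date.fromisoformat(text.strip()) if text and text.strip() else None


def review_access(hr_csv, ams_csv, as_of, revoke_within_days=1, dormant_days=90):
    """Reconcile an application user export against the HR roster.

    Returns a dict of finding categories, each a sorted list of usernames:
      orphaned                - account whose email has no HR record (vendor, shared, ex-contractor)
      terminated_not_revoked  - HR status is terminated and the account outlived the revoke window
      dormant                 - no login within dormant_days (or never)
      privileged              - holders of a privileged role, for the documented privileged-access review
      privileged_without_mfa  - privileged holders not enrolled in MFA
    """
    hr_by_email = {
        row["email"].strip().lower(): row
        for row in csv.DictReader(io.StringIO(hr_csv))
    }
    findings = {
        "orphaned": [],
        "terminated_not_revoked": [],
        "dormant": [],
        "privileged": [],
        "privileged_without_mfa": [],
    }
    for acct in csv.DictReader(io.StringIO(ams_csv)):
        user = acct["username"].strip()
        hr = hr_by_email.get(acct["email"].strip().lower())
        if hr is None:
            findings["orphaned"].append(user)
        elif hr["status"].strip().lower() == "terminated":
            term = _parse_date(hr["termination_date"])
            # A blank termination date is treated as overdue rather than ignored.
            if term is None or (as_of - term).days > revoke_within_days:
                findings["terminated_not_revoked"].append(user)
        last_login = _parse_date(acct["last_login"])
        if last_login is None or (as_of - last_login).days > dormant_days:
            findings["dormant"].append(user)
        if acct["role"].strip().lower() in PRIVILEGED_ROLES:
            findings["privileged"].append(user)
            if acct["mfa_enrolled"].strip().lower() != "yes":
                findings["privileged_without_mfa"].append(user)
    return {k: sorted(v) for k, v in findings.items()}


def has_findings(findings):
    """True when any category other than the informational 'privileged' list is non-empty."""
    return any(users for name, users in findings.items() if name != "privileged")


def run_sample():
    """Run the review over the constructed sample data."""
    return review_access(HR_ROSTER_CSV, AMS_USERS_CSV, AS_OF)


if __name__ == "__main__":
    for category, users in run_sample().items():
        print(f"{category}: {', '.join(users) or '-'}")
```

Run it quarterly, keep the output with the reviewer's sign-off, and the same file doubles as the access-review evidence examiners ask for. On the sample data it flags the vendor support account as orphaned, the terminated CSR whose account survived 41 days past termination, and two dormant admin accounts with no MFA.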

Multi-Factor Authentication: The Safeguards Rule requires MFA for any individual accessing any information system that contains or provides access to customer information, unless the Qualified Individual has approved in writing a reasonably equivalent or stronger control. For an agency that means the AMS, carrier portals, email (where policy documents and client data are transmitted), cloud storage, and remote access, and it includes administrator and service accounts, not just producers and CSRs.

Encryption: The rule requires encryption of all customer information in transit over external networks and at rest. Where encryption is infeasible, the Qualified Individual may approve effective compensating controls in writing; that approval, and the reason for it, is something an examiner will ask to see.

Secure Development Practices: If the agency uses custom-developed software to handle customer information, the rule requires security testing of that software before deployment.

Monitoring and Testing: Agencies holding information on 5,000 or more consumers must either implement continuous monitoring of their information systems or conduct annual penetration testing plus vulnerability assessments at least every six months (and after any material change). Agencies below that threshold are exempt from this specific requirement, but they still need a way to detect attacks and unauthorized access under the rule's general safeguards, and a periodic vulnerability scan is the cheapest way to evidence that.

Change Management: The agency must evaluate and address risks related to changes in business operations, including changes in third-party service providers, new software deployments, and changes in data handling practices.

Incident Response Plan: Agencies holding information on 5,000 or more consumers must maintain a written incident response plan covering goals, internal processes, roles and decision authority, internal and external communications, remediation, documentation, and post-incident evaluation and revision of the plan. The Safeguards Rule does not itself prescribe an annual test, but NY DFS 23 NYCRR 500 requires periodic testing, and an annual tabletop exercise against a simulated breach is the practical way to satisfy both and to produce the evidence examiners ask for.

FTC Notification Requirement: If a security event affects 500 or more customers, the agency must notify the FTC within 30 days using the FTC's online reporting portal. FTC 2025 enforcement data confirms that failure to notify the FTC is itself a separate violation from the underlying security failure.

Penalties for Non-Compliance

Civil penalties of up to $51,744 per violation per day are available under the FTC Act, but they attach to violations of an FTC order rather than to a first-time Safeguards Rule failure. The usual outcome of a first action is a consent order imposing a multi-year compliance program with independent assessments and reporting obligations; penalties follow if that order is violated. FTC 2025 enforcement data shows penalties of $200,000 to $5 million for financial institutions that failed to implement required Safeguards Rule controls, and the FTC has stated publicly that it will increase enforcement focus on smaller financial institutions - including independent insurance agencies - in 2025 and 2026.


Framework 3: New York DFS 23 NYCRR 500

Who It Applies To

NY DFS 23 NYCRR 500 applies to any entity that holds a license, registration, or charter from the New York Department of Financial Services. For insurance agencies, this means any agency licensed to do business in New York - including agencies domiciled in other states that hold a New York non-resident producer license.

The regulation divides covered entities into three tiers. "Limited exemption" entities have the fewest requirements; since the November 2023 amendment the thresholds are fewer than 20 employees, less than $7.5 million in gross annual revenue from New York operations, and less than $15 million in year-end total assets (the original rule used 10 employees, $5 million, and $10 million). "Class A" companies face enhanced requirements (independent audits, privileged access management, endpoint detection and response) and are defined as entities with at least $20 million in gross annual revenue from New York operations and either more than 2,000 employees or more than $1 billion in gross annual revenue from all operations. Everyone else is subject to the standard requirements, which is where most mid-size and larger agencies land.

Key Requirements Beyond NAIC Model Law and FTC Safeguards

72-Hour Breach Notification: NY DFS requires covered entities to notify the DFS within 72 hours of determining that a cybersecurity incident has occurred. This is shorter than the 30-day FTC notification requirement and most state breach notification law timelines. The 72 hours run from the determination that an incident occurred, not from discovery of a potential event - which makes the timestamp of that determination, and who made it, something the incident response plan must capture. Separately, a covered entity that makes an extortion payment in connection with a cybersecurity incident must notify the DFS within 24 hours of the payment and, within 30 days, explain in writing why payment was necessary and what alternatives were considered.

Annual Penetration Testing: Covered entities must conduct penetration testing of their information systems, from both inside and outside the network boundary, at least annually by a qualified internal or external party. This requirement applies to every covered entity outside the limited exemption - not only to entities with 5,000+ records as under the FTC Safeguards Rule.

CISO Designation: Covered entities (other than limited exemption entities) must designate a qualified Chief Information Security Officer (CISO). The CISO may be an employee of an affiliate or a third-party service provider, which allows smaller agencies to satisfy the requirement through an outsourced vCISO arrangement rather than a full-time hire. The agency keeps responsibility: it must retain oversight of the third party, designate a senior person internally to direct and oversee the outsourced CISO, and ensure the provider maintains a cybersecurity program that meets the regulation.

Annual Certification of Compliance: Covered entities must submit an annual certification of compliance with 23 NYCRR 500 to the DFS through the DFS online portal by April 15, signed by the agency's highest-ranking executive and its CISO. An entity that was not in full compliance for the prior year must instead file a written acknowledgment of non-compliance identifying the gaps and a remediation timeline. A materially false certification is itself a basis for enforcement, and the records supporting the certification must be kept for five years.

Vulnerability Management: Covered entities must maintain a formal vulnerability management policy that includes processes for identifying, assessing, and remediating vulnerabilities in a timely manner.

Third-Party Risk Management: The regulation requires covered entities to conduct a risk assessment of third-party service providers that access or hold nonpublic information and to include specific cybersecurity requirements in contracts with those providers.

Penalties for Non-Compliance

The DFS can assess penalties of up to $1 million per violation under New York Insurance Law. DFS 2025 enforcement actions against financial services firms have ranged from $500,000 to $30 million for systemic cybersecurity failures. The DFS has a dedicated cybersecurity examination unit that reviews compliance with 23 NYCRR 500 as part of routine licensee examinations.


Compliance Requirements Comparison Table

| Requirement | NAIC Model Law (22 states) | FTC Safeguards Rule | NY DFS 23 NYCRR 500 |
|---|---|---|---|
| Written information security program | Required | Required | Required |
| Annual written risk assessment | Required | Required (written assessment exempt below 5,000 consumers) | Required |
| Multi-factor authentication | "Effective controls, which may include MFA" for access to nonpublic information | Required for any individual accessing any information system (QI may approve an equivalent control in writing) | Required (remote access and privileged accounts; all information systems as the 2023 amendment phases in) |
| Encryption | Required for external transmission and portable devices (or "other appropriate means") | Required in transit over external networks and at rest (compensating controls with written QI approval) | Required in transit over external networks and at rest |
| Access controls and role-based access | Required | Required | Required |
| Vendor/third-party security contracts | Required | Required | Required |
| Incident response plan | Required | Required (written plan; exempt below 5,000 consumers; no testing mandate) | Required (with periodic testing) |
| Annual penetration testing | Not mandated (regular testing and monitoring for attacks required) | Required for 5,000+ consumers, or continuous monitoring; plus vulnerability assessments every six months | Required for all non-limited covered entities |
| CISO designation | Not required (designated responsible individual) | Qualified Individual required | CISO required (third-party CISO permitted) |
| Regulatory breach notification timeline | 72 hours to the commissioner under the Model Law (check state variations) | 30 days to the FTC for 500+ consumers | 72 hours from determination to the DFS |
| Annual compliance certification | Not required for agencies (insurers certify to their domiciliary commissioner) | Not required | Required (by April 15, signed by highest-ranking executive and CISO) |
| Annual senior management reporting | Required | Required (QI written report; exempt below 5,000 consumers) | Required (CISO annual report) |

Practical Compliance Steps for Independent Agencies

The overlap between the three frameworks is significant - most required controls appear in all three. An agency that builds its security program to satisfy the most stringent applicable framework (NY DFS 23 NYCRR 500 for agencies with a New York license) will satisfy nearly all of the NAIC Model Law and FTC Safeguards Rule controls as well; the remaining differences are notification recipients and timelines, not the controls themselves.

For agencies not subject to NY DFS, build the compliance program in this sequence:

Step 1: Conduct a written risk assessment. This is the foundation of every framework. The risk assessment identifies what nonpublic information the agency holds, where it lives, who has access, what threats exist, and what current controls address those threats. Document it formally.

Step 2: Write or update the information security program. Using the risk assessment findings, document the agency's actual security policies and controls. The WISP must address access controls, encryption, vendor management, incident response, and employee training at minimum.

Step 3: Implement MFA. Enable multi-factor authentication on every system containing client data: the AMS, carrier portals, email, and any cloud storage containing policy documents. This is the single highest-impact technical control required by all three frameworks.

Step 4: Review and update vendor contracts. Every vendor that accesses or holds agency client data - AMS providers, comparative raters, benefits platforms, cloud storage providers - must have a contract that includes data security requirements and breach notification obligations.

Step 5: Test the incident response plan annually. Run a tabletop exercise. Walk through a simulated breach scenario. Identify gaps. Update the plan. Document the test.

Step 6: Schedule annual penetration testing. For NY DFS covered entities and FTC-covered agencies with 5,000+ records, this is mandatory. For other agencies, it is best practice and satisfies the risk assessment testing requirements of the NAIC Model Law and FTC Safeguards Rule.


The Employee Training Requirement

All three frameworks require employee security awareness training. Employees are the most common entry point for cyberattacks on insurance agencies - Coalition 2025 data shows that 68% of financial sector cyber incidents begin with a phishing email or social engineering attack on an employee.

Minimum compliant training program elements:

  • Annual security awareness training for all employees with access to client data.
  • Phishing simulation testing at least twice per year.
  • Training on the agency's incident response procedures: who to call, what not to do (do not delete files, do not pay a ransomware demand without carrier notification).
  • Training specific to roles with elevated access (producers, CSRs with AMS administrative access).

Document all training completion. Regulators request training records during cybersecurity examinations.


How State Examinations Assess Cybersecurity Compliance

State insurance departments in NAIC Model Law states have incorporated cybersecurity examination procedures into their routine financial and market conduct examination programs. NAIC 2025 data shows that cybersecurity-specific examination questions are now included in 18 of the 22 Model Law states.

During a cybersecurity examination, examiners typically request:

  • A copy of the written information security program.
  • Documentation of the most recent annual risk assessment.
  • Evidence of MFA implementation across systems containing nonpublic information.
  • Vendor contract provisions related to data security.
  • Training records for all employees.
  • Documentation of any security events in the prior 24 months and the agency's response.

Agencies that cannot produce these documents during an examination face findings that require corrective action plans and may result in monetary penalties even in the absence of any security incident.


Frequently Asked Questions: Insurance Agency Cybersecurity Requirements

What are the insurance agency cybersecurity requirements that apply in 2026?

Three frameworks apply to most insurance agencies: the NAIC Insurance Data Security Model Law (mandatory in 22 states as of 2025), the FTC Safeguards Rule (applies to all agencies as financial institutions under GLBA), and state-specific regulations such as NY DFS 23 NYCRR 500 for agencies licensed in New York. Each framework requires a written information security program, a risk assessment, access controls, encryption, vendor contracts with security requirements, and an incident response plan; the FTC rule and NY DFS mandate MFA outright, while the Model Law calls for effective access controls that may include it. NY DFS adds annual penetration testing, CISO designation, and an annual compliance certification.

Does the FTC Safeguards Rule apply to a small, single-state insurance agency?

Yes. The FTC Safeguards Rule applies to every insurance agency that qualifies as a financial institution under GLBA - which includes any agency that places or brokers insurance. There is no employee size or revenue threshold that eliminates the Safeguards Rule's applicability. Agencies holding information on fewer than 5,000 consumers are exempt only from the written risk assessment, the monitoring-or-penetration-testing requirement, the written incident response plan, and the annual written report; the Qualified Individual, access controls, MFA, encryption, training, vendor oversight, and the FTC breach notification duty apply regardless of agency size.

What is the NAIC Insurance Data Security Model Law and which states have adopted it?

The NAIC Insurance Data Security Model Law is a model legislation framework adopted by the National Association of Insurance Commissioners in 2017. As of 2025, 22 states have enacted it into law: Alabama, Connecticut, Delaware, Georgia, Hawaii, Indiana, Iowa, Louisiana, Maine, Maryland, Michigan, Minnesota, Mississippi, New Hampshire, North Dakota, Ohio, South Carolina, Tennessee, Utah, Vermont, Virginia, and Wisconsin. Agencies licensed in these states must maintain a written information security program, conduct annual risk assessments, and comply with specific technical control requirements.

What happens if an agency is not compliant with cybersecurity requirements and suffers a breach?

Non-compliance with cybersecurity requirements multiplies the regulatory consequences of a breach. An agency that suffers a breach and is found to have lacked a compliant information security program faces penalties for the breach notification violation and separate penalties for the security program non-compliance. FTC 2025 enforcement data shows combined penalties reaching $5 million in single-firm actions. In NAIC Model Law states, non-compliance with the written program requirement is grounds for license suspension independent of any breach.

What is the minimum cybersecurity program an agency must have to satisfy all three frameworks?

A compliant minimum program includes: a written information security program (WISP) documented and signed by agency leadership; an annual written risk assessment; multi-factor authentication on all systems containing client data; encryption of client data in transit and at rest; written contracts with all third-party vendors that include security requirements and breach notification obligations; a written incident response plan tested at least annually; and annual security awareness training for all employees. Agencies subject to NY DFS 23 NYCRR 500 must add annual penetration testing, a CISO designation, and an annual compliance certification to this baseline.

How often must an agency update its information security program?

The written information security program must be reviewed and updated at least annually - the risk assessment process drives this review. The program must also be updated following any material change in the agency's operations (new AMS implementation, acquisition, significant staff changes), any security incident that reveals a gap in the program, and any change in applicable law or regulation. An information security program that is more than 12 months old without a documented review is non-compliant under both the NAIC Model Law and FTC Safeguards Rule.




Written by Javier Sanz, Founder of BrokerageAudit. Last updated April 2026.

