New Wisconsin Cybersecurity Law
Cybersecurity has been a major challenge in both the private and public sectors for years, and the pandemic has only exacerbated the threat. In reaction to that uptick, Wisconsin Governor Tony Evers signed into law Act 73, which goes into effect on November 1st. Act 73 establishes a cybersecurity requirement for the protection of the data the insurance industry collects.
The security threat to insurance companies is magnified by all the confidential information (think Social Security numbers, birth certificates, bank information, addresses, and health information) that is gathered from their clients and stored. With this law passed and ready to take effect in just under a month, insurers will have to conduct a risk assessment, develop an information security program to mitigate identified threats, and work with third-party providers to protect customers’ information. Should a cybersecurity attack occur, insurers are also required to have an incident response plan prepared so that they can better reach and recover personal information that was jeopardized during the attack. Act 73 also states that if an attack occurs, insurance companies must notify consumers and their independent insurance providers within 45 days of learning there was a breach, and must notify consumer reporting agencies and the Commissioner’s Office within three days of the attack if it affects 1,000 or more consumers.
What is a cybersecurity risk assessment?
An assessment that identifies the various information assets that could be affected by a cyber attack (such as hardware, systems, laptops, customer data, and intellectual property), and then identifies the various risks that could affect those assets.
A risk estimation and evaluation are usually performed, followed by the selection of controls to treat the identified risks. It is important to continually monitor and review the risk environment to detect any changes in the context of the organization, and to maintain an overview of the complete risk management process.
Source: https://www.itgovernanceusa.com/cyber-security-risk-assessments
Licensees have a year to conduct a risk assessment and to address the vulnerabilities and risks identified.
There are two main routes insurance companies can pursue to reduce risk: people and processes. On the front end, insurers must do a better job educating their workforce and the public on the dangers of cyber attacks and best practices for lowering risk. On the back end, organizations must adopt IT infrastructures that reduce the complexity of their systems, thereby lowering the opportunities bad actors have to take over.
Here at Extract, security is always our highest priority, which is why we offer a software solution that automates the process of shielding sensitive data from the public. If you’re interested in learning more about what we do, please reach out today.
Sources:
https://www.govtech.com/security/wisconsin-law-imposes-cybersecurity-rules-for-insurance-industry
https://docs.legis.wisconsin.gov/2021/related/proposals/sb160