
The Insurance-Specific Cybersecurity Law Your State Passed Without Telling You

Written by Emily Zaczynski | Mar 31, 2026 4:18:07 AM

What Every Insurance Agent and Agency Owner Must Do Now 

More than half the country has enacted insurance-specific cybersecurity law. If you are a licensed agent, broker, adjuster, or agency owner, this law applies to you. Here is what it requires, where your state stands, and what happens if you ignore it.


You Are Already Regulated. Does Your Agency Know It?

Most insurance agency owners assume cybersecurity regulation is a "carrier problem." They believe only the big insurers need to worry about compliance. They are wrong.

The NAIC Insurance Data Security Model Law applies to insurers, insurance agents, and any other entity licensed by the state department of insurance. Every licensed agent and broker in an adopting state is covered. At least 28 jurisdictions had enacted some version of this law as of early 2026, and more are on the way. In most adopting jurisdictions the compliance deadlines have already arrived.

What Is the NAIC Insurance Data Security Model Law?

State regulators created this law to protect consumer data. The National Association of Insurance Commissioners (NAIC) used the New York DFS 23 NYCRR 500 Cybersecurity Regulation as the framework (Thales CPL, 2026). New York’s law is one of the strictest state-level cybersecurity rules in the country.

This is not a soft guideline. In an adopting state it is law, and regulators are ready to use it. Their goal is to ensure that every part of the insurance supply chain, from the local agent to the national carrier, protects sensitive client information.

Who Does It Apply To? (The Part Agents Get Wrong)

Many agents get the scope of this law wrong. Under the NAIC model, the regulations apply to anyone with a license from the state insurance department. This includes independent agencies, general agents, and even individual adjusters.

The model law includes an exemption for licensees with fewer than 10 employees. However, you must check your local rules. Some states changed that threshold or removed the exemption entirely, so your state might cover even the smallest agencies. The model law also treats licensees that already comply with HIPAA as meeting the information security program requirement, and some states extend similar treatment to GLBA-regulated firms, but these carve-outs vary by state and usually still require a certification to the commissioner. Verify your status with your state commissioner. Do not guess. A mistake here leads to heavy fines.

The Five Core Pillars of Compliance

The law mandates five core obligations for your agency. You must treat these as a priority.

1. Conduct Annual Written Risk Assessments

You must identify threats to your data every year. You cannot just think about it. You must write it down. Your assessment should cover your internal hardware, your cloud storage, and how your staff handles passwords. If you find a gap, you must create a plan to fix it. Recent data shows that a new vulnerability is identified every 17 minutes globally. Your assessment helps you find yours before an attacker does.

2. Maintain a Documented Information Security Program (ISP)

You must have a written plan to protect consumer information. This document outlines your security rules. It explains how you grant access to data and how you encrypt files. Your board of directors or a senior leader must approve this plan annually.

3. Create a Cybersecurity Incident Response Plan

Know exactly how to react when a breach happens. You need a list of who to call. This includes your IT team, your legal counsel, and your cyber insurance carrier. The plan must cover how you will contain the event, how you will recover your data, and how you will communicate with your clients after an attack. Only 14% of small and mid-sized businesses currently have a formal security plan in place. Being in that 14% can save your agency.

4. Manage Third-Party Vendors

You are responsible for the security of your partners. If you use a cloud-based CRM or a digital signature tool, you must check their security. The law says you cannot outsource your liability (NAIC, 2026). You must ensure your contracts require these vendors to protect your data, and you must exercise due diligence in selecting them. Human error and misconfigurations in third-party cloud tools are estimated to account for as much as 95% of security failures.

5. Notify the Commissioner Fast

Report a cybersecurity event to your state insurance commissioner within 72 hours of determining that one occurred (Thales CPL, 2026). This is a tight window. You do not wait for a full investigation. You notify them as soon as you know a breach occurred, and you supplement the notice as the investigation produces more detail. This regulatory notice is separate from, and in addition to, any consumer breach notification your state already requires.

Why 2026 Is a Pivotal Year

This law changes over time. The NAIC working group is currently modernizing the model. They released new amendment drafts for public comment in early 2026. These updates focus on the use of Artificial Intelligence (AI) and how agents manage third-party data.

This law is not a one-time task. You must build a program that adapts. Agencies that wait to start will find themselves behind a moving target. New state portals are also coming online to make reporting easier, but they also make it easier for regulators to track who is failing.


Is Your State on the List?

States such as Illinois, Ohio, Michigan, Maryland, and Connecticut have already adopted the model law, and New York enforces its own DFS cybersecurity regulation, on which the model is based. The current list of adopting jurisdictions is long.

Adopting Jurisdictions (as of March 2026)

  • Alabama
  • Alaska
  • Connecticut
  • Delaware
  • Hawaii
  • Illinois
  • Indiana
  • Iowa
  • Kentucky
  • Louisiana
  • Maine
  • Maryland
  • Michigan
  • Minnesota
  • Mississippi
  • Missouri
  • New Hampshire
  • North Dakota
  • Ohio
  • Oklahoma
  • Pennsylvania
  • Puerto Rico
  • Rhode Island
  • South Carolina
  • Tennessee
  • Vermont
  • Virginia
  • Wisconsin


The High Cost of Being a Target

Small insurance agencies are high-value targets for hackers. You hold a combination of financial data, health records, and personal identities.

The Frequency of Attacks

Cybercrime costs are forecast to hit $10.5 trillion globally in 2026. Small businesses account for 46% of all cyber attacks annually. An attack happens roughly every 39 seconds. Attackers do not look for big names. They look for weak locks.


The "60 Percent" Rule

Research shows that 60% of small businesses that suffer a major cyberattack go out of business within six months. Even if you pay a ransom, your business might not survive. Over 75% of small businesses say that a ransomware attack would lead to bankruptcy.

The Real Cost of a Breach

A data breach for a financial services firm now costs an average of $6.4 million. For small businesses in the U.S., the average insurance claim is roughly $108,000. This includes legal fees, forensic investigations, and client notification. These costs often exceed what a small agency has in cash reserves.

The 3 Fatal Mistakes Small Insurance Agencies Make

Avoid these common traps. They lead to business failure and legal trouble.

1. "We are too small to be a target"

Cybercrime increases every year, and small insurance agencies are gold mines for attackers. You hold Social Security numbers, health data, and financial records. The cost of a ransom is often less than the cost of the legal fees, forensic investigation, and lost client trust that follow a breach.

2. "Our vendors handle security"

You might use a big name for your email or your agency management system. That does not clear you of responsibility. The law says the licensee—you—is responsible for the data. You must monitor your vendors. You must ask for their security audits.

3. "We have a breach notification plan, so we are compliant"

Notification is only one part of the law. Breach notification laws have existed for years. This law is different. It requires a proactive, documented security program: a risk assessment, a written information security program, vendor oversight, and an incident response plan. You cannot just wait for a breach to happen. You must be able to prove you tried to prevent it.

Your 90-Day Compliance Roadmap

Start today. Use this checklist to stay on track.

Protect Your Agency Before the Deadline

Insurance Data Security Model Laws are spreading across the map. Your state is likely next. You need a plan to meet these new standards. If you need guidance or compliance help, our team of insurance compliance experts is here to help.