Cyber One Solutions logo.
Get Support

GLBA & Insurance Data Security Compliance for Insurance Agencies

Compliance / GLBA & Insurance Data Security

GLBA and Insurance Data Security Compliance for Insurance Agencies.

Insurance agencies and brokers handle exactly the kind of nonpublic personal information that data-security law is written to protect. Policyholder Social Security numbers, financial details, and, for life and health lines, health information move through every quote, application, and renewal. Insurance is regulated primarily by state insurance authorities rather than the FTC. Under the McCarran-Ferguson Act, the business of insurance is generally left to the states, so the Gramm-Leach-Bliley Act privacy and safeguards expectations reach insurance licensees through state law. The standard most states follow is the NAIC Insurance Data Security Model Law (Model #668), which a majority of states have adopted in some form.

Cyber One Solutions assesses the states where your agency is licensed and does business, then maps the program to the applicable state insurance data security law and the NAIC model. We build and manage the written information security program, the technical controls, the testing, and the documentation your state insurance department or a carrier expects to see. We do the work, write the evidence, and keep the program current.

What You Get
A written information security program (WISP) that satisfies the NAIC Insurance Data Security Model Law and the state statutes that apply to your licensing footprint.
A designated responsible individual overseeing the program.
MFA for anyone accessing your information systems, with encryption applied to policyholder nonpublic information.
A written risk assessment plus testing and monitoring on a defined schedule.
An incident response plan and the process to notify your state insurance commissioner within the required window.
An evidence trail ready for a market conduct exam or a carrier security review.
What the Rule Requires

Insurance Data Security, Mapped to Your Agency.

The NAIC Insurance Data Security Model Law sets out the core program elements a licensee must put in place, and a majority of states have adopted it in some form. Some states also have their own insurance data security statutes. Exact obligations depend on the states where your agency is licensed and does business, and we map the program to those requirements. Each element below is paired with the work we deliver against it.

Written Information Security Program (WISP)

A documented, comprehensive program that addresses each element the NAIC model and applicable state law require. It is tailored to how your agency actually handles policyholder nonpublic information across quoting, binding, servicing, and renewals. Because it overlaps heavily with GLBA safeguards, one program can satisfy multiple state requirements.

Designated Responsible Individual

The model requires the agency to designate a person responsible for the information security program. We can serve as, or support, that responsible individual and produce the documentation and reporting the role is accountable for.

Written Risk Assessment

A documented assessment of the foreseeable internal and external threats to the policyholder information in your agency management system, carrier portals, and rating and comparative-quoting tools. It pairs each risk with the safeguard that addresses it.

Access Controls, MFA & Encryption

Role-based access to policyholder financial and, where applicable, health data. Multi-factor authentication for anyone accessing your information systems. Encryption of nonpublic information in transit and at rest.

Testing, Monitoring & Third-Party Oversight

Regular testing and monitoring of the controls that protect policyholder information, plus audit logging of access to that information. It also covers oversight of the third parties that handle your data, including your agency management system vendor and the carriers and platforms you connect to.

Incident Response & Commissioner Notification

A written incident response plan and the process to investigate a cybersecurity event. When a reportable event occurs, the model requires notification to the state insurance commissioner within a defined window, commonly 72 hours in states that follow the model closely. The exact trigger and timeline depend on the state.

Why It Applies to Insurance Agencies

Selling and servicing insurance is exactly what these laws protect.

Insurance data security law protects the nonpublic information an agency collects and holds. Your daily work sits squarely inside that scope: gathering applicant financial and health details, submitting them to carriers, and maintaining the file for the life of the policy. Because insurance is regulated at the state level, these obligations reach you through state statutes and the NAIC Insurance Data Security Model Law rather than through the FTC.

Agencies hold high-value policyholder data.

Every file contains policyholder nonpublic information: Social Security numbers, financial and payment details, and, for life and health lines, health information. Commission and premium records add another layer of sensitive financial data. That is precisely the information insurance data security law is written to protect.

Account takeover and business email compromise target this data directly. The controls the model requires are MFA, verification procedures, and encryption. They are the same controls that defend against the most common attacks on agencies.

One written program can satisfy several state requirements.

The written information security program the NAIC model requires overlaps heavily with the GLBA safeguards expectations. For an agency licensed in more than one state, that overlap matters: a single, well-built program can meet the common core across the states that have adopted the model, rather than a separate binder for each.

We produce these documents to reflect what is actually running in your environment, so the program stands up to a market conduct exam or a carrier security questionnaire rather than reading as boilerplate.

Vendor oversight covers your management system and carrier connections.

Agencies rely on an agency management system (AMS), comparative rating and quoting tools, carrier and MGA portals, and payment processors. The model requires you to exercise due diligence over the third-party service providers that handle your policyholder information.

We inventory those vendors and connections, document the security expectations, and fold third-party oversight into your written program so the requirement is met and evidenced.

A reportable event starts a clock set by state law.

The NAIC model requires a licensee to investigate a cybersecurity event and, when it is reportable, notify the state insurance commissioner within a defined window. In states that follow the model closely, that window is commonly 72 hours from determining an event has occurred. The exact trigger, threshold, and timeline vary by state, and some states layer their own insurance data security statute on top of the model.

We build the incident response plan, define what counts as a reportable cybersecurity event across the states where you are licensed, and prepare the notification workflow. A real event is then handled inside the applicable window rather than improvised. Encrypting policyholder information in transit and at rest is both a core safeguard and a way to reduce exposure when an event occurs.

Frequently asked questions.

We are licensed in more than one state. Which law applies?

Potentially several. Insurance data security obligations follow the states where your agency is licensed and does business, not a single federal rule. A majority of states have adopted the NAIC Insurance Data Security Model Law in some form, and a few have their own insurance data security statutes with their own thresholds and notification timelines. During onboarding we assess your licensing footprint and map the program to the common core plus any state-specific requirements, so one coherent program covers the states you operate in rather than a separate effort for each.

How long does it take to get an agency compliant?

It depends on your current posture, but a program built from scratch typically takes 60 to 120 days to establish. Work starts with the gap analysis and written risk assessment, then moves through control implementation and documentation. We scope every engagement to what your environment and your licensing footprint actually require rather than to a fixed package.

Do our carrier appointments and MGA connections fall under our security program?

The parties that receive, transmit, or store your policyholder information are third-party service providers under the NAIC model, and the model requires you to exercise due diligence over them. That reaches your agency management system vendor, comparative rating tools, and the carrier and MGA portals you connect to. Each connection is a place policyholder data can be exposed. We inventory these relationships, document the security expectations, and extend access controls and monitoring to the systems involved, so the requirement is met and documented rather than assumed.

Common Questions

Insurance Data Security Compliance, Answered.

Common questions from insurance agencies and brokers working out whether GLBA and the NAIC Insurance Data Security Model Law apply to them and what compliance actually involves.

Don't see your question?
Our team answers questions like these every day, no sales pitch attached.
Ask a Question