Definitive Guide

The Complete Insurance Agency Data Security Guide

Insurance agencies handle some of the most sensitive personal data in any industry. This guide covers NAIC Model Law compliance, state DOI requirements, and carrier appointment security standards.

Farhad Mirza Khawar

Founder of HIPAA Agent and Cyber Defense Agent. Compliance infrastructure for SMBs. Sacramento, CA.

2026-05-01

NAIC Insurance Data Security Model Law (MDL-668)

The NAIC Insurance Data Security Model Law (MDL-668) establishes a comprehensive cybersecurity framework for insurance licensees — including agencies, brokers, and producers. As of 2026, 25 states have adopted laws based on MDL-668, with additional states expected to follow. For agencies operating across state lines, compliance with MDL-668 provisions is effectively mandatory because you must comply with the most restrictive state in which you hold appointments.

MDL-668 requires insurance licensees to develop a written information-security program tailored to their size, complexity, and the nature of their activities. Core requirements include: conducting a risk assessment at least annually, implementing safeguards based on identified risks, overseeing third-party service providers who access nonpublic information (NPI), establishing an incident-response plan, and notifying the state Department of Insurance commissioner within 72 hours of determining that a cybersecurity event has occurred.

The law defines "nonpublic information" broadly to include Social Security numbers, driver's license numbers, financial account information, health data, and any information that could be used to identify an individual in combination with other data elements. For an insurance agency, virtually every piece of client information — from applications to claims data to policy details — qualifies as NPI. This broad scope means security controls must extend to every system, device, and process that touches client data.

State Department of Insurance Requirements

Beyond states that have adopted MDL-668, every state Department of Insurance (DOI) imposes some form of data-protection expectation on licensed agents and agencies. These requirements vary significantly: New York's DFS Cybersecurity Regulation (23 NYCRR 500) is the most prescriptive, requiring a CISO designation, annual penetration testing, encryption of NPI in transit and at rest, and detailed incident reporting within 72 hours. Agencies operating in New York — even if headquartered elsewhere — must comply. South Carolina's Insurance Data Security Act was among the first state-level adoptions of MDL-668 and includes specific requirements for multi-factor authentication and continuous monitoring of information systems. California, while not adopting MDL-668 directly, applies the California Consumer Privacy Act (CCPA/CPRA) to insurance data, creating a parallel set of obligations around consumer rights, data minimization, and breach notification.

For multi-state agencies, the compliance challenge is substantial. A single agency with appointments in 15 states may need to satisfy 15 different cybersecurity frameworks. The practical solution is to build a security program that meets the most restrictive standard — typically New York's 23 NYCRR 500 — and then document compliance against each state's specific requirements. Cyber Defense Agent's framework mapping to NIST CSF 2.0 and CIS Controls provides a cross-walk that satisfies the technical requirements across all state DOI frameworks.

Carrier Appointment Security Requirements

Insurance carriers are increasingly conditioning agency appointments on demonstrated cybersecurity competence. Major carriers — including Travelers, Hartford, Chubb, and Liberty Mutual — now include cybersecurity questions on their agency-appointment applications and renewal questionnaires. Some carriers require completion of specific cybersecurity certifications (such as the IIABA Cyber Secure certification) or third-party security assessments as a condition of maintaining appointments.

The reason is straightforward: an agency is a gateway to the carrier's systems. Agencies connect to carrier portals, submit applications with client NPI, and access policy management systems. A compromised agency can expose the carrier to regulatory liability, financial loss, and reputational damage. After several high-profile agency-level breaches resulted in unauthorized access to carrier systems, the industry tightened its security expectations.

Common carrier requirements include: enforced MFA on all carrier portal access, endpoint detection and response (EDR) on agency workstations, encrypted email for transmitting client applications and claims data, documented employee security-awareness training, and a written incident-response plan that includes notifying affected carriers within 24 hours. Some carriers conduct their own security assessments of agency networks before granting or renewing appointments.

Cyber Defense Agent provides agencies with a verifiable Cyber Defense Score and trust page that can be shared directly with carriers during the appointment process. This shifts the conversation from verbal assurances to documented evidence — exactly what carrier security teams want to see. Agencies report that a strong Cyber Defense Score expedites the appointment process and differentiates them from competitors.

Key Takeaways

The NAIC Insurance Data Security Model Law (MDL-668) has been adopted by 25 states and requires agencies to implement written information-security programs, conduct annual risk assessments, and report breaches within 72 hours.

Multi-state agencies must comply with the most restrictive cybersecurity framework among all states where they hold appointments.

Major carriers now condition agency appointments on demonstrated cybersecurity controls, including MFA, EDR, and written incident-response plans.

New York's 23 NYCRR 500 is the most prescriptive state-level regulation and sets the benchmark for multi-state compliance programs.

Frequently asked questions

Does the NAIC Model Law apply to independent insurance agents?

Yes. In states that have adopted MDL-668, the law applies to all insurance "licensees," which includes independent agents, brokers, producers, and agencies. However, agents with fewer than 10 employees, less than $5 million in gross annual revenue, and personal information on no more than 5,000 consumers may qualify for limited exemptions from some (not all) requirements. You must still maintain a security program, report breaches, and comply with carrier-specific requirements.

What do I need to report to the state DOI after a cybersecurity incident?

Under MDL-668, you must notify your state DOI commissioner within 72 hours of determining that a cybersecurity event has occurred that is likely to materially harm a consumer or the normal operations of the licensee. The notification must include the date of the event, a description of how NPI was exposed, the number of consumers affected, and the remediation steps taken. You must also notify affected consumers in accordance with state breach-notification laws.

Can I lose carrier appointments for poor cybersecurity?

Yes. Carriers have broad discretion to terminate agency appointments, and cybersecurity non-compliance is an increasingly common reason for non-renewal. If a carrier conducts a security assessment and finds that your agency lacks basic controls — no MFA, no encryption, no incident-response plan — they may decline to renew your appointment. Some carriers provide a remediation window, but others terminate immediately if the risk is deemed unacceptable.
