
The Definitive Guide to the NAIC Insurance Data Security Model Law

Everything insurance agencies, brokers, and producers need to know about the NAIC Insurance Data Security Model Law — requirements, state adoption, risk assessments, and how to build a compliant information security program.


Farhad Mirza Khawar

Founder of HIPAA Agent and Cyber Defense Agent. Compliance infrastructure for SMBs. Sacramento, CA.

2026-05-01

What is the NAIC Insurance Data Security Model Law?

The NAIC Insurance Data Security Model Law (MDL-668) was adopted by the National Association of Insurance Commissioners in October 2017 to give states a uniform framework for protecting nonpublic information held by insurance licensees. It was written in response to mounting cyber threats against the insurance industry and a patchwork of inconsistent state rules that left gaps in consumer protection. The model law requires licensees, including agencies, brokers, producers, adjusters, and carriers, to develop, implement, and maintain a comprehensive written information security program, to investigate and report cybersecurity events, and to oversee the third parties that handle their data. It draws heavily on the New York Department of Financial Services (NYDFS) Cybersecurity Regulation (23 NYCRR 500) but is written for insurance licensees in every state rather than only for entities regulated by New York's DFS.

Unlike federal rules such as HIPAA or the FTC Safeguards Rule, the model law has no force of its own. It is a template that each state enacts into its own insurance code, so the specific requirements, deadlines, and penalties vary by state even though the core framework stays consistent. As of 2026, a majority of US states have enacted legislation based on or substantially similar to the model law, producing a near-national standard for insurance cybersecurity.

Who must comply with the NAIC model law?

The model law applies to all "licensees": any person or entity licensed, authorized to operate, or registered under state insurance law. In practice, that captures a wide range of businesses:

Insurance agencies and brokerages — From national brokerages to one-person independent agencies, any entity that sells, solicits, or negotiates insurance must comply if its state has adopted the model law.

Insurance producers — Individual licensed producers, captive or independent, are covered. A sole proprietor working from a home office still holds nonpublic consumer information that the law protects.

Insurance carriers — Life, health, property-casualty, and specialty carriers must implement the full information security program.

Adjusters and third-party administrators — Claims adjusters, TPAs, and managing general agents that handle policyholder data fall within scope.

The model law includes limited exemptions, and they apply to the information security program requirements, not to the whole law. Most state versions exempt licensees with fewer than 10 employees (the threshold, and whether independent contractors count, vary by state), licensees already subject to HIPAA that maintain a HIPAA-compliant program (to avoid duplicate requirements), and, in some states, small entities below a gross revenue or asset threshold that the state added. Exempt licensees remain subject to the cybersecurity event investigation and notification requirements, and a licensee that stops qualifying for an exemption has a limited period (180 days in the model text) to bring itself into compliance. Check your state's adopted version to determine whether an exemption applies to your business.

Core requirements of the NAIC model law

The model law establishes several core requirements that form the backbone of a compliant information security program:

Written Information Security Program (WISP) — Licensees must develop, implement, and maintain a written program commensurate with the size and complexity of the organization, the nature and scope of its activities, and the sensitivity of the nonpublic information it holds. The program must contain administrative, technical, and physical safeguards, and the licensee must designate one or more employees, an affiliate, or an outside vendor as responsible for it.

Risk assessment — A documented risk assessment must identify reasonably foreseeable internal and external threats to the security, confidentiality, and integrity of nonpublic information, evaluate the likelihood and potential damage of those threats, and assess the adequacy of existing safeguards. It must be updated as circumstances change, and the safeguards in the program must be chosen based on its results.

Incident response plan — A written plan for responding to and recovering from cybersecurity events must cover internal escalation and roles, internal and external communications (including notification to the insurance commissioner), remediation of any identified weaknesses, documentation and reporting of events and the response to them, and periodic review of the plan itself.

Third-party service provider oversight — Licensees must exercise due diligence in selecting service providers that handle nonpublic information and require them, normally by contract, to implement appropriate administrative, technical, and physical measures. This covers cloud providers, IT managed service providers, and any vendor with access to policyholder data.

Board oversight and governance — If the licensee has a board of directors, the board or an appropriate committee must oversee the program. Executive management (or its delegates) develops and maintains the program and reports to the board in writing at least annually on its status, material cybersecurity events, and compliance. Oversight includes making sure adequate resources are allocated.

Breach notification — Under the model text, a licensee must notify its home-state (domiciliary) insurance commissioner as promptly as possible, and no later than 72 hours after determining that a cybersecurity event has occurred, when the event is reasonably likely to materially harm a consumer in that state or a material part of the licensee's operations. The commissioner of any other state must be notified within the same window when the licensee reasonably believes the event involves nonpublic information of 250 or more of that state's residents and the event is either reportable to another government or supervisory body or reasonably likely to cause such material harm. Some states have shortened the window or lowered the threshold. Notification to affected consumers follows the state's general breach notification law.

Technical safeguards and controls

While the model law is principles-based rather than prescriptive, it requires licensees to consider a list of specific security measures and implement those that the risk assessment shows are appropriate. The following controls are commonly expected:

Access controls and authentication — Restrict access to information systems and nonpublic information to authorized individuals. The model law lists multi-factor authentication for anyone accessing nonpublic information as a control to consider; in practice, regulators and carriers expect MFA at least for remote access to internal systems and for all privileged accounts.

Encryption — Encrypt, or otherwise appropriately protect, nonpublic information in transit over external networks and at rest on laptops, portable devices, and removable media. Many state versions explicitly require encryption or equivalent compensating controls for stored data.

Network security — Deploy firewalls, intrusion detection/prevention systems, and network segmentation to protect systems holding nonpublic information, and review and update those configurations regularly.

Vulnerability management — Conduct regular vulnerability assessments and penetration testing, monitor for security patches, and apply them promptly. Cyber Defense Agent's continuous external vulnerability monitoring supports the ongoing assessment requirement for internet-facing assets. Internal systems, endpoints, and user access still need to be assessed separately, because an external scan cannot see them.

Audit trails and logging — Maintain audit trails designed to detect and respond to cybersecurity events and to reconstruct material financial transactions. The model text requires records concerning cybersecurity events to be retained for at least five years; retention periods for ordinary logs vary by state, so check your state's version.

Secure disposal — Implement procedures for the secure disposal of nonpublic information in any format once it is no longer needed for business purposes, covering paper records, electronic records, and hardware that stored them.

How Cyber Defense Agent supports NAIC model law compliance

Cyber Defense Agent provides insurance agencies and producers with the technical infrastructure to meet NAIC model law requirements efficiently:

Continuous risk assessment — Our 100-tool external scan identifies weaknesses in your public-facing infrastructure, including TLS/SSL configuration, email authentication, DNS security, open ports, and exposed services. This feeds the external-threat portion of your required risk assessment. The assessment must also cover internal threats such as user access, endpoints, and internal systems, which an external scan cannot observe, so pair the scan results with an internal review.

Cyber Defense Score — Your numeric score and letter grade provide a clear, trackable metric for the written board reporting the law expects. Score trends over time give the board and regulators evidence of continuous improvement.

Framework mapping — Every scan result maps to NIST CSF 2.0 and CIS Controls, which state regulators recognize as reasonable security frameworks. This mapping simplifies demonstrating that your safeguards are appropriate to your risk profile.

Third-party monitoring — Use Cyber Defense Agent to scan the external posture of your critical vendors and service providers, supporting the due diligence and ongoing monitoring expected under third-party oversight. It complements, rather than replaces, the security requirements you must impose on those vendors by contract.

Trust page and compliance evidence — Your public-facing trust page and downloadable compliance report provide documented evidence of your security posture that you can share with carriers, regulators, and clients.

Start with a free scan at cyberdefenseagent.ai/check to identify gaps in your external security posture and begin building your compliance evidence.

Key Takeaways

The NAIC Insurance Data Security Model Law applies to all insurance licensees in states that have adopted it — agencies, brokers, producers, adjusters, and carriers.

Core requirements include a written information security program, risk assessment, incident response plan, third-party oversight, and board governance.

Most state versions exempt licensees with fewer than 10 employees from the information security program requirements, but cybersecurity event investigation and breach notification obligations still apply.

Technical safeguards including MFA, encryption, vulnerability management, and logging are expected even though the law is principles-based.

Cyber Defense Agent provides continuous external scanning and compliance evidence that maps directly to model law requirements.

Frequently asked questions

Has my state adopted the NAIC Insurance Data Security Model Law?

As of 2026, the majority of US states have adopted legislation based on or substantially similar to the NAIC model law. Notable early adopters include South Carolina (the first state, in 2018), Ohio, Michigan, Connecticut, and New Hampshire. Check with your state's Department of Insurance or visit the NAIC website for the current adoption map.

Does the NAIC model law apply to independent insurance agents?

Yes. Any person or entity licensed under state insurance law is a "licensee" subject to the model law, including independent agents and sole proprietors. Small agent exemptions may apply in your state (typically for those with fewer than 10 employees), but you should confirm the threshold with your state's adopted version.

How does the NAIC model law differ from the NYDFS Cybersecurity Regulation?

The NAIC model law was modeled on the NYDFS regulation but is less prescriptive. The NYDFS regulation applies to entities licensed by New York's Department of Financial Services (banks, insurers, and other financial services firms operating in New York) and sets specific technical requirements, such as encryption of nonpublic information, designation of a CISO, and annual penetration testing. The NAIC model law is more flexible and principles-based, letting licensees scale their programs to their size and complexity. Insurance licensees operating in New York may be subject to both.

What are the penalties for non-compliance with the NAIC model law?

Penalties vary by state because the model law sets none of its own; it leaves enforcement to each state's existing insurance code. State versions typically provide for administrative fines per violation (amounts cited in state statutes range from roughly $1,000 to $50,000), license suspension or revocation, and required corrective action plans. In practice, the most significant consequence is often reputational damage and loss of carrier appointments.

Can Cyber Defense Agent help me comply if I operate in multiple states?

Yes, for the technical core. Because the program requirements are consistent across state adoptions, Cyber Defense Agent's scanning and its mapping to NIST CSF 2.0 and CIS Controls address the technical controls every state version expects. State-specific items such as notification windows, consumer thresholds, exemptions, and annual certification deadlines still differ, so track those per state alongside the technical evidence.
