NOTICE TO INSURANCE PROFESSIONALS CONCERNING MINNESOTA’S CYBERSECURITY LAW
Insurance producers, insurance adjusters, and a wide variety of other insurance professionals—unless they qualify for one of the exceptions listed below—must create and maintain a written information security program by Aug. 1, 2022. The Information Security Program law is contained in Minnesota Statutes §§ 60A.985–60A.9858.
The program must contain administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee's information system, and it must be designed to:
Protect the security and confidentiality of nonpublic information and the security of the information system;
Protect against any threats or hazards to the security or integrity of nonpublic information and the information system;
Protect against unauthorized access to, or use of, nonpublic information, and minimize the likelihood of harm to any consumer; and
Define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for its destruction when no longer needed.
The licensee must monitor, evaluate, and adjust, as appropriate, the information security program consistent with any relevant changes in technology, the sensitivity of its nonpublic information, internal or external threats to information, and the licensee's own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.
There are designee responsibility, risk assessment, and oversight requirements as well, which depend on the licensee’s size and management structure. These are covered in detail in Minn. Stat. § 60A.9851.
Incident response plan
As part of this information security program, the licensee must establish a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in its possession, the licensee's information systems, or the continuing functionality of any aspect of the licensee's business or operations. The incident response plan must address these areas:
The internal process for responding to a cybersecurity event
The goals of the incident response plan
The definition of clear roles, responsibilities, and levels of decision-making authority
External and internal communications and information sharing
Identification of requirements for the remediation of any identified weaknesses in information systems and associated controls
Documentation and reporting regarding cybersecurity events and related incident response activities
The evaluation and revision, as necessary, of the incident response plan following a cybersecurity event
All licensees must promptly investigate known or suspected cybersecurity events and restore the security of their information systems. Minn. Stat. § 60A.9852. Licensees must maintain the associated records for at least five years and must notify the commissioner and affected consumers when the event meets certain parameters as outlined in Minn. Stat. § 60A.9853.
Per Minn. Stat. § 60A.9856, the cybersecurity law provides several exceptions to certain requirements, including:
A licensee with fewer than 25 employees is exempt from the program and investigation requirements (but not the notification requirements).
An employee, agent, representative, or designee of a licensee, who is also a licensee, is exempt from the program and investigation requirements (but not the notification requirements) and need not develop its own information security program “to the extent that the employee, agent, representative, or designee is covered by the information security program of the other licensee.”
An employee, agent, representative, or designee of a producer licensee (as defined under section 60K.31, subdivision 6), who is also a licensee, is exempt from all requirements.