Insurance Data Security Act – All Companies
All insurers should check on the status of their state’s (state of domicile) progress on adopting the NAIC’s Data Security Model Law into their state laws and the provisions adopted and possible exemptions provided in your state. For Wisconsin domiciled companies, the Wisconsin Insurance Data Security Law (Act 73) was signed into law by Governor Evers on July 15, 2021. The Act establishes requirements to provide data security to protect nonpublic information for licensees regulated by the Wisconsin Office of the Commissioner of Insurance (OCI), which includes insurance companies, agents, and public adjusters.
The Act dictates that licensees take preventative measures to address the potential for cybersecurity events through risk assessment procedures, implementing an Information Security Program (ISP), developing an incident responses plan, and providing immediate notifications of any cybersecurity events to the OCI (within 3 days). Reporting to the OCI is required if either: (1) the information breached has a reasonable likelihood of causing material harm to a consumer or normal operations of the entity; or (2) if the breach involves nonpublic information of at least 250 Wisconsin residents and; (1) there is a reasonable likelihood of harm to consumers or the entity’s operation, or (2) the licensee is required to report the event to another government body by state or federal law. Licensees are obligated to notify both consumers and producers of record within a “reasonable” time, but no later than 45 days after receiving knowledge that a breach has occurred.
Licensees are also obligated to notify the OCI of breaches involving third-party service providers within 3 days after receiving knowledge that a breach has occurred at the third party.
There are some exemptions to the law, including organizations that are already obligated to comply with other data security regulations. In addition, any entities that have any of the following criteria are not required to establish an ISP, but are obligated to report any cybersecurity event: less than $10M in total assets, less than $5M in gross premium/revenue, or less than 50 employees.
The Act is effective on November 1, 2021, in Wisconsin, but licensees have until November 1, 2022, to conduct a risk assessment and develop and implement their ISP, and have until November 1, 2023 to establish a 3rd Party compliance program. The Act includes specific requirements for the ISP, but the ISP should be tailored to each entity. An annual certification must be made to the Insurance Commissioner no later than March 1st, with the first certification due by March 1, 2023. More information on the procedure for providing the annual certification will be provided by the OCI in the future.
Through August 2021, the following states have adopted data security regulations using the NAIC Data Security Model Law as a base: Alabama, Connecticut, Delaware, Hawaii, Indiana, Iowa, Louisiana, Maine, Michigan, Minnesota, Mississippi, New Hampshire, North Dakota, Ohio, South Carolina, Tennessee, Virginia and Wisconsin. For more information for Wisconsin, see 2021 Act 73 and this OCI bulletin.
Group Capital Calculation – All Company Groups
In December 2020, the NAIC adopted the Group Capital Calculation (GCC) template, instructions, and proposed revisions to the Insurance Holding Company System Act. The purpose of the GCC is a filing requirement for insurance groups to help regulators evaluate solvency at the group level. State legislatures and insurance departments must adopt the holding company system revisions with the hope of having the GCC in place for year-end 2022.
Insurer groups should review the GCC template and instructions to become familiar with them, and consider the following:
The GCC Instructions, Q&A, and draft Template can be found here.
New Look for 2021 Audit Reports
This may seem like lackluster news, but in the world of accountants and auditors, it is extremely exciting! For 2021 audit reports – the audit opinion letters included in your audited financial statements – the wording and format of the audit opinion will be modified. Statements on Auditing Standards Number 134 (SAS 134) issued by the AICPA’s Auditing Standards Board has updated the auditor opinion letter to move the auditor’s opinion to the beginning of the letter, and adopted wording intended to increase transparency into the basis for the auditor’s opinion, as well as the responsibilities of both the auditors and entity management. Some of these exciting changes include:
Please look for the new and improved audit report in your 2021 audited financial statements!
Strohm Ballweg New Employees and Promotions
SB is excited to announce a few new additions to the team! We welcome (back) Evan Oppermann, who has interned with us for the past couple of years and is a recent graduate of Edgewood College, as a Staff Accountant. John Vose also joined us in September as part of our team serving Municipal Property Insurance Company and has more than 35 years of personal and commercial insurance experience. Last but not least, Aimee Kent recently came on board as a Senior Accountant to assist with compilation engagements and quarterly filings. Welcome all!
Effective September 1st, Hannah Langworthy, CPA and Ashley Perales, CPA were promoted to Senior Accountants (pictured below, left to right). Congratulations on these well-deserved promotions, which recognize and reward their dedicated and capable service to our clients!