Mortgage Moat

Michigan Cybersecurity Requirements

Understanding Michigan's Insurance Data Security Law and what it requires of insurers, producers, and other Department of Insurance and Financial Services (DIFS) licensees operating in the state.

Important Disclaimer

The information provided on this page is for general informational purposes only. State cybersecurity regulations are complex and subject to change. We recommend reaching out to our team to confirm you have covered all applicable requirements for Michigan operations.

Overview

Michigan has adopted an Insurance Data Security Law (Chapter 5A of the Insurance Code, MCL 500.550–500.565) that imposes cybersecurity requirements on insurers, producers, and other "licensees" regulated by the Department of Insurance and Financial Services (DIFS). The chapter closely follows the NAIC Insurance Data Security Model Law (Model #668) and requires a formal, documented information security program that is scaled to the licensee's own risk assessment rather than to a fixed checklist of controls.

Who is Covered?

  • Insurers and insurance producers licensed in Michigan
  • Any other person licensed, authorized, or registered (or required to be) under the Michigan Insurance Code; the statute calls these "licensees". Entities that DIFS regulates only under other statutes (for example, mortgage lenders and servicers) are not licensees under this chapter, although they remain subject to the GLBA Safeguards Rule and Michigan's general breach-notice law.
  • Small licensees (measured by employee count, revenue, or assets) are exempt from the written information security program requirement, but not from the duty to investigate cybersecurity events and to notify DIFS and affected consumers
  • A licensee that is an employee, agent, representative, or designee of another licensee is covered by that licensee's program and need not maintain its own; a licensee with a program that meets HIPAA's security requirements can satisfy the program requirement by certifying that in writing

Core Cybersecurity Program Expectations

Michigan's Insurance Data Security Law expects covered licensees to:

Maintain a Written Information Security Program (ISP)

  • Designed to protect the security and confidentiality of "nonpublic information": business information whose unauthorized disclosure would materially harm the licensee, consumer personal information such as a name combined with a Social Security number, driver's license number, account or card number, or biometric record, and health information
  • Commensurate with the licensee's size and complexity, the nature and scope of its activities (including its use of third-party service providers), and the sensitivity of the nonpublic information it holds

Perform Periodic Risk Assessments

  • Identify reasonably foreseeable internal and external threats
  • Assess the likelihood and potential damage of those threats
  • Evaluate the sufficiency of existing security controls

Implement Administrative, Technical, and Physical Safeguards

  • Access controls and authentication, with access to nonpublic information limited to authorized individuals
  • Secure development, change management, and application security practices for in-house and externally developed software
  • Encryption or equivalent protection of nonpublic information transmitted over external networks and stored on laptops and portable devices or media
  • Multi-factor authentication for individuals accessing nonpublic information, where the risk assessment supports it
  • Audit trails designed to detect and respond to cybersecurity events and to reconstruct material financial transactions
  • Secure disposal of nonpublic information in any format once it is no longer needed
  • Protection of nonpublic information against destruction, loss, or damage from environmental hazards and technological failures
  • Cybersecurity awareness training for personnel, updated as the risk assessment identifies new risks

Vendor / Third-Party Oversight

  • Exercise due diligence in selecting service providers
  • Require providers by contract to maintain appropriate security safeguards
  • Monitor providers' compliance as part of your risk management process

Incident Response Planning

  • Maintain a written incident response plan that covers the internal process for responding to a cybersecurity event, the goals of the plan, roles, responsibilities, and levels of decision-making authority, internal and external communications, remediation of any weaknesses identified, documentation and reporting of events, and evaluation and revision of the plan after an event

Ongoing Governance

  • Periodic updates to the ISP as threats, vulnerabilities, business operations, and technology change, including changes in third-party service provider arrangements
  • Cybersecurity risk treated as part of enterprise risk management, with responsibility for the program assigned to one or more designated employees, an affiliate, or an outside vendor
  • If the licensee has a board of directors, the board or a committee of it must require executive management to develop, implement, and maintain the program and to report in writing at least annually on its overall status, material matters, and the results of the risk assessment
  • Insurers domiciled in Michigan must also certify in writing to DIFS each year that they comply with these program requirements, and must keep the records supporting that certification available for examination

Breach Notification and Regulator Reporting

  • Covered licensees must promptly investigate any cybersecurity event that has or may have affected nonpublic information in their own systems or in a third-party service provider's systems, determine its scope and the information involved, and take reasonable measures to restore security
  • Notice to DIFS is required no later than 10 business days after determining that a cybersecurity event has occurred when either Michigan is the licensee's state of domicile (insurers) or home state (producers), or the event involves nonpublic information of 250 or more Michigan consumers and either triggers notice to a government body under another law or is reasonably likely to materially harm a consumer or a material part of the licensee's normal operations; the notice has prescribed content and must be updated as the investigation develops
  • Affected consumers are notified under Michigan's Identity Theft Protection Act (MCL 445.72), with a copy of the notice provided to the DIFS director
  • Federal requirements (for example, the GLBA Safeguards Rule or HIPAA) and other states' breach-notice laws may apply in addition, depending on the nature of the data and where consumers reside

Need Help with Michigan Compliance?

Our team helps insurers, producers, and other financial institutions understand and implement the controls needed to meet Michigan's Insurance Data Security Law requirements.
