North Dakota Insurance Bulletin 2025-1 establishes updated requirements for insurance licensees regarding data security and cybersecurity event reporting, effective August 1, 2025, under NDCC 26.1-02.2 and SB 2088. Licensees—including insurers, producers, TPAs, MGAs, and other entities—must implement a written Information Security Program, promptly investigate potential cybersecurity events, and notify the Insurance Commissioner within three business days if certain thresholds are met. HIPAA-covered entities are generally exempt from some requirements but must still comply with breach notification to the Commissioner.
Key Points
- All licensees must implement, monitor, and update an Information Security Program, including risk assessment and third-party diligence; smaller entities (under $5M revenue or $10M assets) may tailor programs to their scale.
- Cybersecurity events must be investigated immediately, documented for at least five years, and reported to the Commissioner within three business days if North Dakota residents or 250+ consumers are impacted.
- HIPAA-covered licensees may be exempt from certain provisions but remain subject to event notification requirements; guidance is available from the Insurance Department.