Mich. Comp. Laws §§ 500.550 – .565

| Type of Data Covered | Deadline for Government Notification | Government Notice Requirement |
| --- | --- | --- |
| Electronic | Within ten (10) business days after determining a cybersecurity event has occurred. | Notification to the Michigan Director of the Department of Insurance and Financial Services is required after determining that a cybersecurity event has occurred. |
Subject Entities | Applies to any licensed insurer or producer, and other persons licensed or required to be licensed, authorized, or registered, or holding or required to hold a certificate of authority under Michigan’s Insurance Code. A licensee is exempt from certain sections if it meets any of the following requirements:
Does not apply to a purchasing group or a risk retention group chartered and licensed in a state other than this state, or to a person that is acting as an assuming insurer that is domiciled in another state or jurisdiction.

Security Standard under the Insurance Data Security Law | Must develop, implement, and maintain a comprehensive written information security plan that:

Type of Data Covered | Electronic

Definitions | A “Cybersecurity Event” means an event that results in unauthorized access to and acquisition of, or disruption or misuse of, an information system or nonpublic information stored on an information system.
Cybersecurity event does not include either of the following:
“Nonpublic information” means electronic information that is not publicly available information and is any of the following:

Methods of Compliance | Written Information Security Plan requirements:
Risk Assessment requirements:
Based on the risk assessment, a subject entity must:
Incident Response Plan requirements:
Regarding third-party service providers, a subject entity must:
If a subject entity has a board of directors, the board or an appropriate committee of the board shall, at a minimum:
Government Notice Requirements | Subject entities must notify the Director of the Michigan Department of Insurance and Financial Services without unreasonable delay, but in no event later than ten (10) business days from a determination that a cybersecurity event involving nonpublic information in the possession of the subject entity has occurred, when either of the following has occurred:
Additional Government Reporting | An insurer domiciled in Michigan must submit a written statement by February 15 every year certifying its compliance with the required information security standards. It must maintain for examination all records, schedules, and data supporting the certificate for a period of five years. If a Michigan-domiciled insurer identifies areas, systems, or processes that require material improvement, update, or redesign, the subject entity shall document the identification and the remedial efforts planned and underway to address the areas, systems, or processes. The documentation shall be made available for inspection by the Director.
Last updated: January 2024