IIA

Find out if you would pass the compliance with the Louisiana Insurance data security law (idsl) And Book your COMPLIMENTARY NO-OBLIGATION Cybersecurity Audit

At no cost or obligation, we’ll conduct a FREE Cybersecurity audit of your company’s overall network health to review and validate as many as 10 different data-loss and security loopholes.

We’ll also look for common places where security and backup get overlooked, such as mobile devices, laptops, tablets and home PCs.

This Audit can be conducted 100% remote with or without your current IT company or department knowing.

Motiva pii dfs

IDSL Cybersecurity Requirements for Licensees

In 2020 the Louisiana Legislature passed the Insurance Data Security Law (IDSL) during the 2020 Regular Session which became effective August 1, 2020. The goal of the regulation is to ensure the safeguarding of sensitive customer data and to promote the integrity of the information technology systems of regulated entities.

As a filling entity you must comply with:

  • Establish a Cybersecurity Program
  • Develop a Cybersecurity Policy
  • Include Audit Trails within the Information Security Program
  • Employee Cybersecurity Training and Monitoring
  • Limit Users Access Privileges
  • Establish Application Security Procedures
  • Perform Periodic risk assessments
  • Provide cybersecurity personnel with cybersecurity updates and training
  • Enable Multi-Factor Authentication for Information Systems
  • Enable Data Encryption and Protection
  • Establish a Incident Response Plan

All regulated entities will need to develop a cybersecurity policy and implement an incident response plan that includes a notification system for data breaches and cybersecurity events within 72 hours.

IDSL Cybersecurity Requirements are incredibly confusing, and the fines for not being compliant can be debilitating.

Motiva penalties dfs

The cybersecurity regulations do not specifically detail any potential penalties or the impact of noncompliance. Instead, the commissioner may impose a penalty pursuant to R.S. 22:18. (The normal insurance penalty statute.)

The pertinent deadlines are as follows:

  • August 1, 2021: to develop implement, and maintain a comprehensive written information security program
  • August 1, 2022: to require its third party service providers to implement measures to protect data helped by the provider
  • February 15, 2022: each insurer domiciled in Louisiana must manually submit a "Louisiana Insurance Data Security Law Information Security Program Certification Form"

Cybersecurity Regulation Exemptions

Section 22:2509 of the IDSL cybersecurity regulation contains several exemptions. Most exemptions are limited in nature and require Covered Entities to still comply with some provisions of the Regulation. If you apply for an exemption, you still have to investigate any cybersecurity events, Notify the Comissioner of a cybersecurity event and Have in place Cyber security policies and response system.

Fewer than 25 employees

You are entitled to this limited exemption when your business has fewer than 25 employees, including independent contractors. You must still design and implement a Cybersecurity program.

Less than $5M in gross annual revenue

You are entitled to this limited exemption when your business has less than $5,000,000 in gross annual revenue in each of the last 3 fiscal years. You must still design and implement a Cybersecurity program.

Less than $10M in year-end total assets

You are entitled to this limited exemption when your business has less than $10,000,000 in year-end total assets. You must still design and implement a Cybersecurity program.

Proving Compliance with IDSL

Utilizing risk assessments to benchmark and assess the posture of your cybersecurity program is essential. At the end of each year, regulated institutions need to complete an annual certification process in coordination with the board of directors to evaluate their cybersecurity program.

At the end of this process, the organization will need to provide a Certification of Compliance with Louisiana IDSL Cybersecurity Regulation.

Under IDSL, a program must coincide with best practices that support:

  • Information Security
  • Access Controls and identity management
  • Business continuity and disaster recovery planning
  • Security and Personnel Training
  • Security of information systems
  • Network Security
  • Periodic risk assessments
  • Internal reporting and auditing
  • Data Encryption and Protection
  • Threat Feed Detection
  • Incident Response Plans
  • Multi-Factor Authentication
  • Vendor/Third-Party Risk Assessments

FIND OUT IF YOU ARE IN COMPLIANCE IN UNDER 10 MINUTES