If you are a licensed insurance company, agency, broker, or third-party administrator
(TPA) in Pennsylvania, it’s time to get serious about PIDSA.
The Pennsylvania Insurance Data Security Act (PIDSA) went into effect in December 2023,
and its final mandatory requirements are rolling out through 2026. If you aren't fully prepared,
you aren't just at risk of a breach—you're at risk of losing your license.
PIDSA is designed to strengthen how the insurance industry protects sensitive customer information. It's not just a "best practice"—it's a legal mandate across the Commonwealth.
Who Has to Comply? You are fully responsible for compliance if you are:
• An insurance company or agency.
• An insurance broker or producer.
• A Third-Party Administrator (TPA).
Limited Obligations: You may have reduced requirements only if you have fewer than 10 employees, earn under $5 million in annual revenue, or hold under $10 million in assets.
To achieve full compliance, your agency must implement these seven pillars:
1- Build a Written Security Program (WISP): Create a formal, documented data security plan tailored to your specific operations.
2- Conduct a Risk Assessment: Regularly identify weak spots in your systems, software, and internal processes.
3- Have an Incident Response Plan: Develop a detailed roadmap with legal, IT, and notification steps ready for immediate action.
4- Report Breaches Fast: PA law requires reporting cybersecurity events within 5 business days.
5- Allocate Executive Oversight: Assign a "Qualified Individual" to lead your cybersecurity efforts—this can no longer be a side task.
6- Vet Your Third-Party Providers: You are responsible for your vendors. Assess their security practices and breach plans thoroughly.
7- Routinely Train Your Team: Build an ongoing culture of security to help staff avoid phishing and other cyber threats.
• Dec 11, 2024: Core Cybersecurity Program and Protections must have been in place.
• Dec 11, 2025: Vendor Oversight Program must be active.
• April 15, 2026: Deadline to submit your first annual proof of compliance report (and yearly thereafter).
The Pennsylvania Insurance Department isn't taking these deadlines lightly. Non-compliance leads to:
• Hefty Fines that can drain your agency's revenue.
• License Suspension or revocation.
• Public Exposure and loss of client trust.
• Higher Scrutiny from state regulators.
Don't wait until the April 15th deadline to find out you're missing a key document. Get a FREE PA Cybersecurity Compliance Assessment—confidential, fast, and packed with actionable insights.
You’ll walk away knowing:
• Exactly where your security risks are.
• A clear path to fix them.
• What you are missing to satisfy PIDSA auditors before it’s too late.