Nevada Insurance Data Security Law (SB21)

Nevada has enacted the Insurance Data Security Law (SB21) which requires certain insurance licensees to develop, implement, and maintain an information security program that meets certain requirements. These requirements include: 

• Risk Assessment: Licensees must conduct a comprehensive risk assessment to identify and assess the potential risks and vulnerabilities associated with their information systems and nonpublic information.
• Written Information Security Program: Licensees must develop and implement a written information security program (WISP) that includes:
  • Administrative safeguards: Policies and procedures for the security of nonpublic information. 
  • Technical safeguards: Security measures for access to and transmission of nonpublic information.
  • Physical safeguards: Security measures for physical access to facilities containing nonpublic information.
• Third-Party Service Provider Oversight: Licensees must establish written policies and procedures for the selection and oversight of third-party service providers.
• Incident Response Plan: Licensees must develop and implement a written incident response plan to respond to and recover from cybersecurity events. 
• Annual Certification: Certain insurers must submit an annual statement to the Commissioner of Insurance certifying their compliance with the cybersecurity requirements. 
• Data Breach Notification: In the event of a data breach, licensees must notify affected individuals and the Commissioner of Insurance.

It’s important to note that these requirements are subject to change, and insurance businesses operating in Nevada should stay updated on the latest regulations and best practices for data security.