Skip to main content

Cybersecurity Event and Attestation Update Notification

Michigan Insurance Data Security Law: Public Act 690 of 2018 added Chapter 5A, MCL 500.550 to 500.565, to the Insurance Code of 1956. This act was effective January 20, 2021 with certain requirements not required for one or two years after that date. MCL 500.565.

  • Effective January 20, 2021: Pursuant to MCL 500.559, all licensees (includes insurers) are required to notify the Director as promptly as possible, but not later than 10 business days, after determining a cybersecurity event occurred involving nonpublic information in the licensee's possession if criteria listed under MCL 500.559(1)(a) or (b) applies. Licensees should utilize form FIS 2359: Notice of Cybersecurity Event. Please note that licensees have a continuing obligation to update and supplement this form regarding material changes to information previously provided relating to the cybersecurity event. Submission of the form and supplemental information should be submitted to DIFS-Cybersecurityforms@Michigan.gov.
  • Due February 15 of each year (beginning February 15, 2022): Pursuant to MCL 500.555(9), each licensee that is an insurer domiciled in Michigan shall submit to the Director a written statement certifying that the insurer is in compliance with the requirements under MCL 500.555, unless an exception applies to the insurer. For certification, an insurer domiciled in Michigan should utilize FIS 2360: Information Security Program Annual Certification. If an exception applies, an insurer domiciled in Michigan should utilize Form FIS 2378 Domestic Insurer Exemption Certification. Each insurer domiciled in Michigan MUST submit either the FIS 2360 or FIS 2378 annually. The completed applicable form may be submitted electronically to DIFS-Cybersecurityforms@Michigan.gov.