Certification of Information Security Program

Updated 01/10/22

Frequently Asked Questions

  • An information security program is the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information.

    Your information security program must be in writing and commensurate with the size and complexity of your operation and the nature and scope of your activity. This includes your use of third-party service providers and the sensitivity of the nonpublic information used by you or in your possession, custody, or control. Please see MCL 500.555 for a detailed description of what is required in your information security program.

  • If you are an insurer who is domiciled in Michigan, then you must submit a written statement to the Department of Insurance and Financial Services certifying that your information security program is in compliance with the requirements of MCL 500.555 utilizing FIS 2360: Information Security Program Annual Certification. You are exempt from certifying your information security program if you meet any of the following conditions:

    (A) You have fewer than twenty-five employees; independent contractors are included in this count.

    (B) You are subject to and in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191.

  • Starting in 2022, all insurers who are required to certify their information security program must do so by February 15 of each year. If you were an insurer who was previously exempt due to having fewer than twenty-five employees (including independent contractors) but increase your number of employees to twenty-five or more employees, you have 180 days to certify that your information security program is in compliance with Michigan's requirements.