The web Browser you are currently using is unsupported, and some features of this site may not work as intended. Please update to a modern browser such as Chrome, Firefox or Edge to experience all features Michigan.gov has to offer.
Who is required to report a cybersecurity event to the Department of Insurance and Financial Services?
Any licensee who meets one of the following criteria:
(A) The licensee is an insurer and is domiciled in Michigan, or the licensee is a producer whose home state is Michigan. Also, the cybersecurity event has a reasonable likelihood of materially harming either one or more Michigan consumers or any material part of a normal operation of the licensee.
(B) The licensee reasonably believes that the nonpublic information affects 250 or more Michigan consumers and is either of the following:
(1) A cybersecurity event impacting the licensee of which notice is required to be provided to any government body, self-regulatory agency, or other supervisory body under any state or federal law.
(2) A cybersecurity event that has a reasonable likelihood of materially harming either any Michigan consumer or any material part of the normal operation of the licensee.
Licensees shall notify the Director promptly, but no later than 10 business days, after a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred.