HCS HB 436 -- INSURANCE COMPANIES' DATA SECURITY

SPONSOR: Hardwick

COMMITTEE ACTION: Voted "Do Pass with HCS" by the Standing Committee on Insurance by a vote of 12 to 0.

The following is a summary of the House Committee Substitute for HB 436.

This bill establishes the "Insurance Data Security Act".

The bill requires licensees to implement an information security program, as defined in the bill. Each licensee must have a comprehensive information security program that is in keeping with the size and complexity of the licensee and the scope of its activities. This bill specifies data protection objectives for the programs, as well as standards for risk assessment by licensees, and measures to be implemented in the information security programs.

The bill specifies the requirements for licensees' boards of directors or executive management regarding the information security programs, and requires certain oversight of "third-party service providers", as defined in the bill. Licensees must monitor their information security programs, and adjust them as appropriate consistent with relevant changes in technology and the licensees' activities. This bill requires incident response plans as part of information security programs, as specified in the bill. Insurers domiciled in this state must annually submit, by April 15, a written statement that the insurer is in compliance with the information security program requirements of the bill, and must maintain certain documentation for inspection by the Director of the Department of Commerce and Insurance for a period of three years.

The bill also specifies procedures and standards for investigation of cybersecurity events, as well as requirements to notify regulators, consumers, other insurers, and insurance producers as specified in the bill if certain cybersecurity events occur. The Director will have authority to enforce the bill in the manner provided by law for enforcement of the insurance laws of this state.

As specified in the bill, documents and other information furnished to the Department of Commerce and Insurance will be confidential and privileged from disclosure to other parties, and persons receiving documents or information under the Director's authority in the bill will not testify in any private civil action. In order to assist in the performance of the Director's duties in the bill, the Director may receive documents and information which would otherwise be confidential and privileged, and may enter into agreements with other authorized parties. Neither the Director nor any person or entity who receives documents, materials, or other information will be permitted to:

(1) Share or otherwise release the documents, materials, or other information to a third party;

(2) Share or otherwise release the documents, materials, or other information for commercial use; or

(3) Sell cyber event or nonpublic information of any person or entity.

This bill specifies certain exceptions.

The bill contains a delayed effective date of January 1, 2026, and grants licensees additional time for the implementation of certain provisions.

This bill is similar to HB 2316 (2024).

The following is a summary of the public testimony from the committee hearing. The testimony was based on the introduced version of the bill.

PROPONENTS: Supporters say that this is a good way to make sure insurance companies are doing what they can to keep our private information safe while keeping each company's method for cybersecurity private.

Testifying in person for the bill were Representative Hardwick; Tyler Hobbs, Missouri Department of Commerce and Insurance; Arnie C. Dienoff; Hampton Williams, Missouri Insurance Coalition.

OPPONENTS: There was no opposition voiced to the committee.

Written testimony has been submitted for this bill. The full written testimony and witnesses testifying online can be found under Testimony on the bill page on the House website.