PIDSA is designed to strengthen how the insurance industry protects sensitive customer information. It is not just a "best practice": it is a legal mandate across the Commonwealth.
Who Has to Comply? You are fully responsible for compliance if you are:
• An insurance company or agency.
• An insurance broker or producer.
• A Third-Party Administrator (TPA).
Limited Obligations: You may have reduced requirements only if you have fewer than 10 employees, earn under $5 million in annual revenue, or hold under $10 million in assets.
To achieve full compliance, your agency must implement these seven pillars:
1- Build a Written Security Program (WISP): Create a formal, documented data security plan tailored to your specific operations.
2- Conduct a Risk Assessment: Regularly identify weak spots in your systems, software, and internal processes.
3- Have an Incident Response Plan: Develop a detailed roadmap with legal, IT, and notification steps ready for immediate action.
4- Report Breaches Fast: PA law requires reporting cybersecurity events within 5 business days.
5- Allocate Executive Oversight: Assign a "Qualified Individual" to lead your cybersecurity efforts—this can no longer be a side task.
6- Vet Your Third-Party Providers: You are responsible for your vendors. Assess their security practices and breach plans thoroughly.
7- Routinely Train Your Team: Build an ongoing culture of security to help staff avoid phishing and other cyber threats.
Dec 11, 2024: Core Cybersecurity Program and Protections must have been in place.
Dec 11, 2025: Vendor Oversight Program must be active.
April 15, 2026: Deadline to submit your first annual proof of compliance report (and yearly thereafter).
The Pennsylvania Insurance Department isn't taking these deadlines lightly. Non-compliance leads to:
• Hefty fines that can drain your agency's revenue.
• License suspension or revocation.
• Public exposure and loss of client trust.
• Higher scrutiny from state regulators.
Get a clear, expert-led view of your cybersecurity and compliance posture. Motiva’s cybersecurity risk assessment identifies gaps across security controls, policies, and regulatory alignment, so agencies know exactly where they stand and what to fix first.
What’s included: