MO| Bulletin 26-01, issued by the Missouri Department of Commerce and Insurance explains implementation of Missouri’s Insurance Data Security Act, effective January 1, 2026, including how and when regulated licensees must report cybersecurity events, how third‑party service provider breaches are handled, and which regulated entities are excluded from the Act’s “licensee” definition.
Key Points:
- Licensees must report qualifying cybersecurity events to the Director using a designated electronic notification form, update prior reports for material changes, and are urged to review statutory definitions and exclusions before reporting.
- Cybersecurity events affecting third‑party service providers that handle nonpublic information for a licensee are treated as the licensee’s own events, triggering the same reporting duties and timing requirements to the Director.
- Certain regulated entities (e.g., HMOs, HSCs, captive insurers, Missouri mutuals, some associations, and specified service contract providers) are not considered “licensees” under the Act, and the phrase “those terms” in the reporting trigger refers only to “home state” and “producer,” not “insurer.”