Insurance Agencies · Free Template

The NAIC Model Law WISP template every agency needs.

A written information security programme (WISP) aligned to the NAIC Insurance Data Security Model Law — drafted in plain English, ready to fill in, sign, and file with your annual certification. Built for independent agencies, MGAs, and wholesale brokers.

What's inside

Ten sections — one for each NAIC Model Law requirement.

Each section explains what the Model Law requires, gives you template language to adapt, and lists the evidence examiners and E&O carriers expect to see. Sign at the bottom, file it with your annual certification, and refresh every twelve months.

  1. Information Security Programme Overview
  2. Designated Qualified Individual
  3. Annual Written Risk Assessment
  4. Access Controls & Identity Management
  5. Encryption of Non-Public Information
  6. Multi-Factor Authentication
  7. Third-Party Service Provider Oversight
  8. Cybersecurity Event Investigation & 72-Hour Notification
  9. Cybersecurity Awareness Training
  10. Annual Certification to the Commissioner

The template is a printable web document. Use your browser's Print → Save as PDF to keep an offline copy.

Why this matters

The regulator checks. The carriers check. The buyer of your agency will check.

Adoption is accelerating

More than 25 states have adopted the NAIC Insurance Data Security Model Law — and the list keeps growing. Once your state adopts, you typically have 12 months to comply and 24 months to bring third-party vendors into line.

E&O carriers check first

Cyber and professional-liability questionnaires now ask whether the agency maintains a written WISP, MFA on carrier portals, and a tested incident response plan. Misrepresent any of it and the claim can be denied.

Annual certification has teeth

Most NAIC-adopted states require an annual written certification to the insurance commissioner. A WISP you can't produce on demand is the most common gap regulators find.

Want the controls behind the template?

Kapacyber runs the day-to-day security operations behind every section of this WISP — MFA on your AMS and every carrier portal, EDR on every device, 24/7 monitoring, agency-specific BEC training, and a pre-built 72-hour notification workflow.