The Missouri Department of Commerce & Insurance published a bulletin announcing the enactment of the Insurance Data Security Act during the 2025 First Regular Session. The act is effective from January1, 2026.

The Insurance Data Security Act requires insurers to notify the Director of Insurance when certain cybersecurity events have occurred. An electronic notification form can be found on the Department website here.

Licensees must also report to the Director about cybersecurity events that involve a third-party service provider. The Department defines a third-party service provider as a person, not otherwise defined as a licensee, that contracts with a licensee to maintain, process, store, or otherwise is permitted access to nonpublic information through its provision of services to the licensee.