​Re: Information Security Program Certification, Insurance Article §33–103 (j)(1)

Date: February 14, 2024

To: All insurers, nonprofit health service plans, health maintenance organizations, dental organizations, managed general agents, and third party administrators ​

Carriers¹ that are required to file an Information Security Program Certification² with the Insurance Commissioner must do so on or before April 15 of each year. The first certification is required on or before April 15, 2024.  

Bulletin 23-18 provided information regarding the requirements to have in place a comprehensive written information security program based on the carrier’s risk assessment and a written incident response plan designed to promptly respond to, and recover from, a cybersecurity event. Bulletin 23-18 reviewed the criteria for an exemption from the requirement to file a certification. 

The purpose of this Bulletin is to provide the method for carriers to file the required Information Security Program Certification online. The Information Security Program Certification can now be submitted via electronic form here.

This is the primary method of submitting the filing. Any questions regarding the form can be sent to Raymond Guzman, Chief of Market Analysis, Market Regulation and Professional Licensing at [email protected]. 

____________________ 

¹ See §33–101 (c)(1) 

² See §33–103 (j)(1) ​

Questions or comments on the requirement to file may be sent to Mary Kwei, Associate Commissioner, Market Regulation and Professional Licensing, Maryland Insurance Administration, 200 Saint Paul Place, Suite 2700, Baltimore, MD 21202, or call 410-468-2113, or email to [email protected]. 

____________________ 

Kathleen A. Birrane       

Comm​issioner 

____________________ 

By: Mary M. Kwei

Associate Commissioner

Market Regulation & Professional Licensing