Critical Steps Insurance Agencies Must Take for PIDSA Compliance in 2026

Pennsylvania Insurance Data Security Act (Act 2 of 2023) [PIDSA]

Insurance agencies across Pennsylvania and some that are licensed in the state have hopefully spent the last several months hearing more and more about PIDSA compliance.

PIDSA, or the Pennsylvania Insurance Data Security Act / Act 2 of 2023, is a set of cybersecurity laws and regulations designed to protect consumer information and establish security expectations for insurance organizations and insurance licensees operating within the Commonwealth.

The original April 15, 2026, deadline for annual certification has now passed for the applicable insurers domiciled in Pennsylvania, which has led many agencies, brokers, and related insurance businesses to ask a slew of questions:

  • Does PIDSA apply to us?
  • Did we miss something?
  • What documentation should we already have?
  • Does our current IT provider count as a third-party vendor?
  • What should we do now?

If your agency writes insurance business in Pennsylvania, now is the time to review your cybersecurity procedures, your vendor oversight, and your documentation heading into the next compliance cycle.

At Marvel IT Services, we specialize in working with independent insurance agencies that rely on expert knowledge in the insurance field, robust cybersecurity practices, and practical help desk support to focus on the work that really matters to their agency.

If you need help right now, skip over this article and reach us directly to set up a thorough review of your current systems, practices, and gaps.

With that, here’s what Pennsylvania insurance agencies should know moving forward in 2026.

A Quick Overview of PIDSA

Simply put, PIDSA requires insurance-related organizations to implement reasonable cybersecurity safeguards to protect nonpublic consumer information.

Specifically, this law addresses:

  • Risk assessments
  • Information security programs
  • Corporate oversight
  • Cybersecurity event response
  • Third-party service provider oversight
  • Documentation requirements

Sometimes this feels like tech-jargon, and so we often get asked, “Does PIDSA apply to my insurance agency?”

The law distinguishes a key difference between “insurers” and “licensees.”

“Insurers” are Pennsylvania-domiciled and had the April 15, 2026, certification requirement to comply with the entirety of the law.

“Licensees” are insurance-related businesses that are licensed under Pennsylvania insurance laws and may also have further obligations under the Act depending on the structure of the business and applicable exemptions. This can include organizations that work within insurance agency operations, brokerage services, policy servicing, customer record management, and any systems that handle or store nonpublic insurance data.

Because the exemptions and the applicability vary widely, agencies should review the requirements with their legal and/or compliance counsel and confirm their technical readiness with their IT team.

PIDSA affects more than just carriers. Pennsylvania insurance agencies that store or access nonpublic insurance information should have a thorough understanding of how the law impacts their workflows, cybersecurity requirements, current vendors, and all documentation.

1. Review Your Information Security Programs

One of the biggest problems that will affect PIDSA compliance is a lack of cybersecurity programs.

To build an effective, well-defined cybersecurity program for an insurance agency, several controls need to be both decided on and actually configured. A program should typically include:

  • Documented access controls
  • Password policies
  • Multi-Factor Authentication (MFA) for all critical & sensitive accounts
  • Endpoint protection
  • Secure cloud & email controls
  • Device lifecycle planning
  • Ongoing employee cybersecurity awareness

For many agencies, the biggest risk is assuming that a simple antivirus product will protect against everything and satisfy the compliance requirements.

PIDSA is broader than just antivirus. It focuses on protecting any nonpublic information through administrative, technical, and operational safeguards.

To begin to tackle the task of cybersecurity, there are a few key questions that can be asked:

  • Who can access agency systems?
  • Where is policyholder information stored?
  • What controls must someone pass through to reach sensitive information?
  • Are laptops and devices secured?
  • Are shared files protected and encrypted?
  • Is MFA turned on for all email addresses?

2. Revisit Your Risk Assessment in 2026

Cybersecurity is never meant to be a “set it and forget it” practice. Threats against insurance agencies are constantly growing and evolving, with AI-driven tooling pushing new attacks out even faster. Failing to revisit an existing risk assessment, or to obtain a new one, leaves an agency wide open to both a cyberattack and a compliance gap.

To achieve a proper risk assessment, an insurance agency should evaluate the following:

  • Email security features
  • Endpoint exposure
  • Cloud access rules
  • Remote staff access policies
  • Third-party vendor access
  • Backups
  • Password hygiene
  • Ransomware exposure

For agencies, even one compromised mailbox can expose policy documents, financial information, renewal notices, and personally identifiable customer information.

Revisiting a previous risk assessment will show which gaps were already in need of attention, but a new risk assessment will reveal the risks and compliance gaps that exist in the systems as they are today.

3. Understand PIDSA Vendor Oversight Requirements

One of the most important and often overlooked parts of PIDSA compliance is third-party vendor oversight.

New regulations require covered organizations to exercise due diligence when working with third-party service providers that access, process, or store nonpublic information on the organization’s behalf. That includes evaluating potential risk and maintaining appropriate oversight as those relationships continue.

For agencies, this means that multiple vendors must be vetted, because customer information often moves through more than one system.

Some examples of vendors that fall under this are as follows:

  • Agency management software
  • Cloud storage platforms
  • Email providers
  • VoIP or communication systems
  • Backup vendors
  • Cybersecurity vendors
  • Managed IT providers
  • Payroll or HR platforms
  • Digital document and e-signature platforms
  • Third-party insurance carrier portals or integrations

Even if your agency doesn’t directly host the data yourself, you may still be responsible for evaluating how vendors protect the information your agency handles. A helpful way to think about this is:

If a vendor can access agency systems, store customer information, or impact business operations, they should be reviewed as part of your cybersecurity program.

A review of these vendors doesn’t need to be overly complicated, but it needs to be intentional and focused. To help, here’s a few areas of concern and questioning that can guide a conversation with vendors:

  • Access & Security: Does the vendor enforce strict cybersecurity policies on its own side (e.g., MFA, administrator restrictions, and employee onboarding/offboarding procedures)?
  • Data Protection: How does the vendor store data provided to them? Is it encrypted and backed up?
  • Incident Response: What is the vendor’s response and notification process in the event of a cybersecurity incident?
  • Operational Reliability: Does the vendor schedule and undergo regular maintenance and updates?
  • Documentation & Review: Does your agency have agreements and documentation on file for each vendor? When were they last reviewed?

Insurance agencies that operate and write business in Pennsylvania need to review third-party vendors that access their systems or handle sensitive nonpublic information. From security practices to operational reliability, oversight of third-party vendors is now a part of the broader cybersecurity practices for insurance agencies with these new regulations.

4. Review Documentation Before the Next Certification Cycle

The official certification documentation provided by the Pennsylvania Insurance Department outlines, in plain legalese, what is required of any insurer domiciled within Pennsylvania that does not meet the exemption criteria found in section 4532 of the Pennsylvania Insurance Data Security Act (Act 2 of 2023). Put plainly, any insurer subject to the Act must agree to do the following for a period of 5 years:

  • Maintain compliance with sections 4512, 4513, 4514, and 4515 of the Act.
  • Keep all records, schedules, and data supporting compliance with the Act.
  • If the agency finds noncompliant or outdated areas at any point, document both the identification of the problem and the remedial efforts undertaken to fix it.
  • Keep all documentation ready for inspection by the Pennsylvania Insurance Department.

Being compliant with what’s written in the Act is not enough. Insurance agencies within Pennsylvania must also maintain crystal-clear records of everything pertaining to the Act.

5. If You’re Behind, Start With the Highest-Risk Areas

If you’ve read this far and aren’t sure where to start, we want to provide you with a quick 5-step action plan to begin to tackle this new act.

Step 1

Secure all email accounts (enable MFA if it is not already turned on).

Step 2

Review all current data backups for onsite and cloud servers.

Step 3

Review all vendor access and protocols for your nonpublic sensitive data.

Step 4

Update all endpoint protections to bolster security.

Step 5

Document all discoveries of security flaws along with all work completed to address the issues. Store this securely for the next 5 years.

This may seem like a lot to tackle today, but steady progress is what gets your agency into compliance with the new regulations. Beginning structured remediation now will be far more manageable than waiting until next spring.

Frequently Asked Questions

Q: Does PIDSA apply to insurance agencies within Pennsylvania?

A: It may, depending on licensing structure and applicable exemptions. Reviewing the Act with proper legal and/or compliance guidance can help determine if your agency is subject to the regulations.

Q: Does PIDSA require third-party vendor oversight?

A: Yes. Pennsylvania specifically requires all applicable insurers to have oversight over any third-party vendor that accesses and/or handles sensitive nonpublic data.

Q: Does my IT provider count as a third-party provider?

A: In most cases, yes. IT providers often manage systems, access sensitive data, ensure backups, or configure security tools, meaning they fall under the need for third-party oversight.

Q: Is the April 15 deadline the end of compliance?

A: No. Compliance is required year-round.

Where to Go From Here?

While there’s urgency now for insurance agencies to become compliant with PIDSA regulations, the importance of ongoing cybersecurity compliance for Pennsylvania insurance organizations continues long after April 2026.

Right now, the most important next steps are as follows:

  • Review cybersecurity controls and standards.
  • Confirm vendor oversight.
  • Strengthen documentation procedures.
  • Reduce avoidable risks.
  • Prepare early for next year… and beyond.

At Marvel IT Services, we help insurance agencies build dependable IT environments with proactive support and robust cybersecurity practices that help ensure compliance with practical guidance.

For Pennsylvania insurance agencies, that includes helping evaluate vendor access, security controls, and operational IT readiness.

If the new regulations and requirements introduced by PIDSA feel overwhelming to tackle, we’re ready to help by offering a simple, free review of your agency’s current cybersecurity environment.

Reach out to us today to set up that free review.
