In 2023, Pennsylvania joined the growing number of states enacting the National Association of Insurance Commissioners' (NAIC) Model Law on Insurance Data Security. Going into effect in December, but with a staggered implementation, the law first required covered insurance companies and "licensees" (i.e., any person or organization required to have a license to engage in the business of insurance) to investigate and report cybersecurity events to the insurance commissioner. On Dec. 11, 2024 (just four months away), the second phase of the law goes into effect, which requires licensees to undertake detailed risk assessments, design and implement comprehensive and written cybersecurity programs, and, for some organizations, publicly certify compliance with the law. If your organization (or your client) has not yet begun preparing to satisfy the requirements of this phase, time is now of the essence to undertake these steps and build a record of affirmative evidence showing compliance.