The "Cybersecurity and Accountability Act of 2025" introduces comprehensive standards for data security and mandates protocols for insurance licensees to investigate and report cybersecurity events to the Commissioner of the Department of Insurance, Securities and Banking. Licensees are required to develop a written information security program that includes administrative, technical, and physical safeguards appropriate to their operational size and complexity. The bill also stipulates that licensees conduct risk assessments, implement security measures like multi-factor authentication, and protect nonpublic information during transmission and storage.

Furthermore, the legislation outlines the procedures for investigating cybersecurity incidents, requiring licensees to promptly assess the nature and scope of any event and to maintain records for at least five years. It emphasizes consumer protection and transparency, aligning local practices with national cybersecurity standards. Licensees must notify the Commissioner within three business days of identifying a cybersecurity event affecting 250 or more consumers or posing significant risks. The bill also addresses the responsibilities of reinsurers and third-party service providers, ensures confidentiality of investigation documents, and establishes penalties for non-compliance, with fines reaching up to $1,000 per day, capped at $25,000.