The "Cybersecurity and Accountability Act of 2025" introduces comprehensive data security standards and mandates protocols for insurance licensees to investigate cybersecurity events and report them to the Commissioner of the Department of Insurance, Securities and Banking. Licensees are required to develop a written information security program with administrative, technical, and physical safeguards appropriate to their operations. They must conduct risk assessments, implement security measures such as multi-factor authentication, and protect nonpublic information both in transit and in storage. The bill also emphasizes consumer protection and transparency by adopting nationally accepted data standards for cybersecurity.
Furthermore, the legislation stipulates that licensees must retain records of all cybersecurity incidents for at least five years and must notify the Commissioner within three business days of identifying a cybersecurity event that affects 250 or more consumers or otherwise poses significant risks. It outlines the responsibilities of reinsurers and third-party service providers in such incidents and includes provisions keeping investigation documents confidential. The bill establishes penalties for non-compliance and clarifies that it does not create a private right of action for individuals. The Commissioner is responsible for issuing the rules needed to enforce the act, which takes effect after the Mayor's approval and a Congressional review period.