| Update Applicable to: | Effective Date |
| All Licensees Under Missouri Insurance Law, Including Insurers and Producers, Except for Those Explicitly Exempted | January 1, 2026 Security Program Requirements: January 1, 2027 Third Party Service Provider: January 1, 2028 |
What happened?
On July 2, 2025, Missouri Governor Mike Kehoe signed House Bill 974 into law, establishing new cybersecurity and data protection standards for the insurance industry.
Overview:
The law applies to entities that are or must be licensed, authorized, or registered under Missouri’s insurance laws, with limited exemptions for small businesses and entities already governed by federal data security laws.
- The legislation introduces the Insurance Data Security Act, which requires insurers and other licensees to implement comprehensive written information security programs.
- These programs must be based on risk assessments and include administrative, technical, and physical safeguards, employee training, and incident response plans.
- Licensees must investigate cybersecurity events and notify the Missouri Department of Commerce and Insurance within four business days if the event could significantly impact consumers or operations.
Employer Responsibilities Include:
- Developing a tailored security program.
- Training staff on cybersecurity awareness.
- Overseeing third-party vendors’ data practices.
- Reporting breaches and maintaining incident records for three years.
- Submitting annual compliance certifications.
The law grants the Department of Commerce and Insurance authority to investigate violations, enforce compliance, and issue penalties.
Source References
- Missouri HB 974 – Establishes provisions relating to insurance for certain uses of motor vehicles
Need help understanding how changes to employment laws will affect your business?
Learn more about how Vensure's Missouri PEO services can help you navigate complex employment laws and keep your business compliant.
This communication is intended solely for the purpose of conveying information. The present post might incorporate hyperlinks directing readers to websites managed by third-party entities. The inclusion of any links within this communication is meant to serve as points of reference and could encompass opinion articles from various law firms, articles from HR associations, official websites, news releases, and documents of government agencies, and other relevant third-party sources. Vensure has no authority over these external websites and bears no responsibility for their content. Furthermore, Vensure does not endorse the materials present on these websites. The contents of this communication should not be interpreted as legal advice or as a legal standpoint concerning specific facts or scenarios. Nor should it be deemed an exhaustive compilation of facts potentially pertinent to federal, state, or local laws. It is strongly advised that employers solicit legal guidance from an employment attorney when undertaking actions in response to any legal updates provided. This is due to the possibility of future alterations occurring in federal, state, and local laws, regulations, as well as the directives and guidelines issued by governing agencies. These changes may transpire at any given time, potentially rendering certain portions of the content within this update void or inaccurate.
