American Association of State Compensation insurance Fund
Canada and USAFind a Member
North America Map Yukon British Columbia Alberta Saskatchewan Manitoba Ontario New Brunswick Prince Edward Island Nova Scotia Maine Washington Oregon Idaho Montana Wyoming North Dakota Minnesota New York Rhode Island California Utah Colorado Missouri Kentucky Ohio Pennsylvania Maryland Arizona New Mexico Oklahoma Texas Louisiana South Carolina Hawaii

Magnifying GlassSelect a state or province from the map above to get primary contact and web information for any
member fund.

CopperPoint Mutual Insurance Company
Phone: (602) 631-2000
Address: 3030 North Third Street
Phoenix, AZ   85012

State Compensation Insurance Fund
Address: 333 Bush Street
Suite 800
San Francisco, CA   94104

Pinnacol Assurance
Phone: (303) 361-4000
Address: 7501 East Lowry Boulevard
Suite 800
Denver, CO   80230-7006

Hawaii Employers' Mutual Insurance Co. Inc.
Phone: (808) 524-3642
Address: 1100 Alakea Street
Suite 1400
Honolulu, HI   96813

Idaho State Insurance Fund
Phone: (208) 332-2100
Address: 1215 West State Street
P.O. Box 83720
Boise, ID   83720-0044

Kentucky Employers Mutual Insurance
Phone: (859) 425-7800
Address: 250 West Main Street Suite 900
P.O. Box 83720
Lexington, KY   40507-1724

Louisiana Workers' Compensation Corporation
Phone: (225) 924-7788
Address: 2237 South Acadian Thruway
P.O. Box 83720
Baton Rouge, LA   70808

Maine Employers Mutual Insurance Company (MEMIC)
Phone: (207) 791-3300
Address: 261 Commercial Street
P.O. Box 11409
Portland, ME   04104

Chesapeake Employers’ Insurance Company
Phone: (410) 494-2000
Address: 8722 Loch Raven Boulevard
P.O. Box 11409
Towson, MD   21286-2235

SFM Mutual Insurance Company
Phone: (952) 838-4200
Address: 3500 American Boulevard West Suite 700
P.O. Box 11409
Bloomington, MN   55431-4434

Missouri Employers Mutual Insurance
Phone: (800) 442-0590
Address: 101 N Keene St
P.O. Box 11409
Columbia, MO   65201

Montana State Fund
Phone: (406) 495-5015
Address: 855 Front Street
P.O. Box 4759
Helena, MT   59604-4759

New Mexico Mutual Group
Phone: (505) 345-7260
Address: 3900 Singer Boulevard NE
P.O. Box 4759
Albuquerque, NM   87109

New York State Insurance Fund
Phone: (212) 312-7001
Address: 199 Church Street
P.O. Box 4759
New York, NY   10007

Workforce Safety and Insurance
Phone: (701) 328-3800
Address: 1600 East Century Avenue Suite 1
P.O. Box 4759
Bismarck, ND   58506-5585

Ohio Bureau of Workers Compensation
Phone: (800) 644-6292
Address: 30 West Spring Street
P.O. Box 4759
Columbus, OH   43215-2256

CompSource Mutual Insurance Company
Phone: (405) 232-7663
Address: 1901 North Walnut Ave.
P.O. Box 53505
Oklahoma City, OK   73152-3505

State Accident Insurance Fund (SAIF)
Phone: (503) 373-8000
Address: 400 High Street SE
P.O. Box 53505
Salem, OR   97312-1000

Pennsylvania State Workers Insurance Fund
Phone: (570) 963-4635
Address: 100 Lackawanna Avenue
P.O. Box 5100
Scranton, PA   18505-5100

Beacon Mutual Insurance Company
Phone: (401) 825-2667
Address: One Beacon Centre
P.O. Box 5100
Warwick, RI   02886-1378

South Carolina State Accident Fund
Phone: (803) 896-5800
Address: P.O. Box 102100
P.O. Box 5100
Columbia, SC   29221-5000

Texas Mutual Insurance Company
Phone: (800) 859-5995
Address: 6210 East Highway 290
P.O. Box 5100
Austin, TX   78723-1098

Workers Compensation Fund
Phone: (800) 446-2667
Address: 100 West Towne Ridge Parkway
P.O. Box 2227
Sandy, UT   84070

Washington Department of Labor and Industries
Phone: (360) 902-5800
Address: P.O. Box 44001
P.O. Box 2227
Olympia, WA   98504-4001

Wyoming Division of Workers Safety & Compensation
Phone: (307) 777-7159
Address: Cheyenne Business Center
1510 East Pershing Boulevard
Cheyenne, WY   82002

Workers Compensation Board - Alberta
Phone: (780) 498-3999
Address: 9925-107 Street
P.O. Box 2415
Edmonton, AB   T5J 2S5

Workers Compensation Board of British Columbia (WORKSAFEBC)
Phone: (604) 273-2266
Address: P.O. Box 5350 Station Terminal
P.O. Box 2415
Vancouver, BC   V6B 5L5

Manitoba Workers Compensation Board
Phone: (204) 954-4321
Address: 333 Broadway
P.O. Box 2415
Winnipeg, MB   R3C 4W3

Phone: (506) 632-2200
Address: 1 Portland Street
P.O. Box 160
Saint John, NB   E2L 3X9

Workers Compensation Board of Nova Scotia
Phone: (902) 491-8999
Address: 5668 South Street
P.O. Box 1150
Halifax, NS   B3J 2Y2

Prince Edward Island Workers Compensation Board
Phone: (902) 368-5680
Address: 14 Weymouth Street
P.O. Box 1150
Charlottetown, PE   C1A 7L7

Saskatchewan Workers Compensation Board
Phone: (306) 787-4370
Address: 200 - 1881 Scarth Street
P.O. Box 1150
Regina, SK   S4P 4L1

Puerto Rico State Insurance Fund Corporation
Phone: (787) 793-5959
Address: G.P.O. Box 365028
P.O. Box 1150
San Juan, PR   00936-5028
Tools for Members

Member Home

Member Connection: A member-only forum where you can post questions and ideas.

Stat Book: A highly functional analytical tool that provides valuable comparative benchmarking results from among our members who participate.

Online Directory: Get connected with your counterparts through this comprehensive list of AASCIF members with updated phone number, email and website information.

Associate Member Lookup

Latest Newsletter

Is Your Data Protected? Prepare Now for the NAIC Data Security Model

By Danielle N. Kopf, CFSA, CRMA, Internal Audit Manager, Beacon Mutual Insurance Company

It’s nearly impossible to turn on the nightly news without a report of a security breach. We are all well versed in the risks associated with holding and maintaining an individual’s personal nonpublic information. Insurance carriers, and their third-party service providers, hold a great deal of this sensitive information. Over the years, there have been countless laws, regulations, and best practices established to mitigate the risk of having this type of information. The National Association of Insurance Commissioners (NAIC) is following suit.

Insurance regulators from seven states (California, Florida, Illinois, Maine, New York, Rhode Island, and Texas) formed a task force to draft the Insurance Data Security Model Law on behalf of the NAIC. This model law sets forth data security standards and obligations regarding the investigation of a cybersecurity event, as well as notification of such an event to the state insurance commissioner. A version of this model law has already passed in South Carolina, Ohio, and Michigan and is expected to be introduced in more states in 2019 and beyond. Important to note, in certain states, if the licensee is already in compliance with New York regulation Cybersecurity Requirements for Financial Services Companies (effective March 1, 2017), the licensee is deemed to be in compliance with this model law.

The model law sets forth the definition of a cybersecurity event to be an event resulting in unauthorized access to or disruption or misuse of an information system or information stored on such information system. Exempt from this law is the unauthorized acquisition of encrypted nonpublic information if the encryption key is not also acquired, released, or used without authorization. Similarly, if the licensee determines that the nonpublic information accessed by an unauthorized individual has not been used or released and has been returned or destroyed, this event is also exempt from the model law.

What’s different in this model law compared to others? There are several things to be aware of and to prepare for, including the requirement to regularly conduct a cybersecurity risk assessment, management and testing of third-party service provider access, employee training on emerging threats, data classification procedures and board of director oversight. Third-party service providers may also be required to implement appropriate administrative, technical and physical measures to protect and secure the information systems storing this nonpublic information.

This model law will require licensees to perform a cybersecurity risk assessment to identify “reasonably foreseeable” internal and/or external threats to the licensee’s information systems AND any nonpublic information held by or accessible by third-party service providers, and include such in the Enterprise Risk Management risk register. Utilizing the information gained in the cybersecurity risk assessment, licensees will be required to implement a written Information Security Plan (ISP), including an incident response plan. The model law outlines specific objectives that the licensee should include in the written ISP, which includes a periodic reevaluation of the record retention schedule of nonpublic information and the safe destruction of such information. Nonpublic information should only be held on to for as long as it serves a business purpose; it must then be destroyed in a secure manner.

Just like other risks identified by organizations, mitigating controls must be implemented to reduce that risk to an acceptable level. Controls over the security of nonpublic information can include such safeguards as multifactor authentication, encryption, physical security restrictions, audit trails, and regular intrusion detection tests. These controls should not be the “set it and forget it” type. Staying informed of emerging threats and vulnerabilities and appropriately implementing control activities is required. Also required is providing training to employees on newly identified risks.

In the unfortunate situation of an event, notification to the commissioner must occur within 72 hours once determination has been made that such an event has occurred. In addition to the commissioner, the licensee is obligated to notify the consumers impacted and any producers of record. If there is a cybersecurity event at a third-party service provider, the licensee must require the same actions of the third-party service provider.

Proper governance controls over the written ISP include annual updates (at a minimum) to the board of directors or a designated subcommittee, informing them of material matters related to the ISP, including risk assessments, risk management, and control effectiveness. Lastly, the licensee will be required to certify compliance annually to the domiciliary state insurance commissioner.

In summary, the NAIC and state insurance regulators will be taking a hard look at the cybersecurity risk assessments and the corresponding mitigating controls put in place to protect a consumer’s nonpublic information as well as an entity’s own sensitive business information. Not only will you be required to protect this information contained within your information systems but also the third- party service providers with access to your systems and data.



Home | Contact | Site Map