Insurance companies face state-level regulatory requirements in addition to federal frameworks. The NAIC Insurance Data Security Model Law has been adopted by many states. Cyber insurance underwriters increasingly require SOC 2 or ISO 27001 from policyholders. Insurtech startups face the same compliance pressure as fintech -- SOC 2 is expected by enterprise partners. HIPAA applies to health insurance. GDPR and state privacy laws apply to policyholder data.