FL S1216

Requires licensed mortgage brokers, lenders, and money services businesses in Florida to develop, implement, and maintain a comprehensive written information security program with administrative, technical, and physical safeguards to protect nonpublic personal information and information systems.

Mandates licensees establish a written incident response plan addressing internal processes, roles and responsibilities, communications, remediation, and documentation for responding to and recovering from cybersecurity events.

Exempts licensees with fewer than 20 workforce members (employees and independent contractors) or fewer than 500 customers per calendar year, with a 180-day compliance window once a licensee no longer qualifies for the exemption.

Requires licensees to notify the Office of Financial Regulation of any security breach affecting 500 or more persons in Florida, promptly investigate cybersecurity events, and maintain all investigation records and the information security program for a minimum of 5 years.

Adds failure to comply with the notification requirements as grounds for disciplinary action against mortgage brokers and lenders and for cease and desist orders, license denial, suspension, or revocation for money services businesses, with an effective date of July 1, 2025.