On December 3, 2017, the National Association of Insurance Commissioners (“NAIC”) Cybersecurity (EX) Working Group met and noted that the U.S. Department of the Treasury has recommended that states nationwide work to implement NAIC’s recently adopted Insurance Data Security Model Law (“Model Law”). The full text of the Model Law is available at NAIC.org. The Model Law sets standards and best practices for insurers to follow as they safeguard consumers’ data, and it closely follows the New York State Department of Financial Services (“NYDFS”) Cybersecurity Regulation, 23 NYCRR 500, which was adopted earlier this year and applies to those regulated or licensed under New York insurance, banking or finance laws. In short, those in the insurance industry need to take action to develop cybersecurity programs and procedures.
What is NAIC?
NAIC is composed of insurance regulators from each of the 50 states, the District of Columbia and five U.S. territories. Although NAIC’s membership is made up of state insurance regulators, NAIC itself is a non-governmental organization that works to establish a comprehensive and coordinated set of nationwide standards for insurance regulatory matters and best practices to be adopted or implemented by individual state insurance regulators suitable to their own state’s needs. Thus, NAIC’s adoption of the Model Law signals that state insurance regulators nationwide are taking cyberthreats seriously and expecting that industry participants will take appropriate measures to safeguard consumers’ data.
Development of the Model Law
In 2014, NAIC established its Cybersecurity Task Force in response to the types of information stored by insurance companies. In 2016, the Cybersecurity Task Force began drafting the Model Law to establish uniform data security standards for the insurance sector. Several versions of the Model Law proceeded through the NAIC Innovation and Technology (EX) Task Force and the Cybersecurity (EX) Working Group. Ultimately, in October 2017, NAIC adopted the Insurance Data Security Model Law to create information security standards for the insurance sector.
While NAIC’s Cybersecurity Task Force was developing the Model Law, NYDFS was developing its own cybersecurity regulation, which was adopted in March 2017. The NYDFS Cybersecurity Regulation requires, in part, that those regulated by New York’s banking, finance and insurance laws implement and maintain a robust cybersecurity program, including incident response policies, cybersecurity personnel, cyber risk assessments, relevant cybersecurity training and compliance with reporting obligations in the wake of a data security incident. Because NYDFS is responsible for supervising all insurance companies that do business in New York, many insurance companies that have already begun to comply with the NYDFS Cybersecurity Regulation have a head start on adopting the policies and practices promoted under NAIC’s Model Law.
Key Features of the Model Law
The Model Law is directed to insurers, brokers and other state-regulated entities, and it promotes the maintenance of an information security program based on ongoing risk assessment, oversight of third-party service providers, investigations of data breaches and notification to regulators in the event of a cybersecurity incident. State legislatures can now choose to adopt and implement the Model Law in its entirety or to tailor its provisions to the individual needs of a particular state’s insurance market.
Those in the insurance industry should be familiar with the NAIC Model Law and the NYDFS Cybersecurity Regulation. Policies concerning data security and privacy should be in place and, among other things, contracts with third-party vendors that maintain protected information and other data (e.g., IT service providers, data storage and cloud providers) should be reviewed. Insurance industry participants should engage advisors experienced in this space and take meaningful steps now to comply with the new standards within the industry.