Mapping of NYDFS Cybersecurity Regulations to NAIC Insurance Data Security Model Law

Posted on October 10, 2017

The cybersecurity threats posed to electronic data are ever-growing. Cybercriminals can cause significant losses for regulated entities as well as for consumers whose private information may be exposed. Insurance companies and other organizations regulated by the New York State Department of Financial Services (NYDFS) are subject to the NYDFS cybersecurity regulation (23 NYCRR 500, Cybersecurity Requirements for Financial Services Companies) as of March 1, 2017. This regulation is the first of its kind.

On August 8, 2017, the NAIC Cybersecurity (EX) Working Group followed with the adoption of its Insurance Data Security Model Law. The model law’s purpose is to establish standards for data security and for the investigation of and notification to the Commissioner of a cybersecurity event. Companies compliant with the NYDFS cybersecurity regulation are considered in compliance with the NAIC Insurance Data Security Model Law.

Johnson Lambert has developed a white paper that maps the NYDFS cybersecurity regulation to the NAIC Insurance Data Security Model Law. Download the printable white paper here.

Questions? Contact the author of this white paper, Kim Mobley, CPA, CISA, Partner, at