Impact of NAIC’s Insurance Data Security Model Law
Over the past decade, cybersecurity has led our news headlines. It seems that every few months a new cybercrime occurs, leaving companies with a tarnished reputation and customers’ data compromised.
The financial sector is particularly vulnerable to cyberattacks because of the large amount of personally identifiable information (PII) they must store to do business. Regulators realize this and are working to create legislation to protect customers’ data. New York was first to pass cybersecurity specific legislation with NYDFS (New York Department of Financial Service) 23 NYCRR Part 500.
NYDFS’s Cybersecurity Regulation outlines cybersecurity requirements for insurance companies licensed in New York. Requirements of this legislation include: implementing a detailed cybersecurity plan, comprehensive cybersecurity policy, and an ongoing reporting system for cybersecurity events. In addition, companies were required to designate a Chief Information Security Officer (CISO). These regulations were released on February 16, 2017, went into effect March 1, 2017, and included transition periods for compliance.
The NAIC Insurance Data Security Model Law
In October 2017, the NAIC full membership adopted its Insurance Data Security Model Law. The Model Law’s purpose is to establish standards for data security and for the investigation of and notification to the Commissioner of a cybersecurity event.
The Model Law and NYDFS have the same mission: to protect consumers and markets from fraud. Therefore, the Model Law states companies compliant with the NYDFS cybersecurity regulation are considered in compliance with the NAIC Insurance Data Security Model Law. However, certain exemptions included in New York’s cybersecurity regulation differ from those of the NAIC Model Law. For example the NYDFS cybersecurity regulation includes exemptions for Captives and Risk Retention Groups. The NAIC Model Law’s definition of a “licensee” does not include a purchasing group or Risk Retention Group chartered or licensed in another state, or a licensee that is acting as an assuming insurer domiciled in another state or jurisdiction.
Requirements for the licensee’s information security program can be found in Section 4 of the Model Law. The requirements are similar to the NYDFS cybersecurity regulation and include appointment of a Chief Information Security Officer, data retention policy, risk assessment, security measures/controls, oversight by Board of Directors, Third-Party vendor oversight, incident response plan, annual certification to the Superintendent and notification to the superintendent. The licensee’s information security program must be based on a robust risk assessment. The program is scalable to the size, complexity, and scope of the licensee’s activities. The Model Law is principles-based vs. rules-based, like the NYDFS Cybersecurity Regulation. The NYDFS cybersecurity requirements are also based on risk assessment, but the provisions identified in each section are mandatory. Specific security measures and controls are not mandated in the Model Law, but must be implemented as appropriate, and include the following:
- Regular system testing;
- audit trails;
- restricted access privileges;
- application security;
- multi-factor authentication; and
- staff training.
The Model Law also calls for at least annually assessing the effectiveness of the safeguards’ key controls, systems, and procedures. This annual assessment will require that management has identified the key controls, systems, and procedures that address the risks identified in its risk assessment.
The Model Law cybersecurity requirements give examiners the teeth they need when examining a licensee. Licensees should look to their domestic regulator for guidance on interpreting and implementing the Model Law.
State Adoption Status
It should be noted that the Model Law is a guideline and cannot be enforced until approved and adopted by individual states. South Carolina became the first to officially adopt the Model Law on May 3, 2018, with the South Carolina Insurance Data Security Act. The law will go into on January 1, 2019. South Carolina licensees will have until July 1, 2019, to implement an information security program and July 1, 2020, to comply with third-party service provider due diligence requirements.
Currently, there are four states plus the District of Columbia that have added or plan to add the Model Law to their 2018 legislative calendars: Rhode Island, Vermont, Louisiana, Nevada, and the District of Columbia. Rhode Island introduced the Insurance Data Security Act on February 28, 2018. The committee recommended the measure be held for further study on March 27, 2018. Vermont and District of Columbia have stated publicly they would like to move forward with adoption processes. Newcomers Louisiana and Nevada have also expressed interest in introducing the Model Law during their legislative sessions.
NAIC’s Adoption Timeline
The NAIC has an aggressive goal of encouraging “legislatures or regulatory bodies to adopt the model law, with as few changes as possible, in a majority of states within three years.” Once a state adopts the law, insurers will only have one year to comply with nearly all the regulations. This means that in as soon as two years from now, states that add the Model Law to their agenda will require insurers to be compliant by 2020.
Because the Model Law was introduced in late 2017, many states may not have ample time to add this to their 2018 legislative calendars. However, the “early adopters” of the Model Law were those that had a hand in creating it, and understand how important it is to move quickly on this regulation. For instance, South Carolina’s Director, Ray Farmer, chaired the Cybersecurity Working Group, and Rhode Island Superintendent Elizabeth Dwyer was its vice-chair. Superintendent Dwyer also chaired the Cybersecurity Model Law Drafting Group.
Cybersecurity at the Federal Level
While neither the House nor the Senate have recently passed any bills addressing cybersecurity, it remains to be a key issue at the federal level. During the 2017 fall NAIC meeting of the Cybersecurity (EX) Working Group, the U.S. Department of Treasury commented on adoption of the Model Law. The Department of Treasury recommended prompt adoption of the Model Law and added that this should be complete within 5 years, otherwise federal preemption may result. This brings up the possibility that if states do not make progress to adopt the Model Law within the next five years, Congress could pass legislation setting a federal requirement for insurance data security.
Impact to Insurers
This strict timeline will affect mid-market insurers that are not subject to SOX the most, as many do not have the provisions of the law in place. With adoption and implementation imminent, it’s important to understand how these regulations might apply to your organization and what you can do now to start preparing for compliance.
In the short term, organizations should be sure to establish a team responsible for overseeing the cybersecurity program. This team should perform a risk assessment and assess the current state of cybersecurity risks and controls. The findings from the assessment should be used to define an improvement plan. In addition, organizations should create an incident response plan that includes a procedure for reporting and responding to security events, if one does not already exist.
Insurers should evaluate third party service providers and implement appropriate administrative, technical and physical measures to support security. Due diligence processes should be established to support the service provider selection, onboarding, regular monitoring, and end of contract processes. Insurers should continue to make control assessments a regular activity and use the findings from these assessments to update their improvement plan. These improvement plans should have action items that are monitored to strengthen and mature the cybersecurity program. Finally, insurers should assign the board of directors or appropriate committee to oversee the annual compliance report that must be renewed every year.
Any insurers preparing for a Department of Insurance examination should understand the updates to the Financial Condition Examiners Handbook. The NAIC IT Examinations Working Group regularly reviews and revises the existing guidance to reflect the most current cybersecurity best practices and improve examination protocols. The exam guidance is a tool used by the regulators to evaluate an insurer’s security program and does not represent requirements for companies to follow. The Model Law, once enacted by the states, will set expectations for how companies design their information security programs.
NAIC Insurance Data Security Model Law Update
Understanding the NAIC Insurance Data Security Model Law
Cyber Security Risks Facing Insurance Companies in 2017
NAIC Report: 2018 Spring National Meeting