Insurance agencies responsible for safeguarding the nonpublic information of clients and employees may soon be affected by the Insurance Data Security Model Law as many states are beginning to review and adopt the law. Modeled after the March 1, 2017 New York State Department of Financial Services (NY DFS) Cybersecurity Requirements for Financial Services Companies Act, the law provides a framework for states to address risks and set cybersecurity guidelines for the insurance industry.
Approved by the National Association of Insurance Commissioners (NAIC) in October 2017, the model law requires notification to the insurance commissioner no later than 72 hours after the discovery of a cybersecurity event. To better prepare for this imminent change in insurance regulation, familiarize yourself with these definitions and key requirements of the Insurance Data Security Model Law.
Applications of the Model Law
The law applies to a licensee pursuant to the insurance laws of the state. It does not apply to purchasing or risk retention groups chartered and licensed in other states or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.
Definitions of the Model Law
Under the model law, a “licensee” is defined as any person licensed, authorized to operate, or registered—or required to be licensed, authorized or registered.
A “cybersecurity event” is defined as “an event resulting in unauthorized access to, disruption or misuse of, an information system or information stored on such information system.” Cybersecurity events do not include encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization. Nonpublic information accessed by an unauthorized person that has not been used or released and has been returned or destroyed is also excluded.
Requirements of the Model Law
Implementation of an Information Security Program. Each licensee is required to develop, implement, and maintain a comprehensive written Information Security Program commensurate to the size and complexity of the licensee. Designed to minimize consumer harm by protecting the security and confidentiality of nonpublic information against any hazard or threat, this program shall detail the administrative, technical, and physical safeguards of nonpublic information and its destruction mechanism for when it’s no longer needed.
Risk assessment and management. Licensees shall designate one or more employees, affiliates, or an outside vendor to be responsible for identifying internal and external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information. The program includes employee training, information system updates, the regulation of data management, storage, and disposal, and the detection, prevention, and response to attacks.
Oversight by Board of Directors. If the licensee has a board of directors, the board is responsible for the development, implementation and maintenance of an information security program and annually reporting on its status and compliance to address issues such as risk management and assessment, third-party service provider arrangements, cybersecurity violations, and responses to events.
Oversight of third-party service providers. Nonpublic information used by or in the possession of third-party service providers shall be protected and secured by administrative, technical and physical measures. The licensee is also responsible for exercising due diligence in selecting a third-party service provider.
Program adjustments. The law states that licensees shall monitor, evaluate and adjust the information security program consistent with any relevant changes in technology, the sensitivity of its nonpublic information, internal or external threats to information, and the licensee’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.
Incident response plan. Each licensee is to establish a written plan to describe how they will respond to, recover from, and remediate any system weaknesses compromised by a cybersecurity event. Licensees must also promptly investigate all cybersecurity events. This includes events that have or may have occurred and applies to vendors and service providers designated to act on behalf of the licensee.
Penalties and Exceptions
The law also requires the licensee to certify annual compliance by submitting a written statement to the commissioner by Feb. 15 of each year. Individual states will determine the penalties for noncompliance. Exceptions of the model law will be determined by each state. Some exceptions include independent contractors, licensees with fewer than 10 employees, and licensees subject to HIPAA, among others.
For more information on the individual regulations and the consequences of noncompliance, download the full Insurance Data Security Model Law at the NAIC Website.
