A look at the Insurance Data Security Model Law
The insurance industry is just one of many industries under threat from cyber attacks. Every day, millions of customers are at risk of having their private data stolen. To combat the problem, the National Association of Insurance Commissioners came up with new guidelines to help protect data. And states are also beginning to adopt their own measures. Let’s look at what the standards mean for insurance companies around the country.
The Insurance Data Security Model Law
In 2017, the National Association of Insurance Commissioners (NAIC) issued a model law for insurance companies in an ongoing effort to protect consumers’ private data and information; the final text, the Insurance Data Security Model Law, was adopted by the NAIC in October 2017. The model law is based on the New York Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500), which, as predicted, has served as a template for other laws and standards.
“The NAIC Model Law outlines a framework of generally accepted best practices in information security, as well as a legal framework for requiring insurance companies to implement such programs.”
Because the NAIC is not a legislature, the model law has no legal force on its own (this is why it is called a “model law”). It only binds insurers once a state enacts it, and each state that does so adopts it through its own statute or regulation, often with modifications.
What are the new standards?
Here is a look at the Insurance Data Security Model Law from the NAIC. “The purpose is to establish standards for data security and standards for the investigation and notification to the Commissioner of a Cybersecurity Event.”
The new standards are a response to several large data breaches in the financial and insurance sectors in the years before the model law was drafted. The NAIC created a cybersecurity task force to determine ways to protect consumers’ data. The guidelines are designed to upgrade cybersecurity and protect the confidentiality of “nonpublic information” such as Social Security numbers, driver’s license numbers, ID cards, bank account numbers, credit/debit card numbers, and security codes/passwords that allow access to consumers’ financial information and records.
The guidelines are also designed to protect against unauthorized access of sensitive information about consumers and minimize the likelihood of cyber events.
Requirements of the NAIC Model Law
There are several components in the model law. They address upgrading cybersecurity measures, assessing the effectiveness of cybersecurity controls and training, the proper response to threats and/or breaches, and filing an annual certification of compliance with the state insurance commissioner.
Insurance companies must designate one or more people to oversee an “Information Security Program.” The designees can be employees, an affiliate of the insurance company, or an outside vendor who acts on behalf of the company.
Every insurance company must conduct a risk assessment to identify threats that could lead to unauthorized access to, or loss of, private data. This includes assessing the policies, procedures, IT systems, firewalls, and other controls that are in place to manage those threats, such as:
- Cybersecurity training for employees
- Systems that store and protect private data, including information systems; networks; software; information classification, storage, transmission, and disposal.
- Systems that detect, prevent, and respond to attacks, intrusions, and system failures.
An organization must create information safeguards to protect the private information of customers and manage threats. These safeguards must be assessed at least annually.
There must be oversight by the board of directors (if there is one) or a committee of the board. This role includes:
- The implementation of an Information Security Program.
- Ensuring that a written report regarding the program is filed annually.
- Reviewing the cybersecurity program to address possible issues, manage risks, and oversee any third-party service providers engaged to deliver cybersecurity services.
- Assessing the effectiveness of the program.
Third-party service providers
Many insurance companies use third-party service providers. The NAIC guidelines require that companies exercise due diligence when selecting vendors. They must also require all vendors/providers to implement their own cybersecurity measures.
Cyber event response plan
The NAIC model law also requires a written “incident response plan” covering how the company responds to and recovers from a cybersecurity event, and how and when it notifies regulators and customers. The model law itself requires notice to the insurance commissioner no later than 72 hours after the insurer determines that a cybersecurity event has occurred; consumer notification follows the state’s general breach notification law.
The plan should include:
- The internal response and process after a cybersecurity event.
- The goals of the response plan.
- The roles, responsibilities, and levels of people making decisions regarding an event.
- External and internal methods of communications and how information will be shared.
- How to communicate information about identified weaknesses in the Information Systems.
- How cybersecurity events should be documented and reported to the insurance commissioner and consumers.
- Evaluating and revising the response plan as needed after a cybersecurity event.
Investigating cyber events
Cybersecurity events can and do happen. If an insurance company learns of a possible cybersecurity event, whether from internal sources or from a third-party service provider or affiliate, it must promptly investigate. Companies should:
- Investigate whether a cybersecurity event did occur.
- Assess the scope and nature of the event.
- Determine what data (if any) was involved.
- Take steps to restore the security of the systems and data.
Insurance companies must submit an annual written statement to their state Insurance Commissioner certifying that they are in compliance. They must retain all records, schedules, and data supporting those certifications for at least five years (or longer, where state law requires it).
How the NAIC Model Law applies across different states
The NAIC model law is only a template. It takes effect in a state only when that state enacts it, and states may change its terms when they do, so it is important to know the law in each state where you do business. If your company is licensed or operates in several states, you will need to comply with the rules in every one of them.
New York’s regulation predates the model law. South Carolina was the first state to enact the model law itself, and others have followed, including Alabama, Ohio, and Michigan.
Examples of state differences
New York: Because the NAIC model law was derived from the NYDFS regulation, the two align closely, but 23 NYCRR 500 is stricter in places. For example, it requires multifactor authentication (more than one method of authentication) for any individual accessing the company’s internal networks from an external network, whereas the model law only lists multifactor authentication as an example of an effective access control.
South Carolina: Insurance Journal outlines some of the requirements in South Carolina:
- Establish data security standards to mitigate risks and damage from data breaches.
- Develop and maintain an Information Security Program.
- Investigate cybersecurity events.
- Notify South Carolina Department of Insurance about cybersecurity events.
California: At the time of writing, the state was poised to pass the most sweeping regulations yet. Along with adopting much of the NAIC model law, California will also require insurance companies to disclose to customers, upon request, what personal data they have collected, why they collected it, and which third parties have received it.
Cybersecurity is an ever-present risk that requires vigilance and compliance with federal and state regulations as well as evolving best practices. Protecting the private information of your customers, clients, vendors, and employees is essential if you want to avoid financial and reputational damage, and complying with the NAIC model law’s standards is one more step in the right direction.
CyberGuard360’s clients across four states and 40 industries are guided safely through the threat landscape. If you’d like us to put our expertise to work for you, we’d be happy to help. Call us at 844-315-9882 or use our contact form for a free consultation.