NAIC Insurance Data Security Model Law

The Big Picture

On October 24, 2017 the NAIC passed the Insurance Data Security Model Law, which establishes standards for data security and for investigating a Cybersecurity Event and notifying the Commissioner of it. The framework of the Insurance Data Security Law is similar to the New York Department of Financial Services Cybersecurity Regulation that went into effect on March 1, 2017. Essentially, insurance companies across the U.S. are now required to perform a Cybersecurity Risk Assessment and to create and maintain a Cybersecurity Program based on that Risk Assessment.

The Model Law is now available for consideration and adoption by individual states. As of this writing, two states, South Carolina and Vermont, are submitting the Model Law for their 2018 legislative calendars. How many other states will follow, and how quickly, remains to be seen; however, adopting the Model Law establishes a sound, common insurance industry standard through a path of least resistance.

Taking a Closer Look – Who is Covered?

The NAIC Insurance Data Security Law applies to all insurance companies operating in the U.S.

Exemptions:

  • Companies with fewer than 10 employees
  • Companies that have met the information security requirements of the HIPAA Security Rule
  • Companies that have met the requirements of 23 NYCRR 500 are deemed to have met the requirements of the NAIC Model Law

Taking a Closer Look – What is Required?

The NAIC Insurance Data Security Model Law requires insurance companies to create and maintain a Cybersecurity Program based on their Cybersecurity Risk Assessment. The Cybersecurity Program should contain administrative, technical and physical safeguards for the protection of Non-public Information and the company’s Information Systems that are commensurate with the size and complexity of the company. Namely, the goals of the Cybersecurity Program are to:

  1. Protect the security and confidentiality of Non-public Information and the security of the Information System;
  2. Protect against any threats or hazards to the security or integrity of Non-public Information and the Information System;
  3. Protect against unauthorized access to or use of Non-public Information, and minimize the likelihood of harm to any Consumer; and
  4. Define and periodically reevaluate a schedule for retention of Non-public Information and a mechanism for its destruction when no longer needed.

Taking a Closer Look – How do Businesses Reach Compliance?

The timetable to become compliant begins when the NAIC Insurance Data Security Model Law is adopted by a state. There are two consecutive 12-month transition periods after the effective date, each with its own compliance requirements:

First 12-month transitional period: insurance companies are required to have implemented Section 4 of the Law, Implementation of an Information Security Program:

  • Risk Assessment
  • Policies and Procedures
  • Implementation of appropriate security measures, including but not limited to the following:
      1. Access controls
      2. Identification of data, personnel, devices, systems and facilities, ranked by criticality
      3. Physical access restrictions
      4. Data encryption
      5. Secure application development, both in-house and externally developed
      6. Multi-factor authentication
      7. Regular testing and monitoring of systems
      8. Maintenance of audit trails
      9. Disaster recovery/business continuity plan
      10. Secure data disposal
  • Employee Cybersecurity awareness training
  • Incident response plan
  • Oversight by the Board of Directors or an appropriate committee – annual report to the Board
  • Annual certification to the Commissioner of the Domiciliary State

Second 12-month transitional period: insurance companies are required to have implemented Section 4(F) of the Law, Oversight of Third-Party Service Provider Arrangements:

  • Perform due diligence in selecting third-party service providers
  • Require third-party service providers to implement administrative, technical and physical measures

Moving forward, insurance companies are required to notify the Commissioner within 72 hours of a Cybersecurity Event. In addition, an annual written statement must be submitted to the Commissioner by February 15 certifying compliance with Section 4 of the Law, Implementation of an Information Security Program.

Meeting the requirements of the NAIC Insurance Data Security Model Law can be a daunting process. With proper planning and the use of available resources, such as an experienced, reputable cybersecurity partner, compliance and robust cybersecurity are well within reach. SCA can help with this process.