More than two years have passed since the implementation of the New York Department of Financial Services’ (NYDFS) landmark Cybersecurity Regulation, a.k.a. 23 NYCRR 500. At this point all entities bound to NYDFS requirements, like banks, mortgage companies, and insurance companies, have demonstrated compliance. Now, new requirements in other states are mandating higher standards for the insurance industry when it comes to cybersecurity and data privacy.
Similar to 23 NYCRR 500, the Insurance Data Security Model Law, approved by the National Association of Insurance Commissioners (NAIC) in 2017, has seen increased adoption over the last year. In applicable states, the law requires insurers and other entities licensed under the Department of Insurance to develop, implement, and maintain an information security program. It also establishes minimum data security, breach notification, and incident response standards for those subject to the law.
Last month, Alabama joined four other states, Michigan, Mississippi, Ohio, and South Carolina, in adopting the law.
Under NAIC Model Law, organizations subject to state insurance laws are required to implement an information security program designed to:
- Protect the security and confidentiality of Nonpublic Information and the security of the Information System;
- Protect against any threats or hazards to the security or integrity of Nonpublic Information and the Information System;
- Protect against unauthorized access to or use of Nonpublic Information, and minimize the likelihood of harm to any Consumer; and
- Define and periodically reevaluate a schedule for retention of Nonpublic Information and a mechanism for its destruction when no longer needed
The risk assessment section of the law stipulates that insurers designate a party responsible for managing the program, identify "reasonably foreseeable" internal and external threats that could result in the unauthorized access of data, and assess the sufficiency of policies and procedures around safeguarding against threats.
Similar to NYCRR, a risk management section requires organizations in states where NAIC is applicable to:
- Place access controls on Information Systems
- Identify and manage the data, personnel, devices, systems, and facilities
- Restrict access at physical locations
- Protect all nonpublic information by encryption
- Adopt secure development practices for in-house developed apps
- Use effective controls, like multi-factor authentication
- Regularly test and monitor systems and procedures to detect actual and attempted attacks or intrusions
- Ensure audit trails are designed to detect and respond to events
- Enact measures (backups) to protect against destruction, loss, or damage of data
- Develop procedures for the disposal of nonpublic data
NAIC Model Law requires organizations to notify the commissioner, usually the Director of the Department of Insurance, "as promptly as possible but in no event later than 72 hours" after it's been determined a cybersecurity event has occurred.
Alabama's law, outlined through Senate Bill 54, or the Insurance Data Security Law, was enacted on May 1, 2019 although insurers in the state have one year, until May 1, 2020, to conform to its information security requirements, and a year after that, May 1, 2021, to follow its controls for third-party service providers.
South Carolina was the first to pass the law last May; it went into effect on January 1, 2019 and requires insurers to report on its information security program to the state's Department of Insurance by July 1. Insurers’ third-party service providers also have to ensure they’ve implemented security measures to protect and secure any information systems and personal information by July 1 as well.
Michigan enacted HB 6491, its version of the NAIC Law, on December 28, 2018; Ohio adopted its NAIC law via Ohio SB273 several weeks prior, on December 19.
Not all state laws are the same however; some differ from the NAIC Model Law.
Ohio's has exemptions for organizations with fewer than 20 employees or less than $5 million in gross annual revenue, and has a wording that limits the definition of a cybersecurity event to the unauthorized access or misuse of information “that has a reasonable likelihood of materially harming any consumer residing in this state or any material part of the normal operations of the licensee."
Michigan's law expands on the 72-hour requirement and gives insurers 10 business days to report a cybersecurity incident to the Department of Insurance. It also exempts organizations with fewer than 25 employee and specifies that in the course of any proceedings, any documents handed over to the NAIC or third-party consultants aren't subject to the state's freedom of information act or subpoena.
Licensees in states where the law is applicable should ensure they're familiar with the NAIC Model Law and any state-specific permutations but the insurance industry in general would be well served to keep tabs on the law as versions of it have also been introduced in the Connecticut, Mississippi, Nevada, Rhode Island and New Hampshire legislatures.
