The National Association of Insurance Commissioners (NAIC), the standard-setting organization of U.S. state insurance regulators, adopted a new cybersecurity standard in October 2017. This "Model Law," formally the Insurance Data Security Model Law, sets security expectations and operating guidelines for insurers. Insurers that are licensed or write business in several states need to track each jurisdiction's adoption of insurance data security laws. In 2018, Ohio and South Carolina joined New York in having cybersecurity laws of their own.
South Carolina was the first state to adopt the NAIC Model Law in full. The state's governor signed the NAIC's recommendations into law on May 3, 2018, with an implementation deadline of January 1, 2019. The law requires insurers licensed in South Carolina to do the following:
Assess cybersecurity risks.
The entity should regularly perform (or hire an outside professional to perform) a cybersecurity risk assessment.
Implement an information security program.
The entity should implement a program to address the risks identified in the risk assessment.
Designate a person (or group) to manage the program.
The organization should establish a person or group – whether internal or external – to ensure policies of the information security program are being followed.
Require their board of directors to oversee and report on the efficacy of the program.
The board is responsible for overseeing how the organization manages its security risks. It should receive a written report, at least annually, confirming that the organization's cybersecurity program is working as intended.
Train their employees.
Employees should be familiar with cybersecurity risks and aware of how these risks will impact their daily work activities.
Ensure the cybersecurity of third-party service providers.
Third-party service providers that hold or access the insurer's nonpublic information are held to the same level of scrutiny, so organizations should require their business partners to comply with their cybersecurity standards.
Create an incident response plan.
The organization should know exactly how it will respond to and recover from a cybersecurity event.
Notify within 72 hours.
The state's Director of Insurance should be notified of a qualifying cybersecurity event within 72 hours of determining that the event has occurred.
Encourage employees to report suspicious behavior.
Organizations should cultivate a work environment that encourages employees to report potential threats.
Stay informed of emerging threats.
Gathering information about new dangers will help organizations pivot their risk assessments and address those new risks going forward.
South Carolina is, so far, the only state to have adopted the NAIC standards in full. The Model Law itself was modeled on New York's cybersecurity regulation.
The New York Department of Financial Services (NYDFS) cybersecurity regulation (23 NYCRR Part 500) took effect in March 2017, well before the NAIC finalized its Model Law. Unsurprisingly, the two have much in common. In most areas, however, New York's requirements reach further than the Model Law's. For instance, NYDFS mandates the designation of a Chief Information Security Officer (CISO) as the party responsible for maintaining the insurer's cybersecurity program. A few other differences:
- While the Model Law requires testing of controls as part of its risk management procedures, New York specifically requires organizations to perform vulnerability assessments and penetration testing.
- NYDFS requires covered entities to maintain audit trails that can reconstruct material financial transactions and support detection of, and response to, cybersecurity events. The Model Law does not require audit trails.
- In New York, insurers must assess their third-party service providers to confirm they meet minimum cybersecurity practices. The Model Law only asks that due diligence be performed.
- NYDFS requires multi-factor authentication for access to internal networks from an external network, whereas the Model Law only requires "effective controls," which may include multi-factor authentication.
In response to the NAIC Model Law, Ohio passed a cybersecurity law of its own in December 2018 covering insurers licensed in the state. It follows the Model Law in the most important respects: it requires insurers to implement and enforce a cybersecurity program, it requires insurers to notify the regulator after a breach, and insurers must certify that they comply with the law. There are, however, notable differences in the following four areas:
Protection of nonpublic information.
Nonpublic information is more closely protected in Ohio. Sensitive information held by a third-party service provider, a vendor or the NAIC is not subject to public release, subpoena, or admission as evidence in a private civil action.
Actions required following a cybersecurity breach.
Ohio requires a "reasonable likelihood" of material harm to a consumer or to the insurer's operations before a breach becomes an event the Superintendent of Insurance must be told about. The NAIC Model Law applies a similar materiality test to its notification requirement, so the practical differences lie in timing and follow-up: Ohio gives insurers three business days to make the report, where the Model Law allows 72 hours, and Ohio insurers are not required to update the Superintendent on recovery unless there are "material developments" related to the event.
Exemptions from the law.
Both Ohio's law and the Model Law exempt some licensees from these cybersecurity requirements, but Ohio exempts a licensee that meets any one of the following: fewer than 20 employees (the Model Law's threshold is ten), annual revenue under $5 million, or assets valued at less than $10 million.
Liability for noncompliance.
The law does not shield Ohio insurers whose failure to follow its cybersecurity requirements results in a breach; a tort claim arising from that failure can still proceed.
The NAIC’s goal with the Model Law is to standardize data security controls, and the organization hopes that the majority of states will have adopted the Model Law by the end of 2020. If you have questions about the Model Law or would like to be informed when your state addresses these recommended standards, contact us and let us know – we are here to help.