The National Association of Insurance Commissioners (NAIC) adopted the Insurance Data Security Model Law in October 2017. It establishes minimum standards for data security applicable to insurance providers. I believe this legislation will have a significant impact on state-level cybersecurity standards over the next five years. It is part of a growing body of state-level cybersecurity legislation, which includes New York State’s DFS 500 regulation issued in March 2017.
The objective of NAIC’s Model Law is:
“… to establish standards for data security and standards for the investigation of and notification to the Commissioner of a Cybersecurity Event applicable to Licensees.”
If other states’ approaches to implementing the standard are like New York’s, the laws will require any insurance entity licensed by that state to implement controls in accordance with the standard and to formally attest to the same.
The Model Law requires that licensees minimally:
- Build a Cybersecurity Program commensurate with the size and complexity of the licensee and adequate to protect Nonpublic Information (largely the Personally Identifiable Information and Patient Health Information of its clients).
- Operate a Risk Management Program that identifies, analyzes, and develops appropriate treatment approaches for reasonably foreseeable internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration or destruction of Nonpublic Information.
- Implement the controls deemed necessary by the Risk Management Program, including (but not limited to): access controls, asset management, encryption, secure development practices, multi-factor authentication, penetration testing, log management, data retention, and cybersecurity awareness training.
- Operate a Third-Party Risk Management Program that exercises due diligence in selecting Third-Party Service Providers (vendors) and ensures they put in place the appropriate administrative, technical, and physical measures to protect and secure the Information Systems and Nonpublic Information that are accessible to, or held by, the Third-Party Service Provider.
- Develop a written Incident Response Plan designed to promptly respond to, and recover from, any Cybersecurity Event that compromises the confidentiality, integrity, or availability of Nonpublic Information in its possession.
NYS DFS 500 extended the NAIC guidance by also requiring that the firms “utilize qualified cybersecurity personnel” as well as “… designate a qualified individual responsible … as Chief Information Security Officer.” In both cases, DFS allows the personnel and/or CISO to be “… employed by the Covered Entity, one of its Affiliates or a Third-Party Service Provider.”
Conforming with DFS 500 has been a notable challenge for all of the small and mid-tier licensees that we have worked with to bring into compliance. I would expect that, as these regulations begin to roll out in each state, we are going to see these challenges repeated.
My understanding is that many states plan to implement regulations in accordance with NAIC’s guidance, with South Carolina and Rhode Island being the farthest along in preparing legislation. I have just started reviewing South Carolina’s proposed legislation (Act 171) and will publish a blog post shortly that looks at it in relation to the NAIC guidance and DFS 500 and gives some guidance on putting a program in place that meets the requirements in time for its July 1, 2019 deadline.