Ohio adopts the NAIC’s Insurance Data Security Model Law

Ohio adopts the NAIC’s Insurance Data Security Model Law | Insurance Business America

Ohio recently became the third state to adopt cybersecurity legislation modeled after the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law. The model law, approved by the NAIC in 2017, requires insurers and other licensees to maintain a written information security program based on a risk assessment, to oversee the security of third-party service providers, to investigate cybersecurity events and notify the state insurance commissioner of them, and to keep a tested incident response plan.

So far, only South Carolina, Michigan and Ohio have adopted the NAIC’s Insurance Data Security Model Law, but a number of other states have indicated they intend to follow suit in 2019. All three states have enacted very similar versions of the model law, so cybersecurity compliance obligations are fairly consistent across them.

The first thing insurance companies need to do in order to avoid penalties and unintentional infractions is carry out an internal risk assessment, according to Jeffrey Taft, partner in Mayer Brown’s Financial Services Regulatory & Enforcement group. They need to look at their cybersecurity policy and tailor a program based upon their unique risk profile.


“Insurers also need to assess the cybersecurity of their third-party service providers, which are a large part of any financial services organization,” Taft told Insurance Business. “They need to do their due diligence on those third-party service providers, and they need to ensure their contractual provisions are adequate in terms of cybersecurity. That provision under the NAIC’s Insurance Data Security Model Law, similar to the New York cybersecurity legislation, has a long phase-in period to give insurance companies some time to modify their existing vendor contracts and include additional protections if necessary.

“A lot of the provisions required within the NAIC’s Insurance Data Security Model Law are things that a lot of insurance companies may already have. For example, a lot of companies will have an incident response plan in place that includes reporting procedures. What they might not have done is fully implement and test those policies. Implementation and testing are two key elements of any successful cybersecurity program.”

Insurance brokers operating in states that have adopted the NAIC’s Insurance Data Security Model Law must follow the same obligations and provisions as the insurance carriers. However, their risk profiles may differ depending on the size of their operations and their overall business appetite, Taft pointed out. The NAIC model is somewhat scalable in that it’s based upon a company’s individual risk assessment, so even if smaller brokerage firms lack the same cybersecurity resources as larger carriers, they can still tailor their procedures for compliance.


A number of states have introduced, or are in the process of introducing, their own cybersecurity legislation. The New York Department of Financial Services (NYDFS) cybersecurity regulation (23 NYCRR 500) took effect on March 1, 2017 for entities licensed or regulated by DFS, with its requirements phased in through early 2019 and the first annual compliance certification due in February 2018. The New York regulation has requirements similar to the NAIC’s Insurance Data Security Model Law, but it imposes some additional and more stringent obligations, such as an annual certification of compliance and prescribed controls like multi-factor authentication for external access to internal networks. Generally, those complying with the New York regulation are fairly comfortable that they are also in compliance with the NAIC provisions, according to Taft.

California is also proceeding with its own law, the California Consumer Privacy Act (AB 375), which is due to come into effect on January 1, 2020. (California’s SB-327, which takes effect the same day, is a separate statute covering security features for connected devices rather than the data security programs of insurers.) The California privacy act, in contrast to the NAIC’s model law, is much more focused on privacy than on cybersecurity. Privacy also seems to be the primary focus at the federal legislative level, Taft noted.

“A lot of the discussion and the legislation that’s being proposed at a federal level right now is focused on privacy. We’ve seen it in the context of the Californian privacy act and also in Europe with the GDPR. There hasn’t, however, been much progress from a federal level on legislation regarding cybersecurity. That might explain why there have been a lot more developments in cybersecurity at state level,” he commented.

“There are lots of critical industries in the US that aren’t yet subject to a federal privacy law, so I think that will continue to be the federal focus moving forward. Obviously, there has been some attempt at a federal level to increase cybersecurity programs and increase information sharing between critical infrastructure, but that has been more through executive orders and other things of that nature. There hasn’t been a lot of legislation around that per se.”

The federal government has taken note of the NAIC’s Insurance Data Security Model Law. The Federal Trade Commission (FTC) recently proposed amendments to its Safeguards Rule, which governs how financial institutions under the Gramm-Leach-Bliley Act protect customer information; the proposal draws very heavily upon the NAIC’s model law and the NYDFS cybersecurity regulation. If more and more states adopt the NAIC model, it could essentially become “a de facto standard” at the federal level, according to Taft.