NAIC Model Law passes

What the new insurance data security regulation means and how it will impact the insurance sector.


Earlier this year, I reported on a piece of regulation being advanced by the National Association of Insurance Commissioners (NAIC). On October 24th, this regulation, the “Insurance Data Security Model Law,” was ratified by the NAIC. So, what does this mean and how, if at all, will it impact the insurance sector?

To begin, we need to look at the scope of this regulation as it applies to a “licensee.” According to this model law, “licensee” means:

“any person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of this state but shall not include a purchasing group or a risk retention group chartered and licensed in a state other than this state or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.”

To get a sense of how many people this can impact: as of 2015, there were approximately 1.07 million insurance agents. Many of these agents are independent or work with small firms that rely on free or basic antivirus software and are generally self-reliant in managing their clients’ non-public records.

It is important to note that organizations that are already compliant with the New York Cyber Law that came out in March of this year are likely able to demonstrate adherence to NAIC’s model. This is because NAIC’s model incorporated a lot of the good work that was done by New York’s Insurance Commissioner Maria Vullo and her team.

Now that NAIC has ratified it, what is next? Each state commissioner will determine whether to mandate this as a formal requirement within their respective purview. While there is a good chance that some states may not adopt it, I am of the opinion that between the recent Equifax breach and similar scenarios where a failure to implement adequate best practices is causing consumer harm, most states will adopt it and mandate it as a formal requirement. This rationale aligns with the basis of why New York came up with their own.

Provided a licensee is operating in a state where the model law becomes mandated, what would these requirements look like? Well, to begin with, a formal “written” information security plan. This plan would be the basis for how an information security program is defined, implemented, and operated.

A formal risk assessment must be conducted, and its outcomes must be conveyed in any updates to the licensee’s information security plan. The scope of that assessment is not limited to just the licensee. The following is taken directly from the Model Law:

“Identify reasonably foreseeable internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration or destruction of Nonpublic Information, including the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third-Party Service Providers…”

I call your attention to the following:

  • Foreseeable
  • Third-Party Service Providers

As stated earlier, those licensees that are not working at large and well-established carriers, and that rely on basic antivirus or believe that Windows Defender will save them, are likely not going to have the capability to address these issues.

For those that do work for larger organizations (brokers and carriers), if a Board of Directors (BOD) exists, then it must now have skin in the game. In fact, the Model Law specifically calls out that the BOD is obligated to provide Oversight of Third-Party Service Provider Arrangements.

Candidly, I was impressed that the NAIC was able to advance the approval process as quickly as they did since my last post in August. I would like to draw your attention to the diligence and perseverance of the NAIC’s Cyber Working Group leadership in accomplishing this. As a cyber risk practitioner, I find it comforting that there will be regulatory mechanisms requiring the business sector responsible for underwriting cyber risks to demonstrate the same capabilities.

This is especially relevant considering a recent article by Advisen titled “Greed is overtaking fear in the market: Has the cyber insurance market overextended itself?” To wit, an excerpt from that piece:

“The cyber insurance market has grown steadily in response to market demand and rising risk, but some question whether insurers underestimate potential losses when underwriting and pricing business.”

This article is published as part of the IDG Contributor Network.