What the new insurance data security regulation means and how it will impact the insurance sector.

Earlier this year, I reported on a piece of regulation being advanced by the National Association of Insurance Commissioners (NAIC). On October 24th, this regulation, the “Insurance Data Security Model Law,” was ratified by the NAIC. So, what does this mean and how, if at all, will it impact the insurance sector?

To begin, we need to look at the scope of this regulation as it applies to a “licensee.” According to this model law, “licensee” means:

“any person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of this state but shall not include a purchasing group or a risk retention group chartered and licensed in a state other than this state or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.”

If you wanted to know approximately how many people this can impact, as of 2015 there were approximately 1.07 million insurance agents. Many of these agents are independent or work with small firms that rely upon free or basic antivirus software and generally are self-reliant in managing their clients’ non-public records.

It is important to note that organizations that are already compliant with the New York Cyber Law that came out in March of this year are likely able to demonstrate adherence to NAIC’s model. This is because NAIC’s model incorporated a lot of the good work done by New York’s Insurance Commissioner Maria Vullo and her team.

Now that NAIC has ratified it, what is next? Each state commissioner will determine whether they will mandate this as a formal requirement within their respective purview.
While there is a good chance that some states may not adopt, I am of the opinion that, between the recent Equifax breach and similar scenarios where a failure to implement adequate best practices is causing consumer harm, most states will adopt and mandate it as a formal requirement. This rationale aligns with the basis of why New York came up with their own.

Provided a licensee is operating in a state where it becomes mandated, what would these requirements look like? To begin, a formal “written” information security plan. This plan would be the basis for how an information security program is defined, implemented, and operated. A formal risk assessment must be conducted, and the outcomes from this risk assessment must be conveyed in any updates to the licensee’s information security plan; its scope is not limited to just the licensee. The following is taken directly from the Model Law:

“Identify reasonably foreseeable internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration or destruction of Nonpublic Information, including the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third-Party Service Providers…”

I call your attention to two phrases in that text: “foreseeable” and “Third-Party Service Providers.”

As stated earlier, those licensees that are not working at large and well-established carriers and rely on basic antivirus, or believe that Windows Defender will save them, are likely not going to have the capability to address these issues.

For those that do work for larger organizations (brokers and carriers), if a Board of Directors (BOD) exists, then it must now have skin in the game. In fact, the Model Law specifically calls out that the BOD is obligated to provide oversight of Third-Party Service Provider arrangements.

Candidly, I was impressed that the NAIC was able to advance the approval process as quickly as they did since my last post in August.
I would like to draw your attention to the diligence and perseverance of the NAIC’s Cyber Working Group leadership in accomplishing this. As a cyber risk practitioner, I find it comforting that there will be regulatory mechanisms requiring the business sector responsible for underwriting cyber risks to demonstrate the same capabilities, especially considering a recent article by Advisen titled “Greed is overtaking fear in the market: Has the cyber insurance market overextended itself?” To wit, an excerpt from that piece:

“The cyber insurance market has grown steadily in response to market demand and rising risk, but some question whether insurers underestimate potential losses when underwriting and pricing business.”