NAIC Model Law passes

Oct 30, 2017

What the new insurance data security regulation means and how it will impact the insurance sector.


Earlier this year, I reported on a piece of regulation being advanced by the National Association of Insurance Commissioners (NAIC). On October 24th, this regulation – the “Insurance Data Security Model Law” – was ratified by the NAIC. So, what does this mean and how, if at all, will it impact the insurance sector?

To begin, we need to look at the scope of this regulation as it applies to a “licensee.” According to this model law, “licensee” means:

“any person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of this state but shall not include a purchasing group or a risk retention group chartered and licensed in a state other than this state or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.”

To get a sense of how many people this can impact: as of 2015, there were approximately 1.07 million insurance agents. Many of these agents are independent or work with small firms that rely on free or basic antivirus software and are generally self-reliant in managing their clients’ non-public records.

It is important to note that organizations already compliant with the New York cybersecurity regulation (23 NYCRR Part 500) that took effect in March of this year are likely able to demonstrate adherence to NAIC’s model. This is because NAIC’s model incorporated a lot of the good work done by New York’s Superintendent of Financial Services, Maria Vullo, and her team.

Now that NAIC has ratified it, what is next? Each state will determine whether to mandate the model law as a formal requirement within its respective purview. While there is a good chance that some states may not adopt, I am of the opinion that between the recent Equifax breach and similar scenarios where a failure to implement adequate best practices is causing consumer harm, most states will adopt and mandate it as a formal requirement. This rationale aligns with the reasoning behind why New York came up with its own regulation.

Provided a licensee is operating in a state where the model law becomes mandated, what would these requirements look like? To begin, a formal written information security plan. This plan would be the basis for how an information security program is defined, implemented, and operated.

A formal risk assessment must be conducted, and the outcomes of this risk assessment must be reflected in any updates to the licensee’s information security plan. Its scope is not limited to the licensee itself. The following is taken directly from the Model Law:

“Identify reasonably foreseeable internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration or destruction of Nonpublic Information, including the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third-Party Service Providers…”

I call your attention to the following:

  • Foreseeable
  • Third-Party Service Providers

As stated earlier, those licensees that are not working at large and well-established carriers, and that rely on basic antivirus or believe that Windows Defender will save them, are likely not going to have the capability to address these issues.

For those that do work for larger organizations (brokers and carriers), if a Board of Directors (BOD) exists, then it must now have skin in the game. In fact, the Model Law specifically calls out oversight by the Board of Directors alongside oversight of Third-Party Service Provider arrangements.

Candidly, I was impressed that the NAIC was able to advance the approval process as quickly as they did since my last post in August. I would like to draw your attention to the diligence and perseverance of the NAIC’s Cyber Working Group leadership in accomplishing this. As a cyber risk practitioner, I find it comforting that there will be regulatory mechanisms requiring that the business sector responsible for underwriting cyber risks demonstrate the same capabilities.

This is especially relevant considering a recent article by Advisen titled “Greed is overtaking fear in the market: Has the cyber insurance market overextended itself?” To wit, an excerpt from that piece:

“The cyber insurance market has grown steadily in response to market demand and rising risk, but some question whether insurers underestimate potential losses when underwriting and pricing business.”

Carter Schoenberg is the President and Chief Executive Officer of HEMISPHERE Cyber Risk Management, Inc. Mr. Schoenberg is a Certified Information Systems Security Professional (CISSP) with over 23 years of combined experience in criminal investigations, cyber threat intelligence, cyber security, risk management and cyber law. He is a cybersecurity subject matter expert supporting government and commercial markets in better defining how to evaluate a risk profile and in defining criteria for brokers and carriers to use in their determination of coverage and premium analysis.

HEMISPHERE is working with insurance stakeholders to define appropriate standards and training for brokers and agents in determining coverage requirements, scheduled for release later in 2017. HEMISPHERE is also working with the National Association of Insurance Commissioners’ Cyber Task Force.

Mr. Schoenberg’s expertise has been featured at many events, and his background and knowledge of the Latin American markets, specifically Panama, has provided him with a unique and detailed view of this market segment.

Mr. Schoenberg is responsible for designing practical solutions to address cyber risk management using his proprietary cost-benefit analysis, enabling system owners to make mission- and cost-justified decisions on cyber risk. Having started his career in law enforcement as a homicide detective, his work products have been actively used by DHS, the ISAC communities, and the Georgia Bar Association for Continuing Legal Education (CLE) credits on the topic of cybersecurity risk and liability. His expertise has been profiled at conferences including ISC2, SecureWorld Expo, ISSA and InfosecWorld.

The opinions expressed in this blog are those of Carter Schoenberg and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.