At the end of last year, the National Association of Insurance Commissioners (NAIC) adopted an Insurance Data Security Model Law. The “purpose and intent” of the law is to “establish standards for data security and investigation and notification of data security applicable to insurance providers.”
The “NAIC Model Law” is just that: a model. State legislators (or insurance commissioners) must approve and adopt the NAIC proposal. And, of course, each state is free to re-tool the Model Law as it sees fit. To date, no state has enacted its own version of the NAIC Model Law, and industry organizations have expressed skepticism as to whether the proposal will receive much industry support. But, as companies working to certify their compliance with the New York Department of Financial Services’ (DFS) cybersecurity regulation can attest, new state-level cybersecurity regulation is a challenge.
But those companies that are in compliance with the DFS cybersecurity regulation (or are working to do so) should be off to a good start if they are ever affected by the NAIC Model Law. A Drafting Note for the NAIC Model Law provides “that if a Licensee . . . is in compliance with” the DFS regulation, “such Licensee is also in compliance with this Act.”
Indeed, the NAIC Model Law and the DFS regulation are similar in many respects. Both, for example, require covered companies to enact an information security program, to conduct a risk assessment, to perform due diligence of third-party service providers, to develop an incident response plan, to maintain an audit trail, to create policies for data retention and destruction, and to notify authorities in the event of a cybersecurity event.
But there are some notable differences. For instance:
The NAIC Model Law explains that a “Cybersecurity Event” does not include “unauthorized acquisition of Encrypted Nonpublic Information if the encryption, process or key is not also acquired, released or used without authorization.” The DFS regulation does not include similar language.
The NAIC Model Law requires a company’s board of directors (or an appropriate committee) to “[o]versee the development, implementation, and maintenance of the Licensee’s Information Security Program.” The DFS regulation, in contrast, states that a company’s “Senior Officer” or “board of directors” must approve cybersecurity policies or procedures.
Although the NAIC Model Law requires insurers to “no less than annually” assess the “effectiveness of the safeguards’ key controls systems, and procedures,” it does not include the DFS regulation’s specific vulnerability-assessment and penetration-testing requirements.
The DFS regulation requires, absent approval from a company’s Chief Information Security Officer, that multi-factor authentication be used “for any individual accessing” the company’s internal network from an external network. The NAIC Model Law, however, states that companies must “utilize effective controls,” which “may include” multi-factor authentication, for any individual “accessing Nonpublic information.”
The NAIC Model Law’s cybersecurity-event-reporting requirement is much more detailed than the DFS regulation’s. The NAIC Model Law identifies thirteen specific categories of information for reporting to a state’s insurance commissioner, including how “the cybersecurity event was discovered,” whether the company has filed a police report, and a description of any efforts to remediate the situation that permitted the breach to occur in the first place.
If a state ultimately adopts the NAIC Model Law, insurers will have one year to comply with all but the third-party-provider rules, which provide an additional year for compliance. We will continue to report on any movement and developments.