Cybersecurity is a critically important topic for the insurance industry. The highly sensitive consumer financial and health information that is collected by insurers presents an especially alluring target for cyber criminals. In recognition of this risk, the National Association of Insurance Commissioners (“NAIC”) adopted the Insurance Data Security Model Law in October 2017. The NAIC’s model law establishes a legal framework for requiring insurance organizations to operate complete cybersecurity programs, including everything from planned cybersecurity testing and board-level involvement in the information security program to incident response plans and specific breach notification procedures. Although the model law is not enforceable until approved and adopted by individual states, the NAIC is strongly encouraging states to adopt the model law and has set a goal of having it adopted by the majority of states within three years.
Last year, the New York State Department of Financial Services’ issuance of 23 NYCRR 500 marked the first action by a state to craft a policy directed at how insurance companies (along with the other financial institutions DFS regulates) gather, store, and protect confidential information.
This month, Governor Henry McMaster signed the South Carolina Department of Insurance Data Security Bill, possibly a watershed for states considering the Insurance Data Security Model Law. South Carolina now becomes the second state to address cybersecurity in the insurance industry, and the first to adopt the NAIC model largely unchanged. The Rhode Island General Assembly is studying a similar measure, and the Nevada and Vermont legislatures have enacted provisions similar to the model law targeting their financial services sectors.
Both the New York and South Carolina laws require boards of directors (or, for New York, a “Senior Officer”) to assume oversight of an information security program and policy. Companies will be required to conduct regular penetration testing, in which assessors attempt to circumvent or defeat the security features of their information systems. The laws also call for multi-factor authentication, meaning verification through at least two distinct types of factor: knowledge factors (passwords), possession factors (a hardware token or a text-message code), or inherence factors (biometrics). A password combined with a security question is still a single factor type and does not satisfy the requirement. These basic requirements represent minimum security measures and should be implemented immediately if not already in force. Annually, the board must certify to the Commissioner of Insurance (or analogous departmental head) that the firm’s program complies with the law; a material data breach (a “Cybersecurity Event”) must be reported separately, on the much shorter timeline described below.
In the wake of a Cybersecurity Event under either the New York or the South Carolina law, a company must notify the head of the state agency that regulates insurance within 72 hours of determining that the event occurred. The company (or an outside service provider acting on its behalf) must also investigate each incident, determining whether an event in fact occurred, its nature and scope, which nonpublic information was compromised, and the measures needed to restore the security of the company’s information system. Because the 72-hour clock runs from that determination, the incident response plan should settle in advance who makes the determination and who files the regulatory notice.
The NAIC model law generally tracks the New York rules, and companies complying with 23 NYCRR 500 will likely satisfy many of the requirements that states are considering. There are some differences, however, and insurance companies should carefully consider all applicable state requirements when creating their cybersecurity policies. For example, under the NAIC model law, a Cybersecurity Event does not include the acquisition of encrypted nonpublic information unless the encryption process or key that would unlock the information is also acquired. In practice, that exclusion only helps if the keys are stored and managed separately from the data they protect; encrypted records whose decryption key sits on the same compromised server, or in the same exfiltrated backup, offer no such shelter.