In a flurry of approvals last week, the National Association of Insurance Commissioners (NAIC) took substantial steps toward finalizing its proposed Insurance Data Security Model Law during the 2017 NAIC Summer National Meeting in Philadelphia. The Model Law establishes minimum cybersecurity standards consistent with New York’s cybersecurity regulation. The approval of the Model Law by key NAIC bodies is further indication of the increasing consensus among federal and state agencies regarding the core cybersecurity practices that businesses across sectors will be expected to meet.
Both the Cybersecurity (EX) Working Group and the Innovation and Technology (EX) Task Force adopted the revised sixth version of the Model Law. Only Arkansas, New Mexico and Utah voted against adoption of the Model Law at the Working Group level. The Model Law next goes to the Executive Committee, and then to the joint Executive/Plenary for final adoption. The exact timing for these last approvals is uncertain.
The Model Law substantially tracks language from New York’s recently adopted regulation, Cybersecurity Requirements for Financial Services Companies. Like New York’s regulation, the Model Law essentially promotes a proactive, holistic and risk-based cyber strategy including requirements such as:
- Maintaining an information security program based on a cybersecurity risk assessment;
- Evaluating and addressing cybersecurity risks posed by third-party service providers;
- Requiring oversight by the board of directors;
- Establishing a written incident response plan;
- Providing an annual certification of compliance to Departments of Insurance; and
- Investigating and providing notice to Departments of Insurance regarding cybersecurity events.
The Model Law, however, generally stops short of including many of the more specific and nuanced requirements included in the New York regulation, opting instead to require licensees to determine which controls listed in the Model Law are appropriate for them. Additionally, the Model Law establishes specific requirements for reinsurers to provide notice to insurers of cybersecurity events, an issue that was not specifically addressed by the New York regulation. The Model Law also applies to a potentially different set of insurance “licensees” than the New York regulation, but does similarly apply to life, property and casualty and health insurers, as well as producers.
The revised sixth draft of the proposed Model Law made limited changes to the previous revision. Significant changes include the addition of a drafting note stating that companies in compliance with the New York regulation also meet the requirements of the Model Law, the removal and simplification of detailed requirements regarding third-party service providers, and the replacement of the annual report requirement contained in the previous draft with an annual certification requirement in line with the New York regulation.
The proposed Model Law was originally intended to be finalized by the end of 2016, but failed to meet that deadline due to opposition from all sides to various sections of earlier drafts. The version adopted at the NAIC Summer Meeting was developed after New York Superintendent of Financial Services Maria Vullo urged the Cybersecurity (EX) Working Group to adopt New York’s cybersecurity regulation as its model at the NAIC’s Spring meeting. By doing so, the NAIC moved away from attempting to establish a uniform consumer breach reporting requirement for insurers, which had been the focus of earlier drafts. It remains to be seen whether the NAIC will continue to work towards that goal in a separate model law. For more information regarding the development of the Model Law, see Legal Alert: NAIC Report: 2017 Spring National Meeting.
The New York Department of Financial Services (DFS) issued a final regulation that took effect on March 1, 2017, that applies new requirements for a cybersecurity risk assessment and a cybersecurity program to DFS-licensed individuals and entities including insurance companies, insurance agents, brokers, banks, money transmitters and other financial services companies. For more information regarding the DFS cybersecurity regulation, see Legal Alert: NY DFS Publishes Final Cybersecurity Rules for Financial Services Companies.
The adoption of the Model Law by key NAIC bodies is a significant step that reinforces the need for companies to act swiftly to implement a holistic, proactive and risk-based approach to managing their cybersecurity programs.