Insurance Industry Cybersecurity Standards Laws on the Horizon
Stu Panensky
Founding Partner at Pierson Ferdinand (Cyber / Privacy Law & Tech / Commercial Litigation)
The Insurance Data Security Model Law proposed by the National Association of Insurance Commissioners (NAIC) in 2017 has now been fully enacted in eleven (11) states. New legislative initiatives for cybersecurity directed specifically at the insurance industry sector are currently underway in several other states. For the states that have enacted the NAIC’s model standard, there are phased-in compliance requirements for those companies that fall within the scope of the law. The NAIC proposes that its model law creates rules for insurers, agents & brokers, and other insurance professionals with regard to data and information security, as well as standards relating to the investigation of and notification about cybersecurity events. The NAIC model law requires insurers and brokers to:
- Implement an information security program;
- Implement security measures based on a risk assessment of internal and external threats;
- Investigate the scope and extent of cybersecurity incidents; and
- Notify state insurance commissioners of the confirmed cybersecurity event, which is any incident resulting in unauthorized access to, disruption or misuse of, an information system or information stored on the system.
Under the NAIC law, state insurance commissioners are given regulatory oversight power to confirm compliance with the law and to require remediation of data security deficiencies. The model law allows small business exemptions and does not create a private cause of action.
Even if your state has not yet adopted the NAIC model law, insurance professionals should in any event devise and implement information security programs and perform regular risk assessments of internal and external threats. We advise all clients to carefully analyze the scope and extent of cybersecurity events, and we regularly act as “breach counsel” to companies facing cybersecurity and privacy occurrences to assist in this analysis. The NAIC cybersecurity standards are best practices for all insurance industry professionals.
(The states that have adopted the model law in some form are Alabama, Connecticut, Delaware, Indiana, Louisiana, Michigan, Mississippi, New Hampshire, Ohio, South Carolina and Virginia.)
For additional information, or to discuss a more specific situation, please contact any of the following: Stuart Panensky at [email protected]; Stuart Anolik at [email protected]; Gal N. Kaufman at [email protected]; or Michael S. Khoury at [email protected].