
NAIC Data Security Model Law—Coming to a State Near You

Author: George Robertson

 
On Oct. 24, 2017, the National Association of Insurance Commissioners (NAIC) approved the Insurance Data Security Model Law. The model law was established to address cyber-security risks and set guidelines for licensees to help safeguard consumers. While the law has many details, some are particularly important for insurance agencies that handle personal information of clients and employees.

This model law closely resembles the New York Department of Financial Services cyber-security regulation that took effect on March 1, 2017. It provides a framework for states to establish their own cyber-security rules for licensees. South Carolina was the first state to adopt the model law almost in its entirety, and other states are currently reviewing it.

Safeguarding consumers' nonpublic information is a vital part of the model law, and requirements are placed on licensees in the event of a cyber-security event. Notification to the insurance commissioner is required as soon as possible but no later than 72 hours from the determination of a cyber-security event.
 

Who Is a Licensee?

Within the model law, a licensee is defined as any person licensed, authorized to operate, registered, or required to be licensed, authorized or registered pursuant to the insurance laws of the state.
 

What Is a Cyber-Security Event?

Any event resulting in unauthorized access to or disruption or misuse of an information system or information stored on such a system constitutes a cyber-security event. This does not include unauthorized acquisitions of encrypted nonpublic information if the encryption process or key is not also acquired. Also, if the nonpublic information was not used or released and was returned or destroyed, a cyber-security event is not established.


Key Requirements of Licensees

Implementation of an Information Security Program – Each licensee shall develop, implement and maintain a comprehensive written information security program based on the licensee's risk assessment. It shall contain administrative, technical and physical safeguards for the protection of nonpublic information and the licensee's information system. This program shall protect against unauthorized access to or use of nonpublic information to help prevent harm to the consumer. A retention plan should also be included to evaluate how long nonpublic information should be kept and to set a protocol for the destruction of nonpublic information when it is no longer needed.

Risk Assessment and Management – Designate one or more employees or an outside firm to be responsible for the data security program. Identify internal and external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration or destruction of nonpublic information. Also include third-party service providers. Make sure policies and procedures are in place to manage these threats. Employee training, updating network systems, storage of data, transmission of data and disposal of data should all be considered and documented within the program.

Oversight by Board of Directors – If the licensee has a board of directors, the board shall develop, implement and maintain an information security program. Such program shall be reviewed at least annually, with a report on the overall status and compliance. This report shall address issues such as risk management, risk assessment, control decisions, third-party service provider arrangements, results of testing, cyber-security events or violations, and responses to events. It must also address any recommended changes to the program.

Oversight of Third-Party Service Provider Agreements – Licensees shall be responsible for exercising due diligence in selecting third-party service providers. Each third-party service provider shall be required to implement appropriate administrative, technical and physical measures to protect and secure the information systems and nonpublic information held by the third-party provider.

Incident Response Plan – Each licensee shall establish a written incident response plan to promptly respond to, and recover from, a cyber-security event that compromises nonpublic information. This plan shall include an internal process for responding to a cyber-security event, definition of roles, external and internal communications and information sharing, identification and remediation of any weaknesses in the information systems and controls, documenting and reporting of the cyber-security event, and evaluation and revision of the incident response plan following a cyber-security event.

Program Adjustments – The licensee shall monitor, evaluate and adjust, as appropriate, the information security program consistent with any relevant changes in technology, the sensitivity of its nonpublic information, internal or external threats to information, and the licensee's own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements and changes to information systems.

Annual Certification – A written statement shall be submitted to the commissioner by Feb. 15 of each year certifying that the agency is in compliance.


Exceptions

Within Section 9 of the model law, there is an exception for licensees with fewer than 10 employees, including independent contractors, and for individual licensees who are covered by the information security program of another licensee. Licensees that are required to comply with the Health Insurance Portability and Accountability Act (HIPAA) are considered to be in compliance with Section 4 of the model law.

  • Fewer than 10 employees, including independent contractors 
  • Licensee subject to HIPAA and has established and maintains an information security program pursuant to such statutes, rules, regulations, procedures or guidelines established by HIPAA
  • An employee, agent, or representative or designee of a licensee, who is also a licensee if covered by the information security program of the other licensee
  • Licensee who is compliant with the New York Compilation of Codes, Rules and Regulations, Title 23, Part 500 of the Cybersecurity Requirements for Financial Services Companies Act, effective March 1, 2017

If a licensee ceases to qualify for an exception status, it will have 180 days to comply with the model law.

Licensees with exception status must still make notification to the commissioner within 72 hours from the determination of a cyber-security event, and the licensee shall conduct a prompt investigation to determine the nature and scope and identify if any nonpublic information may have been compromised.

Filing for an exception will be determined by each state. Within the New York cyber-security requirements, covered entities must file for an exemption with the New York Department of Financial Services.


Penalties

The model law allows the individual state to determine the penalties set forth for non-compliance.
 

Adoption

Adoption of the model law will be the true test. So far [at press time], South Carolina has adopted the model law, and other states are reviewing for adoption. The South Carolina bill follows the model law almost verbatim. However, some states may decide to make changes to the model law as it is adopted, creating complicated compliance issues for licensees in multiple states. Even today, the varying state data-breach laws create a significant compliance issue for businesses across the country.


Resources

ACT has created an 'Agency Cyber Guide 1.0' to help agents understand the costs for non-compliance, individual regulations, and resources for all the cyber regulations – including NY DFS, NAIC, and Gramm-Leach-Bliley. Click HERE for version 1.0 of the Cyber Guide. 

Note: The ACT 'Security Issues' work group is updating this guide to include a matrix of all vendors offering cyber compliance services. This will be released in August.


From the Editor: George Robertson is owner of Rockingham Insurance in Eden, N.C., an ACT committee member, and president of Robertson Consulting.
