Following New York’s lead after the Department of Financial Services (the NYDFS) promulgated its Cybersecurity Regulation,[1] in October 2017 the NAIC adopted its Insurance Data Security Model Law (the NAIC Model)[2] to establish standards for data security, and for the investigation and notification of certain cybersecurity events. The NAIC Model applies to any individual or nongovernmental entity licensed, authorized, or registered under the insurance laws, with certain exceptions. An NAIC task force had been working on cybersecurity standards for two years, but substantially revised its prior working drafts to follow the concepts and terminology used in the NYDFS Cybersecurity Regulation. The NAIC Model will prompt state legislatures to enact cybersecurity requirements that will affect the entire insurance industry, including InsurTech firms and other service providers with access to the data and systems of insureds and producers. Legislation based on the NAIC Model has already been introduced in Rhode Island[3] and South Carolina,[4] and other states are expected to follow in the coming months.
Concerns about the potential for inconsistent or conflicting cybersecurity requirements have been expressed by various insurance industry participants and commentators. The NAIC Model, while based on the NYDFS Cybersecurity Regulation, differs from it in several important respects, as highlighted in our previous article. To address these concerns, a drafters’ note to the NAIC Model states that Licensees in compliance with the NYDFS Cybersecurity Regulation are deemed to be in compliance with the NAIC Model. It remains to be seen whether and to what extent states will incorporate this language; the pending Rhode Island and South Carolina bills referenced above do not. Although the Rhode Island and South Carolina bills follow the NAIC Model virtually verbatim, other states may introduce their own variations, which could complicate compliance efforts for the insurance industry.
Nevertheless, given the importance and reach of the NAIC Model, and the likelihood that states will act soon to adopt it in some version, a close review of its requirements is warranted.
Applicability of the NAIC Model
The NAIC Model applies to “Licensees,” which are defined to include any individual or entity (other than government agencies) operating, or required to operate, under a license, registration, or other authorization under the insurance laws of a state. Purchasing groups and risk retention groups chartered and licensed in another state, as well as assuming insurers that are domiciled in another jurisdiction, are not included in the definition of Licensee for purposes of the NAIC Model.
Given the requirements concerning the security of Third Party Service Providers, defined as described below, many providers of services to Licensees should also review the provisions of the NAIC Model Law.
The NAIC Model Law imposes various obligations to protect the security of “Nonpublic Information” and “Information Systems.”
Licensees with fewer than 10 employees, including independent contractors, are exempt from the NAIC Model. This exemption from all of the requirements of the NAIC Model is in contrast to the limited exemptions for small businesses under the NYDFS Cybersecurity Regulation, under which several of the Regulation’s requirements still apply to otherwise exempt small businesses. HIPAA-covered entities that maintain an Information Security Program under HIPAA are deemed to be in compliance with the NAIC Model requirement for an Information Security Program, provided that a written statement of compliance is submitted. In addition, employees, aides, representatives, and designees of a Licensee are not required to develop their own Information Security Programs to the extent they are covered by the Information Security Program of another Licensee.
“Nonpublic Information” is defined to include the nonpublic information that is commonly defined as personal information for purposes of breach notification statutes: Social Security number; driver’s license or other non-driver identification number; account number, credit or debit card number; security code, access code, or password that would permit access to a consumer’s financial account; or biometric records. In addition, the definition includes certain health and medical information, and business-related information if the tampering with, or unauthorized disclosure, access, or use of, the business information would cause a material adverse impact to the business, operations, or security of the Licensee. Therefore, similar to the approach taken by the NYDFS, these new cybersecurity requirements go beyond requiring the protection of information that is important to consumers, and extend to information that is important to the Licensee’s business and, by extension, the industry.
Also similar to the NYDFS Cybersecurity Regulation, the NAIC Model Law requires protection of “Information Systems,” defined to include industrial/process control systems, telephone switching and private branch exchange systems, and environmental control systems, in addition to systems used for processing data.
Requirements of Licensees
Information Security Program
The backbone of the NAIC Model Law is the requirement for a written Information Security Program, based on the Licensee’s Risk Assessment. This is consistent with prior data protection regimes, including the NYDFS Cybersecurity Regulation and the Massachusetts Data Security Regulation.[5] The Information Security Program must include administrative, technical, and physical safeguards for the protection of Nonpublic Information and Information Systems.
Licensees must designate one or more employees, an affiliate, or an outside vendor to be responsible for the Information Security Program. Unlike the NYDFS Cybersecurity Regulation, the NAIC Model does not specify particular qualifications for this designee. The Risk Assessment required of each Licensee must identify reasonably foreseeable threats to Nonpublic Information and Information Systems, including those that are accessible to, or held by, Third Party Service Providers. It must also assess (i) the likelihood and potential damage of these threats; and (ii) the sufficiency of policies, procedures, Information Systems, and other safeguards. The effectiveness of the Licensee’s safeguards must be assessed no less than annually.
Based on the Risk Assessment, the Licensee must design its Information Security Program to mitigate identified risks, commensurate with the size and complexity of the Licensee’s activities and the sensitivity of the Nonpublic Information. Third Party Service Providers are required to be included in the Risk Management Program. The NAIC Model lists 11 security measures to be implemented as the Licensee deems appropriate. These include access controls, systems and data inventory, physical security, encryption of data transmitted over external networks or stored on mobile devices, application security, multi-factor authentication, testing and monitoring of systems and procedures, maintenance of audit trails, disaster recovery, and secure disposal.
The Risk Management requirements include obligations for awareness training, and the inclusion of cybersecurity risks in the enterprise risk management process of the Licensee.
For Licensees with a Board of Directors, the Board or a Board committee must require the development, implementation, and maintenance of an Information Security Program, and a written report at least annually. The written report must cover the overall status of the Information Security Program and the Licensee’s compliance with the NAIC Model, as well as material matters related to the Information Security Program, including Cybersecurity Events, violations of the Information Security Program, and recommendations for changes.
Third Party Service Providers
The NAIC Model requires Licensees to exercise due diligence in selecting Third Party Service Providers. Third Party Service Providers are defined as persons (other than government agencies) that are not Licensees and that contract with a Licensee to maintain, process, store, or otherwise access Nonpublic Information in providing services to the Licensee. Each Licensee must require its Third Party Service Providers to implement appropriate administrative, technical, and physical measures to secure Information Systems and Nonpublic Information. As a result, many businesses that are not Licensees, but that provide a variety of services to Licensees, will be contractually held to new standards of cybersecurity driven by the NAIC Model.
Licensees are required to keep their Information Security Programs up to date to reflect changes in technology, threats, business arrangements (specifically including mergers and acquisitions, and other business relationships), and Information Systems.
Incident Response Plan
Each Licensee is required to establish a written incident response plan designed to promptly respond to, and recover from, any Cybersecurity Event (as defined below) that compromises the confidentiality, integrity, or availability of Nonpublic Information in its possession, its Information Systems, or the continuing functionality of any aspect of the Licensee’s business or operations. The NAIC Model requires eight specific elements to be addressed in the incident response plan.
Each year, by February 15, each domestic insurer is required to submit to the Commissioner a written certification of compliance with the NAIC Model. Note that, unlike the NYDFS Cybersecurity Regulation, this requirement applies only to insurers, and not to other Licensees.
The NAIC Model includes certain specific requirements in connection with a Cybersecurity Event, including specific requirements for investigations and a requirement to notify the Commissioner within 72 hours of determining that certain Cybersecurity Events have occurred. “Cybersecurity Event” is defined by the NAIC Model to mean an event resulting in unauthorized access to, or disruption or misuse of, an Information System or information stored on an Information System, other than (i) an event involving encrypted information (unless the security of the encryption is also jeopardized), or (ii) an event where the Licensee determines that the Nonpublic Information affected by the Cybersecurity Event has not been used or released, or has been returned or destroyed.
Licensees are required to investigate potential Cybersecurity Events promptly. At a minimum, the investigation by the Licensee or its outside vendor is required to determine the following facts to the extent possible:
- Whether a Cybersecurity Event has occurred;
- The nature and scope of the Cybersecurity Event;
- Nonpublic Information that may have been affected; and
- Reasonable measures to restore the security of the compromised Information Systems.
Once a Cybersecurity Event has been determined to have occurred, the Licensee must provide notice (i) to the Commissioner of the department regulating insurance in the Licensee’s state of domicile or home state; or (ii) to the Commissioner of another state if the Licensee reasonably believes that the Cybersecurity Event affects the Nonpublic Information of 250 or more consumers residing in that state and either (a) requires notice to a government agency, or (b) has a reasonable likelihood of materially harming any consumer in that state, or any material part of the normal operations of the Licensee.
The notice must provide as much information concerning the Cybersecurity Event as possible, and the Model Law includes thirteen specific data points to be provided in the notification. While there is no independent obligation under the NAIC Model to notify consumers, the Licensee is required to comply with applicable state breach notification laws, and to provide a copy of such notices to the Commissioners of the implicated states. As for Cybersecurity Events involving Third Party Service Providers, the NAIC Model requires Licensees to treat such events as their own, provided that the obligation to investigate and provide notice can be delegated by agreement between the Licensee and the Third Party Service Provider.
The Model Law also specifically provides that reinsurers must provide notice to insurers of Cybersecurity Events.
Similarly, insurers are required to notify producers of record of Cybersecurity Events.
The NAIC Model provides that information provided to the department pursuant to the NAIC Model is confidential and privileged, and is not subject to Freedom of Information Act and other similar requests, to subpoena, or to discovery in a civil case.
1. 23 NYCRR 500.
2. NAIC Model Law 668.
3. S. 2497 and H. 7789 (RI 2018).
4. H. 4655 (S.C. 2018).
5. 23 NYCRR 500; 201 CMR 17.00.