The development and adoption of a model law addressing cybersecurity risks and requirements was a multi-year effort for the National Association of Insurance Commissioners (NAIC) (see the timeline below). The new Model Law closely resembles the New York Department of Financial Services Cybersecurity Requirements for Financial Services Companies regulation that took effect on March 1, 2017. It prescribes an information security program based on a risk assessment and scaled to the size and complexity of the insurer, and it places responsibility for maintaining an adequate program with the company's board. The Model Law will likely be adopted in some form in most states and so provide a national approach to cybersecurity for the insurance industry.
Key Requirements under the Model Law
The Model Law contains the following key sections:
The Model Law applies to a “licensee” pursuant to the insurance laws of [the state]. It does not apply to certain purchasing or risk retention groups chartered and licensed in other states or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.
A cybersecurity event is defined as “an event resulting in unauthorized access to, disruption or misuse of, an information system or information stored on such information system.” Unauthorized acquisition of encrypted nonpublic information is excluded only if the encryption process or key is not also acquired, released or used without authorization; if the key is compromised along with the data, the exclusion does not apply. Nonpublic information accessed by an unauthorized person that has not been used or released and has been returned or destroyed is also excluded.
The Model Law also sets out exceptions to its requirements, the commissioner's enforcement powers, and confidentiality protections for information that a licensee provides to an insurance regulator under the Model Law or that a regulator obtains through an investigation or examination conducted under it.
The NAIC Journey to the Model Law