What's in NAIC's Data Security Model Law

By Michael Nadeau

February 05, 2018

The recent development and adoption of a model law to address cybersecurity risks and requirements was a multi-year road for the National Association of Insurance Commissioners (NAIC). (See timeline below). The new Model Law closely resembles the New York Department of Financial Services Cybersecurity Requirements for Financial Services Companies regulation that took effect on March 1, 2017. It prescribes a security program based on a risk assessment appropriate to the size and complexity of the insurance company and places the responsibility for an adequate program with the company’s board. The Model Law will likely be adopted in some form in most states and provide a national approach to cybersecurity for the insurance industry.

Key Requirements under the Model Law
The Model Law contains the following key sections:

APPLICATION
The Model Law applies to a “licensee” pursuant to the insurance laws of [the state]. It does not apply to certain purchasing or risk retention groups chartered and licensed in other states or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.

DEFINITION
A cybersecurity event is defined as “an event resulting in unauthorized access to, disruption or misuse of, an information system or information stored on such information system.” Encrypted nonpublic information is excluded if the encryption process or key is not also acquired, released or used without authorization. Nonpublic information accessed by an unauthorized person that has not been used or released and has been returned or destroyed is also excluded.

REQUIREMENTS

  • Each applicable licensee will be required to develop, implement and maintain a comprehensive written Information Security Program. The program will be based on a risk assessment and describe the administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee’s information system. It should be commensurate with the size and complexity of the licensee and the nature and scope of the licensee’s activities. This includes the use of third-party service providers and the sensitivity of the nonpublic information used by or in the possession of the licensee.
  • A licensee is to establish a written incident response plan. The plan is to describe how the licensee will respond to and recover from a cybersecurity event.
  • Each insurer domiciled in [the state] will be required to submit a written statement to the commissioner annually certifying that the insurer is in compliance with the requirements set forth in the act. Each insurer is to maintain all records, schedules and data supporting the certification for a period of five years.
  • Each licensee must promptly investigate a cybersecurity event. This includes events that have or may have occurred and applies to vendors and service providers designated to act on behalf of the licensee.
  • If a cybersecurity event has occurred, there are provisions for notification to the commissioner(s), consumers and producers of record. It also contains notice provisions for cybersecurity events of third-party service providers and of reinsurers to insurers.

The Model Law also includes exceptions, the commissioner's enforcement powers, and confidentiality protections for certain information that is provided to an insurance regulatory body pursuant to the Model Law or as a result of an investigation or examination conducted under it.

For more information or to obtain a copy of the Insurance Data Security Model Law, visit the NAIC Website.

The NAIC Journey to the Model Law
