FTC Safeguards Rule & Cybersecurity Compliance for Insurance Agencies

Is Your Agency Ready for the New FTC Safeguards Rule?

New cybersecurity regulations, including the FTC Safeguards Rule, NAIC Model Laws, and NY DFS 23 NYCRR 500, are now in effect. Compliance is no longer optional—it’s a necessity. Failure to comply can lead to hefty fines, reputational damage, and devastating data breaches.

Stay compliant and protect your agency from risks.
Get a Free Risk Assessment today!


What Your Agency Needs to Know About Growing Regulations

The Federal Trade Commission (FTC) recently made amendments to the existing Safeguards Rule, which requires businesses of all sizes to protect client data. These amendments broaden the definition of financial institutions and the requirements for protecting customer information.

The Safeguards Rule was originally created for financial institutions and businesses handling financial data, such as mortgage firms. However, the new amendments expand the definition to include any business that regularly sends money to and from consumers, including insurance agencies.

To comply with the Safeguards Rule, insurance agencies must:

• Designate a qualified individual to oversee their information security program.

• Conduct a third-party risk assessment of systems to determine foreseeable internal and external threats.

• Implement Multi-Factor Authentication (MFA) or another equivalent method for any individual accessing customer information.

• Encrypt all sensitive information, including medical records, credit cards, Social Security numbers, and birthdays.

• Develop a written risk assessment plan that includes technical scans and questionnaires to reveal security loopholes.

• Limit and monitor access to sensitive customer information, following the principle of least privilege.

• Train employees through security awareness training to stay ahead of cyber liability and crime.

• Develop an incident response plan to be activated immediately when a security compromise occurs.

• Periodically assess service providers to ensure vendors are adhering to Safeguards Rule standards like CIS or NIST.

• Securely dispose of customer information no later than two years after its last use, unless legally required otherwise.

• Maintain logs of authorized user activity and scan for unauthorized access to systems.

Comparing FTC, NAIC Model Laws, and NY DFS

It’s important to note that the Safeguards Rule aligns closely with existing regulations like New York’s Department of Financial Services (NY DFS 23 NYCRR 500) and NAIC’s Model Laws, currently implemented in 22 states.

The main difference is that the FTC Safeguards Rule is a federal regulation that applies across the entire United States, while 23 NYCRR 500 is state-specific to New York. NAIC's model laws serve as guidance for states to adopt their own personal information protection laws.

States that have adopted the Insurance Data Security Model Law include: Alabama, Connecticut, Delaware, Georgia, Illinois, Indiana, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nevada, New Hampshire, New York, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, South Carolina, Tennessee, Texas, Vermont, Virginia, and Wyoming.

Secure Your Agency’s Future Today

Don’t wait any longer to address your cybersecurity compliance needs. At Motiva, we understand the urgency of these regulations. We’ll provide a Free Risk Assessment and discuss your specific situation to ensure you aren't a "sitting duck" for fines or breaches.

Contact us today at 646-374-1820 or visit motiva.net to schedule your consultation.

Get My Free Risk Assessment