What Agents Need To Know About NAIC’s Insurance Data Security Model Law

Financial companies, such as insurance agencies, have long been a target of cybercriminals who seek to exploit vulnerabilities in their agency management systems and gain access to sensitive customer information. It’s no surprise that cybercrime has increased 50% year over year, with an attack happening every 39 seconds.

Since 2021 alone, nearly 300 Americans have been affected by data breaches. Over 60% of small businesses that suffer a cyberattack go out of business even if they pay the demanded ransom, which now averages $570,000.

To address these concerns, the National Association of Insurance Commissioners (NAIC) adopted the Insurance Data Security Model Law in October 2017. As a model law it has no force of its own; it gives each state a common template for cybersecurity requirements in the insurance sector that the state can enact, with or without changes, through its own legislature.

The NAIC used the New York Department of Financial Services (NYDFS) Cybersecurity Regulation, 23 NYCRR 500, as the framework for the Model Law’s standards. 23 NYCRR 500 is widely regarded as the most stringent cybersecurity regulation in the country and has quickly become a baseline for other regulators. The two differ in scope, however: 23 NYCRR 500 applies to every entity licensed or regulated by the NYDFS (banks, insurers, and other financial services firms), while the NAIC Model Law applies only to insurance licensees, meaning insurers, agencies, agents, brokers, and public adjusters.

While all 50 states have passed data breach notification laws, many are still catching up with implementing cybersecurity standards for the modern age.

The Model Law requires licensees to take specific actions to protect nonpublic information (the personal, financial, and health information of consumers, and the licensee’s own business-sensitive data) from cyber threats. These actions include:

Assess and manage risk: Conduct annual risk assessments to identify potential threats to the security of information systems. Implement and maintain an information security program to manage these risks.

Board oversight: Where the licensee has a board of directors, the board (or an appropriate committee of it) must require executive management to develop, implement, and maintain the information security program, and must receive a written report on the program and its material cybersecurity events at least annually.

Third-party service provider oversight: Exercise due diligence in selecting third-party service providers and require them, by contract, to implement appropriate administrative, technical, and physical safeguards for the nonpublic information and systems they handle on the licensee’s behalf.

Incident response plan: Develop a written incident response plan that outlines how to respond to and recover from a cybersecurity event.

Incident response testing: Periodically test the incident response plan to ensure that it is effective and up-to-date.

Cybersecurity awareness training: Provide training to employees on how to identify and report potential cybersecurity events.

Multi-factor authentication: Use effective access controls, which the Model Law says may include multi-factor authentication, for any individual accessing nonpublic information. In practice, regulators and examiners treat MFA on remote access and on any system holding nonpublic information as the expected control.

Encryption: Protect nonpublic information, by encryption or other appropriate means, while it is transmitted over an external network and while it is stored on a laptop or other portable computing or storage device or media.

Access controls: Use access controls to limit access to nonpublic information to those who need it.

Data disposal: Develop and implement policies and procedures for the secure disposal of nonpublic information.

Information security monitoring: Regularly monitor information systems and networks for potential security events.

Program adjustments: Monitor and make necessary adjustments to the information security program to keep up with evolving technology and threats.

Cybersecurity insurance: Consider obtaining cybersecurity insurance to mitigate risk in the event of a cybersecurity incident.

Annual certification: Each insurer domiciled in the state must submit a written statement to the state’s insurance commissioner (by February 15 of each year under the Model Law) certifying that it complies with the information security program requirements, and must keep the records supporting that certification available for examination.

If a licensee learns that a cybersecurity event has or may have occurred, it must promptly investigate: determine whether an event actually took place, assess its nature and scope, identify any nonpublic information that may have been involved, and take reasonable measures to restore the security of the affected information systems. If the event occurred in a system maintained by a third-party service provider, the licensee must either perform this investigation itself or confirm and document that the provider has done so. All records concerning cybersecurity events must be kept for at least five years from the date of the event and produced to the insurance commissioner on demand.

The NAIC Model Law also requires each licensee to notify its home-state insurance commissioner as promptly as possible, and in no event later than 72 hours after determining that a cybersecurity event has occurred. The commissioner of any other state must also be notified when the licensee reasonably believes that the nonpublic information of 250 or more consumers residing in that state was involved and either another law requires notice to a government body or the event is reasonably likely to materially harm those consumers or a material part of the licensee’s normal operations. Affected consumers must be notified within the time required by the applicable state data breach notification law. If the cybersecurity event occurred in a system maintained by a third-party service provider, the licensee must treat it as its own event and carry out the same notification process.

Under the NAIC Model Law, a licensee with fewer than ten employees (independent contractors included) is exempt from the information security program requirements, although the investigation and notification requirements still apply. Some states have changed that threshold or narrowed the exemption in their own adoptions of the law, so check the version enacted in each state where you are licensed.

As of January 2023, the Insurance Data Security Model Law, or a state law based on it, had been adopted in Alabama, Connecticut, Delaware, Georgia, Illinois, Indiana, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nevada, New Hampshire, New Jersey, New York, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, South Carolina, Tennessee, Texas, Vermont, Virginia, and Wyoming.

Compliance with the NAIC’s cybersecurity requirements is critical for insurance companies and agencies. In the states that have adopted the Model Law it is required by law, and everywhere it is the practical baseline for protecting customers’ sensitive information. Cyber threats are becoming more sophisticated and frequent, and licensees that do not take these steps are exposing themselves and their customers to significant financial losses and reputational damage. Insurance companies should therefore prioritize cybersecurity.

With over 25 years of experience, we at Motiva Networks can help you plan and see if your data has been compromised with a Free Confidential Cybersecurity Risk Assessment courtesy of the Big “I” NY. Or you can schedule a quick 10-minute call with me directly to discuss any questions you might have HERE.

Get My Free Risk Assessment