The New FTC Safeguards Rule, NAIC Model Laws, NY DFS, and You: What Your Agency Needs to Know About Growing Cybersecurity Compliance Regulations.
The Federal Trade Commission (FTC) recently made amendments to the existing Safeguards Rule, which requires businesses of all sizes to protect client data. These changes, which were set to take effect in December 2022, will now be enforced starting June 9, 2023. These amendments broaden the definition of financial institutions and the requirements for protecting customer information.
The Safeguards Rule was originally created for financial institutions and businesses handling financial data, such as insurance agencies. However, the new amendments expand the definition to include any business that regularly sends money to and from consumers. These organizations are required to develop, implement, and maintain a comprehensive security program to protect their customers’ information.
To comply with the Safeguards Rule, insurance agencies must:
- Designate a qualified individual to oversee their information security program. This person should be trained in information security, receive continuing education in security, and be responsible for ensuring that the organization is correctly executing the written information security plan.
- Conduct a third-party risk assessment of your systems. After completing that inventory of systems, conduct an assessment to determine foreseeable risks and threats – internal and external – to the security, confidentiality, and integrity of customer information.
- Implement multifactor authentication or another method of equivalent protection for any individual accessing customer information. Often referred to as "2FA," this process ensures that anyone logging in to an account must also confirm the login through another factor, such as a code sent to a cell phone or email.
- Encrypt all sensitive information. This includes medical records, credit card numbers, clients' email addresses, phone numbers, Social Security numbers, driver's license information, and birthdays.
- Develop a written risk assessment plan. This assessment should include a technical scan and a questionnaire to reveal common security loopholes. It should be reviewed annually, but best practices suggest reviewing it quarterly or monthly if the business handles a lot of sensitive information and the owner has a low tolerance for risk.
- Limit and monitor who can access sensitive customer information. For example, rather than giving the entire team access to the credit card processing system, allow only one employee and one backup person to access it.
- Train security personnel. Employee awareness training is key to not only complying with the law but also to getting and keeping insurance coverage on cyber liability, crime, and other insurance policies.
- Develop an incident response plan. This plan should be in place for when a security compromise occurs.
- Periodically assess the security practices of service providers. This includes ensuring that vendors are adhering to the Safeguards Rule and security frameworks such as CIS or NIST.
- Securely dispose of customer information no later than two years after your most recent use of it to serve the customer. The only exceptions: if you have a legitimate business need or legal requirement to hold on to it or if targeted disposal isn’t feasible because of the way the information is maintained.
- Anticipate and evaluate changes to your network or information systems. Any changes or upgrades to technology can undermine existing security measures.
- Maintain logs of authorized users' activity and scan those logs for unauthorized access to systems.
It’s important to note that the Safeguards Rule aligns closely with existing regulations for financial companies, such as the New York Department of Financial Services' 23 NYCRR 500 regulation and the NAIC Model Laws currently implemented in 22 states.
The Federal Trade Commission’s (FTC) Safeguards Rule, the New York State Department of Financial Services’ (DFS) 23 NYCRR 500 regulation, and the National Association of Insurance Commissioners’ (NAIC) model laws all take a similar approach to cybersecurity for insurance agencies. Each requires businesses to implement a comprehensive cybersecurity program to protect sensitive customer information from cyber threats.
Both the FTC Safeguards Rule and the DFS regulation require businesses to:
- Designate a qualified individual to oversee their information security program.
- Conduct annual risk assessments and maintain a written plan that is reviewed regularly.
- Limit and monitor who can access sensitive customer information.
- Encrypt all sensitive information.
- Train security personnel.
- Develop an incident response plan.
- Periodically assess the security practices of service providers.
- Implement multifactor authentication or another method with equivalent protection for any individual accessing customer information.
The main difference is that the FTC Safeguards Rule is a federal regulation that applies to businesses across the United States, while 23 NYCRR 500 is a state-specific regulation that applies only to financial institutions operating in New York State. The DFS regulation also requires reporting certain types of cybersecurity events to DFS within 24-72 hours of becoming aware of the event, a requirement that is not present in the FTC Safeguards Rule.
NAIC’s model laws are not mandatory regulations; they are drafted to serve as guidance for states to adopt their own laws. NAIC’s model laws include provisions for risk assessments, incident response plans, and regular cybersecurity training. They also require insurance agencies to implement reasonable controls to protect nonpublic personal information.
As of January 2023, the states that have adopted the Insurance Data Security Model Law include Alabama, Connecticut, Delaware, Georgia, Illinois, Indiana, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nevada, New Hampshire, New Jersey, New York, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, South Carolina, Tennessee, Texas, Vermont, Virginia, and Wyoming.
All three regulations have the same goal of protecting customer information and maintaining the trust of customers, but compliance with the specific regulations may vary based on the location of the business, the types of sensitive information being handled, and the specific laws adopted by the state. It is important for insurance agencies to stay informed about the latest cybersecurity regulations and best practices, and to work with experts in the field to ensure that their security measures are up to date.
It’s also important to note that insurance companies that operate in multiple states will be subject to the specific regulations and requirements of each state in which they operate, so compliance may vary based on the location of the business.
In summary, small businesses and insurance agencies must be aware of and comply with these regulations to protect nonpublic personal information and maintain the trust of customers.
Don’t wait any longer to address your cybersecurity compliance needs. The FTC Safeguards Rule and the regulations from the NAIC and NY DFS are now being enforced, and failure to comply can result in significant financial penalties, damage to reputation, and loss of customer trust. At Motiva, we understand the urgency of this matter and are here to help. Schedule a phone consultation with us now by clicking here or calling 646-374-1820. We’ll provide a free Risk Assessment and discuss your concerns, questions, and specific situation. Don’t be a sitting duck with your agency’s security and your insureds’ trust.
If you want to discuss this new rule with us and how to get started with a Risk Assessment, click here for motiva.net to schedule a phone consultation about your concerns, questions, and specific situation. If you prefer, you can call us at 646-374-1820.