The New FTC Safeguards Rule, NAIC Model Laws, NY DFS, and You: What Your Agency Needs to Know About Growing Cybersecurity Compliance Regulations.

The Federal Trade Commission (FTC) recently made amendments to the existing Safeguards Rule, which requires businesses of all sizes to protect client data. These changes, which were set to take effect in December 2022, will now be enforced starting June 9, 2023. These amendments broaden the definition of financial institutions and the requirements for protecting customer information. 

The Safeguards Rule was originally created for financial institutions and businesses handling financial data, such as insurance agencies. However, the new amendments expand the definition to include any business that regularly sends money to and from consumers. These organizations are required to develop, implement, and maintain a comprehensive security program to protect their customers’ information. 

To comply with the Safeguards Rule, insurance agencies must: 

It’s important to note that the Safeguards Rule aligns similarly to existing regulations for financial companies, such as New York’s Department of Financial Services 23 NYCRR 500 law and NAIC’s Model Laws currently implemented in 22 states.

The Federal Trade Commission’s (FTC) Safeguards Rule, the New York State Department of Financial Services’ (DFS) 23 NYCRR 500 regulation, and the National Association of Insurance Commissioners’ (NAIC) model laws, all have similarities in their approach to cybersecurity for insurance agencies. These regulations require businesses to implement comprehensive cybersecurity programs to protect sensitive customer information from cyber threats.

Both regulations require businesses to:

The main difference is that the FTC Safeguards Rule is a federal regulation that applies to businesses across the United States, while 23 NYCRR 500 is a state-specific regulation that applies only to financial institutions operating in New York State. The DFS regulation also requires reporting certain types of cybersecurity events to DFS within 24-72 hours of becoming aware of the event not present in the FTC Safeguards Rule.

NAIC’s model laws are not mandatory regulations but they are drafted to serve as guidance for states to adopt their own laws. NAIC’s model laws include provisions for risk assessments, incident response plans, and regular cybersecurity training. NAIC’s model laws also require insurance agencies to implement reasonable controls to protect nonpublic personal information.

As of January 2023 the states that have adopted the Insurance Data Security Model Law include Alabama, Connecticut, Delaware, Georgia, Illinois, Indiana, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nevada, New Hampshire, New Jersey, New York, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, South Carolina, Tennessee, Texas, Vermont, Virginia, and Wyoming.

All three regulations have the same goal of protecting customer information and maintaining the trust of customers, but compliance with the specific regulations may vary based on the location of the business, the types of sensitive information being handled, and the specific laws adopted by the state. It is important for insurance agencies to stay informed about the latest cybersecurity regulations and best practices, and to work with experts in the field to ensure that their security measures are up to date.

It’s also important to note that insurance companies that operate in multiple states will be subject to the specific regulations and requirements of each state in which they operate, so compliance may vary based on the location of the business.

In summary, small businesses and insurance agencies must be aware of and comply with these regulations to protect nonpublic personal information and maintain the trust of customers.

Don’t wait any longer to address your cybersecurity compliance needs. The FTC Safeguards Rule and regulations from the NAIC and NY DFS are now being enforced and failure to comply can result in significant financial penalties, damage to reputation, and loss of customer trust. At Motiva, we understand the urgency of this matter and are here to help. Schedule a phone consultation with us now by clicking here or calling 646-374-1820. We’ll provide a Free Risk Assessment and discuss your concerns, questions, and specific situation. Don’t be a sitting duck with your agency’s security and your insured’s trust.

If you want to discuss this new rule with us and how to get started with a Risk Assessment, click here for to schedule a phone consultation to discuss your concerns, questions and specific situation. If you prefer, you can call us at 646-374-1820.