Financial companies, such as insurance agencies, have long been a target of cybercriminals who seek to exploit vulnerabilities in their agency management systems and gain access to sensitive customer information. It’s no surprise that cybercrime has increased 50% year over year, with an attack happening every 39 seconds [University of Maryland].
Since 2021 alone, nearly 300 Americans have been affected by data breaches. Over 60% of small businesses that suffer a cyber-attack go out of business even if they pay the demanded ransom, which now averages $570,000.
To address these massive cybersecurity concerns, the National Association of Insurance Commissioners (NAIC) developed the Insurance Data Security Model Law in 2017, which standardizes regulations across the U.S. for cybersecurity best practices.
The NAIC used the New York DFS 23 NYCRR 500 Cybersecurity Regulation as the framework for the Model Law’s standards. 23 NYCRR 500 is currently the most stringent cybersecurity regulation in the country and has quickly become the baseline standard. However, unlike NYDFS, which applies to all financial companies, the NAIC Model Law only applies to insurance industry companies, agencies, agents, public adjusters, and brokers.
While all 50 states have passed data breach notification laws, many are still catching up with implementing cybersecurity standards for the modern age.
The Model Law requires licensees to take specific actions to protect sensitive information from cyber threats. These actions include:
- Assess and manage risk: Conduct annual risk assessments to identify potential threats to the security of information systems. Implement and maintain an information security program to manage these risks.
- Board oversight: Have board of director oversight in the information security program's implementation and maintenance. This should include an annual review of the program.
- Third-party service provider oversight: Only use trustworthy third-party service providers. Require them to implement appropriate safeguards to protect sensitive information.
- Incident response plan: Develop a written incident response plan that outlines how to respond to and recover from a cybersecurity event.
- Incident response testing: Periodically test the incident response plan to ensure that it is effective and up-to-date.
- Cybersecurity awareness training: Provide training to employees on how to identify and report potential cybersecurity events.
- Multi-factor authentication: Implement multi-factor authentication for anyone accessing nonpublic information.
- Encryption: Encrypt nonpublic information when transmitted over external networks or when at rest on a portable device.
- Access controls: Use access controls to limit access to nonpublic information to those who need it.
- Data disposal: Develop and implement policies and procedures for the secure disposal of nonpublic information.
- Information security monitoring: Regularly monitor information systems and networks for potential security events.
- Program adjustments: Monitor and make necessary adjustments to the information security program to keep up with evolving technology and threats.
- Cybersecurity insurance: Consider obtaining cybersecurity insurance to mitigate risk in the event of a cybersecurity incident.
- Annual certification: Submit an annual written statement certifying compliance with the information security requirements to the state's insurance commissioner.
If a licensee experiences a cybersecurity incident, it must conduct a prompt investigation, determine the nature and scope of the event and what information was involved, and restore the security of the information systems. If the event occurred in a system maintained by a third party, the licensee should ensure that the provider takes the necessary steps and documents them. All records concerning cybersecurity events should be kept for at least five years and must be handed over to the insurance commissioner if requested.
The NAIC Model Law also recommends that each licensee notify its state insurance commissioner within 72 hours of discovering a cybersecurity event, and the commissioner of any other state where 250 or more individuals were affected by the event. Licensees should also notify affected parties within the time required by their state’s data breach notification laws. If the cybersecurity event occurred in a system maintained by a third party, the licensee should carry out the same notification process.
Under the NAIC Model Law, the regulations apply to insurers with ten or more employees, although some states have altered that number based on their own adoption of the laws.
The Insurance Data Security Model Law has been adopted in several states as of January 2023: including Alabama, Connecticut, Delaware, Georgia, Illinois, Indiana, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nevada, New Hampshire, New Jersey, New York, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, South Carolina, Tennessee, Texas, Vermont, Virginia, and Wyoming.
Compliance with the NAIC’s cybersecurity regulations is critical for insurance companies. Not only is it required by law, but it is also important for protecting the sensitive information of their customers. Cyber threats are becoming more sophisticated and frequent, and companies that do not take the necessary steps to protect themselves and their customers are putting themselves at risk of significant financial losses and damage to their reputation. Therefore, it is vital for insurance companies to prioritize cybersecurity.
With over 25 years of experience, we at Motiva Networks can help you plan and see if your data has been compromised with a Free Confidential Cybersecurity Risk Assessment courtesy of the Big “I” NY. Or you can schedule a quick 10-minute call with me directly to discuss any questions you might have HERE.
There is no longer any excuse for not taking proper, vital precautions in this day and age. Between the active threat of ransomware and hackers, and the multiple facets of the law from the state level to the federal level for cybersecurity protections, all businesses must

The National Association of Insurance Commissioners (NAIC) Privacy Protection Working Group (PPWG) released Insurance Consumer Privacy Protection Model Law #674 (Model 674) on February 1, 2023. New Model 674 was expressly drafted with the objective of superseding NAIC Insurance Information and Privacy Protection Model Act #670 and the Privacy of Consumer Financial and Health Information Regulation #672, which have been in place for decades and are widely adopted.
The PPWG attempted to address several objectives and cover various issues in drafting Model 674:
- Enhance transparency in terms of how a consumer’s data is collected, processed, shared, and retained. Section 4 is of particular interest for the limits it imposes on insurers regarding when consent would be required.
- Address the issue of data minimization and broad sharing limitations.
- Require consumer consent before personal information is shared with other entities, or entities outside the U.S. where there may not be conforming privacy protections protecting the information. This could significantly impact even affiliate sharing practices in place in the industry.
- Definitively prohibit insurers from selling consumers’ personal information.
- Ensure that a consumer has the right to have his or her personal information amended or corrected, unless an insurer can show good cause for refusal to make said amendment or correction.
- Model 674 adds a record retention requirement rather than a “right to be forgotten” provision as has become common in recent state consumer data protection laws. This is due to the industry’s generally longer timeframe required to maintain consumer information. However, the model would impose a requirement on insurers to delete consumer data within a set period after it is no longer required by the insurer.
- Oversight of third-party service providers remains primarily the responsibility of the licensed insurer.
- There is a safe harbor provision for entities that comply with the Health Insurance Portability and Accountability Act (HIPAA).
- Many of the concepts in Model 674 are derived from recent state privacy laws, although the PPWG acknowledges that the model will likely require amendments following industry input.
You can read the draft Model Law here and the cover letter here. Comments on the draft must be submitted by April 3, 2023.
What this means to you
Model 674 demonstrates that the NAIC is continuing to reevaluate its historical approach to privacy compliance requirements and is taking an ever-stricter approach consistent with the broader regulatory community. What remains to be seen is how Model 674, as adopted by states, will affect insurers’ compliance obligations vis-à-vis the patchwork of state data compliance laws and regulations that have recently been adopted or are currently under consideration.