What Agents Need To Know About NAIC’s Insurance Data Security Model Law
What Agents Need To Know About NAIC’s Insurance Data Security Model Law

Financial companies, such as insurance agencies, have long been a target of cybercriminals who seek to exploit vulnerabilities in their agency management systems and gain access to sensitive customer information. It’s no surprise that cybercrime has increased 50% year over year, with an attack happening every 39 seconds [University of Maryland]. 

Since 2021 alone, nearly 300 Americans have been affected by data breaches. Over 60% of small businesses that suffer a cyber-attack go out of business even if they pay the demanded ransom, which now averages at $570,000.  

To address these massive cybersecurity concerns, the National Association of Insurance Commissioners (NAIC) developed the Insurance Data Security Model Law in 2017, which standardizes regulations across the U.S. for cybersecurity best practices.  

The NAIC used the New York DFS 23 NYCRR 500 Cybersecurity Regulation as the framework for the Model Laws’ standards. 23 NYCRR 500 is currently the most stringent cybersecurity regulation in the country and quickly has become the baseline standard. However, unlike NYDFS which affects all financial based companies, the NAIC Model Laws only apply to insurance industry companies, agencies, agents, public adjusters, and brokers. 

While all 50 states have passed data breach notification laws, many are still catching up with implementing cybersecurity standards for the modern age.  

The Model Law requires licensees to take specific actions to protect sensitive information from cyber threats. These actions include: 

If a licensee experiences a cybersecurity incident, they must conduct a prompt investigation, determine the nature and scope of the event, what information was involved, and restore the security of the information systems. If the event occurred in a system maintained by a third party, the licensee should ensure that the provider takes the necessary steps and documents them. All records concerning cybersecurity events should be kept for at least five years and must be handed over to the insurance commissioner if requested. 

The NAIC Model Law also recommends that each licensee notifies their state insurance commissioner within 72 hours of discovering a cybersecurity event, and the commissioner of any other state where 250 or more individuals were affected by the event. Licensees should also notify affected parties within the time required by their state’s data breach notification laws. If the cybersecurity event occurred in a system maintained by a third party, the licensee should carry out the same notification process. 

Under the NAIC Model Law, the regulations apply to insurers with ten or more employees, although some states have altered that number based on their own adoption of the laws. 

The Insurance Data Security Model Law has been adopted in several states as of January 2023: including Alabama, Connecticut, Delaware, Georgia, Illinois, Indiana, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nevada, New Hampshire, New Jersey, New York, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, South Carolina, Tennessee, Texas, Vermont, Virginia, and Wyoming. 

Compliance with the NAIC’s cybersecurity regulations is critical for insurance companies. Not only is it required by law, but it is also important for protecting the sensitive information of their customers. Cyber threats are becoming more sophisticated and frequent, and companies that do not take the necessary steps to protect themselves and their customers are putting themselves at risk of significant financial losses and damage to their reputation. Therefore, it is vital for insurance companies to prioritize cybersecurity. 

With over 25 years of experience, we at Motiva Networks can help you plan and see if your data has been compromised with a Free Confidential Cybersecurity Risk Assessment courtesy of the Big “I” NY. Or you can schedule a quick 10-minute call with me directly to discuss any questions you might have HERE.

There is no longer any excuse for not taking proper vital precaution in this day and age. Between the active threat of ransomware and hackers, to multiple facits of the law from state level to federal level for cybersecurity protections, all businesses must he National Association of Insurance Commissioners (NAIC) Privacy Protection Working Group (PPWG) released Insurance Consumer Privacy Protection Model Law #674 (Model 674) on February 1, 2023. New Model 674 was expressly drafted with the objective to supersede NAIC Insurance Information and Privacy Protection Model Act #670 and the Privacy of Consumer Financial and Health Information Regulation #672, which have been in place for decades and widely adopted.

The PPWG attempted to address several objectives and cover various issues in drafting Model 674: 

You can read the draft Model Law here and the cover letter here. Comments on the draft must be submitted by April 3, 2023.

What this means to you

Model 674 demonstrates that the NAIC is continuing to reevaluate its historical approach to privacy compliance requirements and is taking an ever-stricter approach consistent with the broader regulatory community. What remains to be seen is how Model 674, as adopted by states, will affect insurers’ compliance obligations vis-à-vis the patchwork of state data compliance laws and regulations that have recently been adopted or are currently under consideration