NAIC Cybersecurity Model Law

Dec. 13, 2017 

By Michael J. Del Giudice, CISSP, CRISC, and David A. Roberts, CPA

With the National Association of Insurance Commissioners (NAIC) adopting its Insurance Data Security Model Law, many insurance entities are focusing on how their states’ regulatory agencies will apply the model law’s cybersecurity risk management and notification requirements. Ultimately, however, regulatory compliance should be viewed as only one aspect of a robust and multifaceted cybersecurity strategy.

The NAIC Model Law – Why It Matters

The final release of the NAIC’s Insurance Data Security Model Law is the culmination of two years of debate and development, as part of an effort to establish uniform industry standards and practices regarding the protection of consumers’ personally identifiable information. Regulatory requirements for protecting consumer data and responding to breaches vary from state to state, so one of the chief objectives of the NAIC has been to improve consistency across various jurisdictions.

The NAIC is the standard-setting and regulatory support organization created and governed by the chief insurance regulators from the 50 states, the District of Columbia, and five U.S. territories. So while the model law itself is not binding, it is expected that most U.S. state legislatures will adopt most, if not all, of its language when drafting laws covering insurance entities’ data security, investigation, and notification requirements.

This consistency in language is particularly important since several states – most notably New York – have been developing their own cybersecurity risk management and notification requirements. To avoid further complicating things for insurance companies operating in more than one state, the final NAIC model law specifies that if a company is in compliance with New York’s “Cybersecurity Requirements for Financial Services Companies,” it should be considered in compliance with the NAIC model law requirements.

The model law itself underwent significant revisions since it was introduced in March 2016 – the current iteration actually is the sixth version of the document. The current language was approved by both the NAIC Cybersecurity Working Group and the organization’s Innovation and Technology Task Force. The NAIC adopted the current version of the model law on Oct. 24, 2017, during a joint meeting of the Executive Committee and Plenary. As such, the final version of the model law is available in time for the various states' legislative sessions.

The NAIC Model Law – A Closer Look

As one might expect, the development of the NAIC model law generated considerable controversy as competing standards, principles, and ideas were suggested, debated, and ultimately resolved. The foundation for the model law is found in several earlier NAIC documents including the NAIC Principles for Effective Cybersecurity Insurance Regulatory Guidance, which was adopted in April 2015.

This document was not a law or suggested legislation, but rather a set of 12 guiding principles for state insurance regulators, insurers, and producers to follow as they set out to establish standards for protecting consumers and their data. It addressed standard data security measures including incident response planning, and called on state insurance regulators to provide guidance for creating cybersecurity programs that are “flexible, scalable, practical, and consistent.”¹

Another 2015 document, issued later in the year, was the NAIC Road Map for Cybersecurity Consumer Protections. This road map contained a series of recommendations outlining a “bill of rights” for consumers regarding the protection of their personal and financial data. Among other principles, it spelled out consumers’ right to understand the types of data being collected, the privacy policies and protective steps being taken, and their right to notification and other appropriate measures in the event of a breach or identity theft.²

The final NAIC Insurance Data Security Model Law incorporates the earlier principles and road map documents and expands upon them. Following are some of the most significant provisions³:

• The law requires all insurance licensees doing business in the state to develop, implement, and maintain a comprehensive written information security program. This requirement applies to any person or nongovernmental organization that is required to be licensed, authorized, or registered pursuant to the state’s insurance laws, including insurers, agencies, and brokers. Exceptions are made for licensees with fewer than 10 employees, and for employees, agents, representatives, or designees who already are covered by another licensee’s information security program.
• Although early versions of the model law required the use of specific cybersecurity frameworks, the final version does not. Instead, it says only that the written information security program must contain “administrative, technical, and physical safeguards” for the protection of nonpublic information. The program also must be commensurate with the size and complexity of the licensee, the nature and scope of its activities, and the sensitivity of the nonpublic information that is in its control, either directly or through third-party providers.
• Licensees are required to perform annual risk assessments to evaluate the effectiveness of key controls, systems, and procedures, and must submit an annual certification to the state’s insurance commissioner certifying that the company is in compliance with all the security program requirements.
• Depending on the findings of the risk assessment, licensees must implement appropriate security measures such as access and authentication controls, physical access restrictions, encryption, testing and monitoring of systems to detect attacks and intrusions, and measures to protect against the destruction, loss, or damage of such information.
• The licensee’s information security program must include a written incident response plan designed to promptly respond to or recover from any cybersecurity event that compromises nonpublic information or the company’s information system itself.
• When a licensee discovers a data breach or cybersecurity event, it must notify its state insurance commissioner within 72 hours. If the breach affects the records of 250 or more residents of another jurisdiction, the licensee must notify that state’s officials as well.
• Rather than spelling out specific requirements for notifying affected consumers when a breach occurs as earlier versions of the model law did, the final version defers to each state’s existing data breach notification laws.
• The model law establishes oversight responsibilities by a company’s board of directors as well as specific details regarding third-party risk management requirements. It also includes an extensive list of standard definitions and general requirements, as well as details that must be included in each company’s information security plan.
• The law does not spell out penalties for violations, but instead defers to each state’s existing general penalty statutes.

The implementation schedules for the NAIC model law will vary from state to state, depending on the states’ legislative calendars. In most cases, however, insurers should expect that they will need to develop and implement a compliant information security plan for each of the various states in which they do business, and will need to do so in a relatively short time.

As mentioned earlier, any licensee that is in compliance with New York’s “Cybersecurity Requirements for Financial Services Companies” will be considered to be in compliance with this law as well. In addition, a licensee that maintains an information security program that meets the requirements of the Health Insurance Portability and Accountability Act (HIPAA) also will be considered to be in compliance with the information security program requirements, but it must submit a written statement certifying its compliance.

The Bigger Picture – IT Risk Management

The adoption of the NAIC model law is part of a broader industry trend that has seen regulatory requirements related to cybersecurity become increasingly specific and far-reaching. The cybersecurity regulations issued by the New York State Department of Financial Services and recent updates to HIPAA guidance are examples of this heightened concern over cybersecurity. Knowing this, virtually all insurance-related businesses should already be making plans and studying what other regulated industries have done to adopt effective cybersecurity measures.

It is important to understand, however, that regulatory compliance is only one component of the overall risk management environment. The need for compliance is an important consideration, and often serves as the driving force for securing necessary resources. But a successful approach will look beyond compliance to take a broader, more holistic view.

The overall goal of a cybersecurity program – and of IT risk management in general – is to provide for the confidentiality, integrity, and availability of information assets. Typically, this involves numerous complex and highly interrelated components, as depicted in the exhibit.

The IT Risk Management Process

Source: Crowe analysis

The complex challenge of IT risk management can be made less overwhelming by organizing the effort into four broad steps or phases:

1. Conduct risk and threat assessment. Inventory the relevant assets including applications, infrastructure, documentation, and third parties. Then evaluate the likelihood and potential impact of various types of incidents such as a breach or theft of data, as well as the effectiveness of existing controls designed to reduce the likelihood that an attack would be successful.
     
2. Define control objectives. A fundamental objective is to implement a unified control framework, whether based on the National Institute of Standards and Technology (NIST) framework or some other foundation. The framework should define the necessary controls to manage the identified risks.
     
3. Implement risk management programs. The organization should implement programs to execute the control objectives and to manage the identified risks. One way to reduce the average cost of a breach is to have a dedicated incident response team in place, which decreases cost by improving the effectiveness and efficiency of the organization’s responsiveness and reducing the overall effect when an incident occurs. Nevertheless, a significant number of organizations have no breach response plan in place, and even more have plans that have not been updated recently.
   
   In addition to the specific cybersecurity risk management programs illustrated in the exhibit, an effective overall third-party risk management effort also is important. Most organizations perform minimal oversight of their vendors’ control environments – a potentially costly weakness. The Ponemon study found that third-party involvement in the cause of a data breach increased the average cost to the organization by almost 9 percent (from $158 per record when third parties were not involved to $172 per record when they were).⁴
     
4. Conduct security assessments. By using strong internal audit practices, penetration testing, and other security assessments that are already in place, companies should evaluate independently the effectiveness of their risk management programs.

In the longer term, these specific steps can help support companies’ efforts to pursue a more strategic approach to risk management. Such a strategic approach will also include analysis of residual risk as part of the process of defining each organization’s overall risk appetite and tolerance. Building on that understanding, companies can then determine the appropriate treatment strategy – avoid, transfer, mitigate, or accept – for each of the identified gaps or unacceptable risks.

Security Awareness – a Shared Responsibility

Although the adoption of the NAIC model law has driven much of the recent discussion of cybersecurity issues in the insurance industry, it is important to recognize that cybersecurity is more than just a topic of passing concern. Rather, it is an ongoing, long-term challenge that requires strategic-level planning and commitment, along with consistently applied risk management practices.

As technological advances continue to accelerate, both the advantages and the risks will continue to increase. To deal with cybersecurity risk effectively – and to avoid becoming the next data breach headline – there must be an enterprisewide recognition that cybersecurity is not just the concern of the risk management or IT functions. Rather, security awareness is everyone’s responsibility, and everyone has a stake in effectively managing the risk.

¹ “Principles for Effective Cybersecurity: Insurance Regulatory Guidance,” NAIC webpage, http://www.naic.org/documents/committees_ex_cybersecurity_tf_final_principles_for_cybersecurity_guidance.pdf
² “NAIC Road Map for Cybersecurity Consumer Protections,” NAIC webpage, http://www.naic.org/documents/committees_ex_cybersecurity_tf_related_roadmap_cybersecurity_consumer_protections.pdf
³ “Insurance Data Security Model Law,” NAIC Fourth Quarter 2017, http://www.naic.org/documents/cmte_ex_cswg_related_ins_data_security_model.pdf
⁴ “2016 Cost of Data Breach Study: Global Analysis,” Ponemon Institute LLC, June 2016, http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=SEL03094WWEN, page 14.