NAIC Proposed Insurance Data Security Model Law Explained

Michael Bahar, John S. Pruitt, Mary J. Wilson-Bilik, Alexander F. L. Sand | October 18, 2017

The National Association of Insurance Commissioners' (NAIC) proposed "Insurance Data Security Model Law" establishes minimum cyber-security standards consistent with New York's cyber-security regulation. The model law was approved in August 2017 by key NAIC bodies, providing an indication of increasing consensus among federal and state agencies regarding the core cyber-security practices that businesses across sectors will be expected to meet.

Both the Cybersecurity (EX) Working Group and the Innovation and Technology (EX) Task Force adopted the revised sixth version of the model law. Only Arkansas, New Mexico, and Utah voted against adoption of the model law at the Working Group level. The model law continues on to the Executive Committee and then to the joint Executive/Plenary for final adoption. The exact timing for the last approvals is uncertain.

The model law substantially tracks language from New York's recently adopted regulation, Cybersecurity Requirements for Financial Services Companies. Like New York's regulation, the model law essentially promotes a proactive, holistic, and risk-based cyber-strategy, including requirements such as the following.

  • Maintaining an information security program based on a cyber-security risk assessment
  • Evaluating and addressing cyber-security risks posed by third-party service providers
  • Requiring oversight by the board of directors
  • Establishing a written incident response plan
  • Providing an annual certification of compliance to departments of insurance
  • Investigating and providing notice to departments of insurance regarding cyber-security events

The model law, however, generally stops short of including many of the more specific and nuanced requirements included in the New York regulation, opting instead to require licensees to determine which controls listed in the model law are appropriate for them. Additionally, the model law establishes specific requirements for reinsurers to provide notice to insurers of cyber-security events, an issue that was not specifically addressed by the New York regulation. The model law also applies to a potentially different set of insurance "licensees" than the New York regulation but does similarly apply to life, property and casualty, and health insurers, as well as producers.

The revised sixth draft of the proposed model law made limited changes to the previous revision. Significant changes include the addition of a drafting note stating that companies in compliance with the New York regulation also meet the requirements of the model law, the removal and simplification of detailed requirements regarding third-party service providers, and the replacement of the annual report requirement contained in the previous draft with an annual certification requirement in line with the New York regulation.

The proposed model law was originally intended to be finalized by the end of 2016 but failed to meet that deadline due to opposition from all sides to various sections of earlier drafts. The version adopted at the NAIC's 2017 Summer National Meeting was developed after New York Superintendent of Financial Services Maria Vullo urged the Cybersecurity (EX) Working Group to adopt New York's cyber-security regulation as its model at the NAIC's Spring National Meeting. By doing so, the NAIC moved away from attempting to establish a uniform consumer breach reporting requirement for insurers that had been the focus of earlier drafts. It is yet to be seen if the NAIC will continue to work toward that goal in a separate model law. For more information regarding the development of the model law, see "Legal Alert: NAIC Report: 2017 Spring National Meeting."

The New York Department of Financial Services (DFS) issued a final regulation that took effect on March 1, 2017, that applies new requirements for a cyber-security risk assessment and a cyber-security program to DFS-licensed individuals and entities including insurance companies, insurance agents, brokers, banks, money transmitters, and other financial services companies. For more information regarding the DFS cyber-security regulation, see "Legal Alert: NY DFS Publishes Final Cybersecurity Rules for Financial Services Companies."

The adoption of the model law by key NAIC bodies was a significant step in reinforcing the need among companies to act swiftly to implement a holistic, proactive, and risk-based approach to managing their cyber-security programs.

If you have any questions about this article, please feel free to contact Mr. Bahar by telephone at (202) 383–0882, or e-mail; Mr. Pruitt by telephone at (212) 389–5053, or e-mail; Ms. Wilson-Bilik by telephone at (202) 383–0660, or e-mail; or Mr. Sand by telephone at (212) 287–7019, or e-mail.

(Reprinted with the permission of Eversheds Sutherland.)