Captive Insurance News


NAIC Model Law Requirements Will Most Greatly Affect Smaller Insurers

August 21, 2017

The National Association of Insurance Commissioners (NAIC) Cybersecurity Working Group approved the "Insurance Data Security Model Law," which, if approved by the NAIC Executive Committee, will promote more rigorous cyber risk management practices in the US insurance market, Fitch Ratings says. At the same time, it will add to insurers' compliance costs and associated risks of penalties for compliance violations.

In its current form, the proposed model law is credit-neutral for the US insurance sector. It is largely complementary to other federal and state regulations for cyber security, including the New York State Department of Financial Services cyber security regulations from March 1, 2017, which apply to more than 3,000 financial service firms doing business in New York. The proposed model law still needs approval of the Innovation and Technology Task Force and NAIC Executive Committee to be considered a model law. Application of model laws requires state-by-state approval, which will take considerable time, and some individual states may adopt their own approaches to regulating insurers' cyber security.

Fitch Ratings says the insurers it rates have largely enhanced their data protection and network security practices in response to the growing threat of cyber attacks, but they face challenges in keeping pace with technological change and the resourcefulness of computer hackers. Insurers typically hold large volumes of private customer information that is attractive to hackers. Attacks can compromise data or disrupt websites, with detrimental financial, operational, or reputational consequences.

The NAIC's framework establishes industry standards for data security that will apply to a broad range of parties including insurance companies, agents, and brokers. Organizations will be required to have a written information security program for protecting sensitive data, including incident response and data recovery plans to demonstrate their preparedness for cyber events.

Companies will have to certify compliance annually to their state insurance commissioner and give notification of data breaches within 72 hours. The model law will also motivate insurers to incorporate cyber security into their overall enterprise risk management and corporate governance practices. Key provisions include minimum practices of board and senior management reporting and oversight of information security practices, and monitoring of third-party service provider arrangements and the outcome of cyber security events.

Meeting the requirements of the model law will most greatly affect smaller insurance companies and distributors. Smaller organizations may have data security practices that fit the nature and scale of their business but may need to allocate significant new resources and bear significant costs to meet the requirements of the model law.

Demand for cyber liability insurance coverage may expand for entities subject to the model law's requirements. Property-casualty insurers are writing more cyber insurance business due, in part, to growing regulatory obligations. Cyber insurance has been a profitable business line for a number of specialist underwriters. However, as an emerging peril with limited historical loss data for pricing purposes, untested and varying policy language and terms, and challenges in quantifying risk aggregations and catastrophe loss potential, it presents considerable uncertainty for insurers.
