Vermont Takes a Measured Approach to Captive Cyber Security Regulation

August 12, 2021

With cyber risks growing, Vermont regulators are taking a measured approach to determining how cyber security should factor in regulating captive insurance.

"With all of the high-profile breaches that have been in the news, it's pretty clear that none of us are immune to the risk of a cyber attack," said Christine Brown, assistant director of captive insurance in the Vermont Department of Financial Regulation (DFR).

Speaking as part of an "Ignite Talk" on "The Future of Cyber Regulation for the Captive Industry" during this year's virtual Vermont Captive Insurance Association annual conference, Ms. Brown noted that the National Association of Insurance Commissioners (NAIC) adopted a data security model law in October 2017.

"The model law outlines certain standards and best practices that insurance companies should include in an information security program to mitigate the potential damage of a data breach," Ms. Brown said. Those security programs should include frequent risk assessments; specific risk management measures to mitigate those risks; board oversight, including oversight of third-party service providers; and an incident response plan, she said.

The model law isn't currently an NAIC accreditation standard, she said. "I think about 11 states have adopted it to date, but the federal government urged states to adopt the model law with the threat of preempting the state's authority," Ms. Brown said. "So there has been pressure on states to adopt some sort of cyber-security law."

"It's important for companies to take steps to reduce cyber risk. We would not require parent companies or captives to insure cyber liability policies through their captive," said Sandra Bigglestone, director of captive insurance in the Vermont DFR. "That's a decision left up to the board and based on the needs of the captive owners."

"Much like the federal government and the NAIC for commercial insurers, captive regulators also need to understand what companies are doing to address the risk and to set some baseline expectations," Ms. Bigglestone said. "If the NAIC cyber-security model act becomes an accreditation standard, we will have to implement it for risk retention groups and other captive insurers that are subject to NAIC standards."

Ms. Bigglestone noted that while the NAIC was developing its model law, Vermont's Department of Financial Regulation drafted a best practices document that advises captives and parent companies to create an information security program that is commensurate with the captive's size and structure.

"Really, the expectation is for companies to assess cyber risk and related controls, to mitigate the risk, and to develop response and contingency plans," Ms. Bigglestone said. "We recognize that parent organizations and service providers that service the captive for the parent do have cyber-security programs already in place and protocols for protecting data and operations. And also, when conducting examinations, our examiners gain an understanding of the captive information systems environment and cyber-security programs if they exist."

Going forward, "the captive regulators in Vermont are aiming to proceed with a reasonable and measured approach, which will involve coordinating and understanding more about what our regulators are seeing to see if there's anything that might be missing and updating our best practices document to mirror the federal government initiative and distribute it to the industry, and it will be important for us to gain input from the captive industry, in particular when we introduce more formal requirements, much like the NAIC's cyber-security model act," Ms. Bigglestone said.