During the Jan. 24, 2017 conference call of the NAIC Cybersecurity (EX) Task Force, there was a lengthy discussion around the use of third parties, contracting with third parties and breach notification requirements of licensed insurers when a third party service organization has been breached. The discussion focused on specific actionable items arising from Section 4(f) of the draft model law, which states:
“The licensee shall contract only with third-party service providers that are capable of maintaining appropriate safeguards, as required by the state laws in which the licensee is located or other statutory authority, to protect for personal information in the licensee’s possession, custody or control, and the licensee shall be responsible for any failure by such third-party service providers to protect personal information provided by the licensee to the third-party service providers consistent with this Act.”
Comments from interested parties and regulators centered on the requirements of carriers in contracting with third parties, specifically:
The conversation then turned to the authority of individual state insurance regulators to govern insurance industry service providers, and to the onus on individual companies to impose compliance requirements on their service providers. Challenges associated with third-party service provider compliance with insurance regulations were also discussed. Particular attention was given to very large service providers that serve multiple industries, for which compliance would be a monumental effort, and to small boutique service organizations, for which compliance would be cost prohibitive.
A significant volume of interested-party comments on the NAIC Data Security Model Act is scheduled to be addressed in subsequent bi-weekly conference calls.
Until states adopt a final version of the Data Security Model Act and authoritative guidance is available, there are things insurers can do now to prepare, all of which reflect current corporate governance and information security best practices:
While the final language of the Data Security Model Act remains to be seen, the general thrust of the act's provisions relating to third-party service providers is clear: “Licensees can assign authority, but not responsibility. Insurance companies are responsible for all transactions performed on their behalf.”
For more information on this topic, or to learn how Baker Tilly insurance specialists can help, contact our team.