NAIC releases new version of Cybersecurity Model Law

The National Association of Insurance Commissioners (NAIC) Cybersecurity Task Force released its latest version of the Insurance Data Security Model Law on August 17, 2016. Key requirements of the Act, ambiguous areas, and items missing from the proposal are described in this post.

Key requirements

Overall, the proposed requirements do not present significant changes to current practices mandated by different states, or those considered industry best practices. Key requirements include:

• Implementing a formal information security program
• Performing a periodic risk assessment
• Implementing procedures to restrict access, protect data and system integrity, and test or monitor systems
• Ensuring that Board oversight occurs, including mandating reporting to the Board
• Overseeing third party vendors
• Investigating data breaches and notifying the insurance commission, if warranted

Ambiguous areas

Despite this being the second version, there are still areas that require clarification.

In several places, the draft mentions “generally accepted cybersecurity principles” – if only there was such a Holy Grail. There are a number of cybersecurity frameworks outlining recommended practices; the National Institute of Standards (NIST) principles are widely used, plus the American Institute of Certified Public Accountants (AICPA) Security Trust Principles and ISO 27001 are also used. The NAIC could go a long way towards harmonization if it stated which framework(s) would be acceptable.

The document states that insurers should “Utilize ‘state of the art techniques,’ such as multi-factor authentication procedures…” While one can understand that the NAIC wants to provide insurers with flexibility to tailor their cybersecurity programs to their size and level of complexity, the phrase “state of the art techniques” is a very unclear requirement. Dictionary.com defines “state of the art” as “the latest and most sophisticated or advanced stage of a technology, art, or science.” The latest version of most technology can be bug-ridden or expensive and this requirement could be difficult for many insurers to achieve given its lack of clarity.

The proposed Act states, “The licensee shall contract only with third-party service providers that are capable of maintaining appropriate safeguards for personal information,” yet the act is mute regarding reasonable expectations around vendor management, such as stakeholder involvement, risk assessment, information security review, third-party assurance reporting and data transitioning.

Noticeably missing

The Insurance Data Security Act thoroughly covers personally identifiable information (PII) and data breach response/notification, there are some components which are not included. Protected Health Information (PHI) requires equal consideration from a data security perspective, but was not included in the proposed Act. Also absent are data classification requirements. A key aspect of appropriately scoping information security protocols is an understanding of the types of sensitive information captured and transmitted in and out of your organization.

As a proposed Model Act, it will be some time before this law impacts insurers. There will be an additional comment period, and another period before state legislatures act on it. Insurers should monitor this proposal to prevent any surprises down the road.

For more information on regulatory compliance, or to learn how Baker Tilly's financial services specialists can help, contact our team.