Founder and Managing Director, Cyber Special Ops, LLC
Mr. Suhs serves as the Founder and Managing Director for Cyber Special Ops, LLC, a cyber risk company that provides its clients with Concierge Cyber®, a revolutionary new delivery solution for cyber risk services modeled on concierge medicine.
The National Association of Insurance Commissioners (NAIC) has made cybersecurity and data protection a top priority. In early 2016, the NAIC began drafting the Insurance Data Security Model Law with input from state insurance regulators and the insurance industry and formally adopted the model in October 2017. The NAIC has encouraged state adoption of the model by state insurance regulators to protect personally identifiable information.
To Whom Does the Act Apply?
The model requires insurers, insurance agents and other entities licensed by a state department of insurance to develop, implement, and maintain an information security program based on its risk assessment, with a designated employee in charge of the information security program. The model phases in requirements for compliance with the information security program and oversight of third-party service providers. Licensees determine the appropriate security measures to implement based on careful, ongoing risk assessment for internal and external threats. The model also requires licensees to investigate a cybersecurity event and notify the state insurance commissioner of a cybersecurity event. It also grants insurance commissioners the power to examine and investigate licensees to determine compliance with the law and provides state insurance regulators the authority to remedy data security deficiencies they find during an examination.
The model exempts licensees with fewer than 10 employees or licensees compliant with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The model does not create a private cause of action, nor does it limit an already-existing private right of action.
Is Cyber Risk Management a Board of Directors Issue?
Yes. The NAIC model elevates cybersecurity from an IT issue to a board of directors’ issue and requires someone to report to the CEO and to the board of directors on data security and cybersecurity issues. Even if executive management delegates responsibilities to an individual or committee, the board is still required to receive a report from the delegate(s) on compliance with the requirements and an annual report on the overall status of the security program.
What are the Requirements of the NAIC Insurance Data Security Model Law?
- Licensees should implement a written information security program (“WISP”) designed to promptly respond to, and recover from, a cybersecurity event that compromises nonpublic information in its possession, the licensee’s information systems, or the continuing functionality of any aspect of the licensee’s business or operations. The WISP must be commensurate with the size and complexity of the licensee, the nature and scope of the licensee’s activities (including its use of third-party service providers), and the sensitivity of the nonpublic information.
The program must include a written incident response plan (with certain enumerated requirements) designed to promptly respond to, and recover from, a cybersecurity event.
- Designate one or more employees, an affiliate, or an outside vendor acting on behalf of the licensee as responsible for the information security program;
- Identify reasonably foreseeable internal or external threats that could result in the unauthorized access to or transmission, disclosure, misuse, alteration, or destruction of nonpublic information, including threats to the security of information systems and nonpublic information that are accessible to or held by third-party service providers;
- Assess the likelihood and potential damage of these threats, considering the sensitivity of the nonpublic information;
- Assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage these threats, taking into consideration threats in each relevant area of the licensee’s operations, including employee training.
What about Third-Party Service Providers?
A licensee should:
- Exercise due diligence in selecting its third-party service provider; and
- Require a third-party service provider to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to, or held by, the third-party service provider.
Call to Action:
To date, the NAIC Insurance Data Security Model Law has been adopted in 11 states: AL, CT, DE, IN, LA, MI, MS, NH, OH, SC and VA. All insurance licensees, with the involvement and support from their board of directors, should proactively begin a cyber risk management analysis and formulate an incident response plan now before their state adopts the NAIC Data Security Model Law. Data security isn’t just a technology issue. Data security is a business enabler that supports a licensee’s agility, productivity and customer loyalty.