The NAIC Insurance Data Security Model Law

Kurtis Suhs
Founder and Managing Director, Cyber Special Ops, LLC

Mr. Suhs serves as the Founder and Managing Director for Cyber Special Ops, LLC,  a cyber risk company that provides its clients with Concierge Cyber®, a revolutionary new delivery solution for cyber risk services modeled on concierge medicine.

The National Association of Insurance Commissioners (NAIC) has made cybersecurity and data protection a top priority. In early 2016, the NAIC began drafting the Insurance Data Security Model Law with input from state insurance regulators and the insurance industry and formally adopted the model in October 2017. The NAIC has encouraged state adoption of the model by state insurance regulators to protect personally identifiable information.

To Whom Does the Act Apply?

The model requires insurers, insurance agents and other entities licensed by a state department of insurance to develop, implement, and maintain an information security program based on its risk assessment, with a designated employee in charge of the information security program. The model phases in requirements for compliance with the information security program and oversight of third-party service providers. Licensees determine the appropriate security measures to implement based on careful, ongoing risk assessment for internal and external threats. The model also requires licensees to investigate a cybersecurity event and notify the state insurance commissioner of a cybersecurity event. It also grants insurance commissioners the power to examine and investigate licensees to determine compliance with the law and provides state insurance regulators the authority to remedy data security deficiencies they find during an examination.

The model exempts licensees with fewer than 10 employees or licensees compliant with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The model does not create a private cause of action, nor does it limit an already-existing private right of action.

Is Cyber Risk Management a Board of Directors Issue?

Yes. The NAIC model moves cybersecurity from an IT-only concern to a board of directors’ issue and requires that someone report to the CEO and to the board of directors on data security and cybersecurity matters. Even if executive management delegates responsibilities to an individual or committee, the board is still required to receive a report from the delegate(s) on compliance with the requirements and to annually report on the overall status of the security program.

What are the Requirements of the NAIC Insurance Data Security Model Law?

  • Licensees should implement a written information security program (“WISP”) designed to promptly respond to, and recover from, a cybersecurity event that compromises nonpublic information in the licensee’s possession, the licensee’s information systems, or the continuing functionality of any aspect of the licensee’s business or operations. The WISP must be commensurate with the size and complexity of the licensee, the nature and scope of the licensee’s activities (including its use of third-party service providers), and the sensitivity of the nonpublic information.

The program must include a written incident response plan (with certain enumerated requirements) designed to promptly respond to, and recover from, a cybersecurity event.

  • Designate one or more employees, an affiliate, or an outside vendor to act on behalf of the licensee as responsible for the information security program;
  • Identify reasonably foreseeable internal or external threats that could result in the unauthorized access to or transmission, disclosure, misuse, alteration, or destruction of nonpublic information including the security of information systems and nonpublic information that are accessible to or held by third-party service providers;
  • Assess the likelihood and potential damage of these threats, considering the sensitivity of the nonpublic information;
  • Assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage these threats, taking into consideration threats in each relevant area of the licensee’s operations, including employee training.

What about Third-Party Service Providers?

A licensee should:

  • Exercise due diligence in selecting its third-party service provider; and
  • Require a third-party service provider to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to, or held by, the third-party service provider.

Call to Action:

To date, the NAIC Insurance Data Security Model Law has been adopted in 11 states: AL, CT, DE, IN, LA, MI, MS, NH, OH, SC and VA. All insurance licensees, with the involvement and support from their board of directors, should proactively begin a cyber risk management analysis and formulate an incident response plan now before their state adopts the NAIC Data Security Model Law. Data security isn’t just a technology issue. Data security is a business enabler that supports a licensee’s agility, productivity and customer loyalty.

Building Cyber Resilience Against Ransomware

Timothy Smit
Sr. Global Privacy and Cyber Security Risk Leader, Lockton Companies

Timothy develops long-range strategies directing clients how to optimize their data effectively and responsibly. He focuses on privacy compliance, data protection, and the use of or introduction to digital technology. He assists in identifying data privacy risks, operational risk, process improvement, and conducting data flow mapping exercises. Timothy conducts risk assessments and develops strategic solutions for managing those risks, along with building incident response programs and plans to improve operational resiliency to a cyber or privacy event.

Over the past six months, ransomware attacks have increased exponentially.  In some reports, the figure is reported as a 700% increase since March 2020. (1)

Adding to the complexity of the ransomware difficulties, on October 1, 2020, the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory regarding potential sanctions for facilitating ransom payments.  That same day, the Financial Crimes Enforcement Network (FinCEN) issued an advisory on ransomware and the use of financial systems to facilitate payment.  Our summary of the Advisories and attendant issues can be found here.

Given that ransom payments may no longer be a viable option, or at a minimum that paying ransom to threat actors may be more difficult, organizations need to focus on preventing, identifying, responding to, and recovering from attacks; those four activities form the foundation of becoming resilient to ransomware.

What can organizations do to minimize their risks of ransomware attacks? 

On September 23, 2020, the National Institute of Standards and Technology (NIST) published Special Publication (SP) 800-53, Revision 5 entitled Security and Privacy Controls for Information Systems and Organizations. The SP contains 20 security and privacy control families.  While we do not address all 20 control families, we have highlighted several prioritized and focused controls that should be considered and potentially implemented by organizations from a ransomware loss control perspective.

The controls below will also map to possible questions insurance carriers are starting to ask in their cyber applications to better understand what proactive controls have been implemented at your organization, which may make you a better risk to them.

With more people working remotely, the number of endpoint devices that organizations must manage and protect continues to grow. Following the cyber kill chain model (2), here are a few ways to help your organization protect itself.

Identifying and containing the incident is critical. According to the 2020 Ponemon Institute Cost of a Data Breach Report (3), the average time to identify and contain an incident was 280 days. That number has risen because workforce members working remotely do not necessarily identify or report an incident to their organization.

Implementing tools that protect your workforce and their endpoint devices, or endpoint and device protection and response, is where we will begin.

Training & Education

Implement recurring security trainings for your workforce presented on their primary means of communication, i.e., desktops, laptops, mobile devices, or smart phones.  Focused trainings delivered on those devices will help your workforce identify phishing attempts on their primary communication tools.

One of the most common ways ransomware is launched within organizations is through a phishing attack.

Train and encourage your workforce to report anything suspicious in real time.  Your incident response teams need that information as soon as feasible to confirm the integrity of your systems and/or to start their investigation on how/where an attempt to infiltrate originated, so they can respond immediately and potentially eradicate the possibility of further attempts.

Technical Controls

Several technical controls for endpoint protection that reduce the likelihood of your organization succumbing to a targeted attack include:

  • prescreening links in emails,
  • scanning files for exploits, and
  • stripping and detonating attachments.

These controls also protect your organization if malware circumvents the controls already in place: by identifying infected files, attachments and the like, they expedite your response, allow you to contain incidents sooner, and decrease the probability of infected files cascading and propagating throughout your network, both internally and externally.

Segmentation of networks. This control contains malware and keeps it from cascading across your entire organization, reducing the overall possible business interruption impact on your organization.

The implementation of configuration management, a patch management program, and intrusion detection and prevention systems alerting your security operations center (SOC) provides a quick reactionary force to engage and contain abnormal activity before it becomes a larger issue.

Vulnerabilities exploited by the threat actor leave a digital footprint within your networks that should be captured, investigated and, where needed, responded to. Those efforts are improved by implementing security event logging solutions, applying threat intelligence to the logged events, analyzing the behaviors captured and responding to the resulting incidents, which together help prevent catastrophic losses to your organization.
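The paragraph above recommends collecting security event logs, applying threat intelligence to them and analyzing behavior, but does not show what that correlation looks like in practice. The script below is an added example, not code from the original post or from any product it mentions. It parses a handful of constructed log lines, matches field values against a constructed indicator list (placeholder values from reserved documentation ranges, not real indicators of compromise), and applies one behavioral rule: a burst of file renames to a ransomware-style extension on a single host. The log format, field names, thresholds and extensions are assumptions of this example.

```python
"""
Added example (not from the original post): correlating security event logs
with a threat-intelligence indicator list and a simple behavioural rule.
The log lines, indicator values and thresholds are constructed for
illustration and are not real indicators of compromise.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed threat-intelligence feed. Values are placeholders drawn from
# reserved documentation ranges, not real indicators.
THREAT_INTEL = {
    "ip": {"203.0.113.45"},              # TEST-NET-3 documentation range
    "domain": {"bad-updates.example"},   # reserved .example TLD
    "sha256": {"a" * 64},                # placeholder hash
}

# Behavioural rule (assumed thresholds): this many renames to a suspicious
# extension by one host inside the window is treated as possible encryption.
RENAME_THRESHOLD = 5
RENAME_WINDOW = timedelta(seconds=60)
SUSPICIOUS_EXTENSIONS = {".locked", ".encrypted"}

# Assumed log layout: '<ISO timestamp> host=<name> event=<type> key="value" ...'
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample log lines: one workstation contacts a listed domain and
# IP and then renames five files in eight seconds; another does a benign rename.
SAMPLE_LOGS = [
    '2020-10-05T09:00:01 host=ws-14 event=dns_query domain="bad-updates.example"',
    '2020-10-05T09:00:03 host=ws-14 event=net_connect dst="203.0.113.45" port="443"',
    '2020-10-05T09:00:10 host=ws-14 event=file_rename old="q3.xlsx" new="q3.xlsx.locked"',
    '2020-10-05T09:00:12 host=ws-14 event=file_rename old="q2.xlsx" new="q2.xlsx.locked"',
    '2020-10-05T09:00:14 host=ws-14 event=file_rename old="notes.docx" new="notes.docx.locked"',
    '2020-10-05T09:00:16 host=ws-14 event=file_rename old="plan.pdf" new="plan.pdf.locked"',
    '2020-10-05T09:00:18 host=ws-14 event=file_rename old="board.pptx" new="board.pptx.locked"',
    '2020-10-05T09:05:00 host=ws-22 event=file_rename old="a.txt" new="a.txt.bak"',
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not fit the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "event": m["event"]}
    rec.update(dict(KV_RE.findall(m["rest"])))
    return rec


def analyse(lines):
    """Return a list of (host, reason) alerts for indicator hits and rename bursts."""
    alerts = []
    renames = defaultdict(list)  # host -> timestamps of recent suspicious renames
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # 1. Indicator match: any non-structural field value present in the feed.
        for kind, values in THREAT_INTEL.items():
            for key, val in rec.items():
                if key in ("ts", "host", "event"):
                    continue
                if val in values:
                    alerts.append((rec["host"], f"threat-intel {kind} match: {val} ({key})"))
        # 2. Behavioural rule: sliding window of renames to a suspicious extension.
        if rec["event"] == "file_rename":
            new_name = rec.get("new", "")
            if any(new_name.endswith(ext) for ext in SUSPICIOUS_EXTENSIONS):
                window = renames[rec["host"]]
                window.append(rec["ts"])
                while window and rec["ts"] - window[0] > RENAME_WINDOW:
                    window.pop(0)  # discard renames older than the window
                if len(window) == RENAME_THRESHOLD:
                    alerts.append((rec["host"],
                                   f"{RENAME_THRESHOLD} suspicious renames within {RENAME_WINDOW.seconds}s"))
    return alerts


def run_sample():
    """Run the analysis over the constructed sample logs."""
    return analyse(SAMPLE_LOGS)


if __name__ == "__main__":
    for host, reason in run_sample():
        print(f"ALERT {host}: {reason}")
```

The indicator match catches activity that a feed already knows about; the rename rule catches encryption behavior the feed has never seen. In a real SOC pipeline the two would feed the same alert queue, and the rename threshold would be tuned against a baseline of normal file activity so that backup jobs and bulk renames do not trigger it.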

Data inventories and data maps of information flow paths help your organization classify critical data and overlay the proper controls to protect that data based on its classification. The data inventory also sheds light on end-of-life (EOL) systems, operating systems, etc. for which no further security updates or patches are available; these expose your organization at a much higher rate to new threat agents and make you non-compliant with most regulatory requirements that explicitly state you must protect your network and data.

One example of that is the HIPAA Security Rule 45 C.F.R. § 164.308 (a)(5)(ii)(B), which highlights that the entity must have protection from malicious software which implies you must apply patches on all systems.

Another example is the global PCI DSS standards that require each entity to “develop and maintain secure systems and applications by installing applicable vendor-supplied security patches.” (4)

Best practices also address the following response and recovery controls to build an organization that is resilient to a ransom attack.

Data inventorying provides your organization with a catalog of systems, categorized on importance to business operations and organizational goals and objectives.  It provides your organization with a prioritized list of critical systems and assets to protect most, data being proactively backed up and protected while the data is at rest, and accessible only by authorized users.

Data must be backed up, protected from unauthorized access and alteration or deletion with a planned and tested restoration plan which empowers your organization to be resilient to cyber-attacks, including ransomware attacks.  Backups may be locally conducted and stored, or they may be virtual within a cloud environment.
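The two paragraphs above call for backups that are protected from alteration and for a tested restoration plan. The script below is an added example, not code from the original post or from any vendor it mentions. It builds a small constructed source tree in a temporary directory, copies it to a backup location while recording a SHA-256 manifest, restores into a fresh directory and verifies every file against the manifest; it then alters one file in the backup copy and shows that the same verification flags the restore as unusable. The directory layout, manifest format and function names are this example's own choices.

```python
"""
Added example (not from the original post): a minimal backup, restore and
verification test. Sample files are constructed in a temporary directory;
the manifest format and layout are assumptions of this example.
"""
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, backup_dir):
    """Copy src_dir to backup_dir/data and write a manifest of relative path -> sha256."""
    shutil.copytree(src_dir, os.path.join(backup_dir, "data"))
    manifest = {}
    for root, _, files in os.walk(src_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, src_dir)] = sha256_file(full)
    with open(os.path.join(backup_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def restore(backup_dir, restore_dir):
    """Restore the backed-up tree into a new directory."""
    shutil.copytree(os.path.join(backup_dir, "data"), restore_dir)


def verify(restore_dir, manifest):
    """Return a list of problems (missing files, hash mismatches); empty means clean."""
    problems = []
    for rel, expected in manifest.items():
        path = os.path.join(restore_dir, rel)
        if not os.path.exists(path):
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != expected:
            problems.append(f"hash mismatch: {rel}")
    return problems


def demo():
    """Back up constructed data, test a clean restore, then show that an altered
    backup copy is caught by verification. Returns (clean_problems, tampered_problems)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "src")
        os.makedirs(os.path.join(src, "finance"))
        with open(os.path.join(src, "finance", "q3.csv"), "w") as f:
            f.write("account,balance\n1001,250.00\n")   # constructed sample data
        with open(os.path.join(src, "policy.txt"), "w") as f:
            f.write("retention: 7 years\n")             # constructed sample data

        backup = os.path.join(tmp, "backup")
        manifest = make_backup(src, backup)

        # Restoration test: a backup nobody has restored from is not a tested backup.
        restore(backup, os.path.join(tmp, "restore1"))
        clean_problems = verify(os.path.join(tmp, "restore1"), manifest)

        # Simulate the backup copy being altered in place (for instance by
        # malware that reached the backup share) and restore again.
        with open(os.path.join(backup, "data", "finance", "q3.csv"), "wb") as f:
            f.write(b"\x00not the original contents")
        restore(backup, os.path.join(tmp, "restore2"))
        tampered_problems = verify(os.path.join(tmp, "restore2"), manifest)

    return clean_problems, tampered_problems


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean restore problems:", clean)
    print("tampered restore problems:", tampered)
```

The manifest is only useful if an attacker who can alter the backup data cannot also rewrite it, so in practice the manifest (or a signed copy of it) is stored separately from the backup media, and the restore test is scheduled rather than run once.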

Authentication Controls

Implementing multi-factor authentication (MFA) is critical to confirm the identity of those accessing your systems and/or devices. For example, if your organization utilizes MS Office365 (O365), MFA is free and available to implement today. If your organization does utilize O365, ensure that the Advanced Threat Protection add-on is being utilized.

MFA should be applied to protect every account, including privileged accounts.  Also, if you allow work emails to be forwarded to personal email accounts, ensure that your workforce has enabled MFA on their personal accounts, especially in today’s work from home setting.

Even though MFA will not prevent phishing emails from being clicked on or executed, it can prevent a successful phishing attempt from exploiting credentials, by over 90%. (5)

Incident Response

Incident response is an organized approach to addressing and managing privacy and data incidents.  The goal is to identify, respond, contain, and recover from the incident limiting damages and reducing business interruptions.

Training the workforce to identify an incident, and how and when to report one, is one component of the incident response plan. Investigating the digital footprints of a bad actor is another.

Your incident response plan is the cornerstone to building resilience within your organization, where building cyber resilience is a necessity today.

Cyber Insurance Carriers

Organizations that currently purchase a cyber liability insurance program have access to all of the above-mentioned recommendations and many other services that are provided either as complimentary or at a reduced cost. The insurers are helping their clients proactively improve their overall risk posture while reducing the probability of a cyber event causing a loss, which triggers a claim.

Configuration Management – Configuration management is a system’s engineering process for establishing and maintaining consistency of a product’s performance, functional, and physical attributes with its requirements, design, and operational information throughout its life.

End-of-Life (EoL) – “End-of-life” (“EOL”) is a term used with respect to a product supplied to customers, indicating that the product is in the end of its useful life (from the vendor’s point of view), and a vendor stops marketing, selling, or rework sustaining it. (The vendor may simply intend to limit or end support for the product.)

Patch Management – Patch management is the process that helps acquire, test and install multiple patches (code changes) on existing applications and software tools on a computer, enabling systems to stay updated on existing patches and determining which patches are the appropriate ones.

Segmentation of Networks – Network segmentation is an architectural approach that divides a network into multiple segments or subnets, each acting as its own small network. This allows network administrators to control the flow of traffic between subnets based on granular policies.

Retaining Black Talent: Part Three

For the third and final episode of their conversation, Brenda Shelly again joins Adeola Adele and Deidre Wright for the end of their discussion on retaining Black talent and accountability in the insurance industry. They conclude their conversation on affecting and sustaining change, and delve into what accountability really means and how it can and should impact the industry.

Listen to the first episode posted previously on the blog here, and the second episode here. We also encourage you to visit the PLUS and the PLUS Foundation websites for more discussions about race and diversity in the workplace.

Adeola Adele, Adele Law Group, PLLC

Adeola Adele is an attorney and former insurance industry executive with 20 years of combined legal and risk management consulting experience. Adeola left the industry in 2019 to start her solo law firm practice, Adele Law Group, PLLC, where she provides legal counsel and risk management consulting services to non-profit organizations, social enterprises and other mission-driven organizations. Adeola was recognized in 2016 as a Woman to Watch by Business Insurance. She is currently a Board member at Pathfinders Justice Initiative and a member of NonProfit New York’s Government Relations Council.

Deidre Wright, ARMe

Deidre Wright is the CEO of Strategic Stories, helping executives and entrepreneurs brand themselves as industry celebrities; She’s a Board Advisor for Juniper Labs; alumni of Business Insurance, Marsh and Aon; Insurance Supper Club Member and past Co-Chair of San Francisco’s Dive In Fest, NAAIA’s Emerging Leaders Committee and Board Member of RIMS Rising Risk Professionals.

Brenda A. Shelly
Managing Director, Marsh JLT Specialty
Marsh & McLennan Companies

Brenda is a seasoned broker, client advisor and business development professional, with deep brokerage and risk management expertise, currently managing F500, IPO, and M&A clients, including their Claims Management, Directors & Officers Liability and other Financial Lines. Prior to her current role, Brenda served for five years as Marsh’s D&O Product Leader, Chairman of FINPRO’s Global Advisory Board and its Global Content Leader. Before that, she was FINPRO’s Pacific North Growth Leader, Bay Area Practice Leader, National Technology Leader and National IPO Leader.