The NAIC Insurance Data Security Model Law

Kurtis Suhs
Founder and Managing Director, Cyber Special Ops, LLC

Mr. Suhs serves as the Founder and Managing Director for Cyber Special Ops, LLC,  a cyber risk company that provides its clients with Concierge Cyber®, a revolutionary new delivery solution for cyber risk services modeled on concierge medicine.

The National Association of Insurance Commissioners (NAIC) has made cybersecurity and data protection a top priority. In early 2016, the NAIC began drafting the Insurance Data Security Model Law with input from state insurance regulators and the insurance industry and formally adopted the model in October 2017. The NAIC has encouraged state adoption of the model by state insurance regulators to protect personally identifiable information.

To Whom Does the Act Apply?

The model requires insurers, insurance agents and other entities licensed by a state department of insurance to develop, implement, and maintain an information security program based on its risk assessment, with a designated employee in charge of the information security program. The model phases in requirements for compliance with the information security program and oversight of third-party service providers. Licensees determine the appropriate security measures to implement based on careful, ongoing risk assessment for internal and external threats. The model also requires licensees to investigate a cybersecurity event and notify the state insurance commissioner of a cybersecurity event. It also grants insurance commissioners the power to examine and investigate licensees to determine compliance with the law and provides state insurance regulators the authority to remedy data security deficiencies they find during an examination.

The model exempts licensees with fewer than 10 employees or licensees compliant with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The model does not create a private cause of action, nor does it limit an already-existing private right of action.

Is Cyber Risk Management a Board of Directors Issue?

Yes. The NAIC model elevates cybersecurity from an IT-related issue to a board of directors’ issue and requires someone to report to the CEO and to the board of directors on data security and cybersecurity issues. Even if executive management delegates responsibilities to an individual or committee, the board is still required to receive a report from the delegate(s) complying with the requirements and to annually report on the overall status of the security program.

What are the Requirements of the NAIC Insurance Data Security Model Law?

  • Licensees should implement a written information security program (“WISP”) designed to promptly respond to, and recover from, a cybersecurity event that compromises nonpublic information in its possession, the licensee’s information systems, or the continuing functionality of any aspect of the licensee’s business or operations. The WISP must be commensurate with the size and complexity of the licensee, the nature and scope of the licensee’s activities, including its use of third-party service providers, and the sensitivity of the nonpublic information.

The program must include a written incident response plan (with certain enumerated requirements) designed to promptly respond to, and recover from, a cybersecurity event.

  • Designate one or more employees, an affiliate, or an outside vendor designated to act on behalf of the licensee as responsible for the information security program;
  • Identify reasonably foreseeable internal or external threats that could result in the unauthorized access to or transmission, disclosure, misuse, alteration, or destruction of nonpublic information including the security of information systems and nonpublic information that are accessible to or held by third-party service providers;
  • Assess the likelihood and potential damage of these threats, considering the sensitivity of the nonpublic information;
  • Assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage these threats, taking into consideration threats in each relevant area of the licensee’s operations, including employee training.

What about Third-Party Service Providers?

A licensee should:

  • Exercise due diligence in selecting its third-party service provider; and
  • Require a third-party service provider to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to, or held by, the third-party service provider.

Call to Action:

To date, the NAIC Insurance Data Security Model Law has been adopted in 11 states: AL, CT, DE, IN, LA, MI, MS, NH, OH, SC and VA. All insurance licensees, with the involvement and support from their board of directors, should proactively begin a cyber risk management analysis and formulate an incident response plan now before their state adopts the NAIC Data Security Model Law. Data security isn’t just a technology issue. Data security is a business enabler that supports a licensee’s agility, productivity and customer loyalty.

Cybersecurity Litigation Review

This blog post was submitted in dialogue with the recent PLUS webinar “Cyber Risk is a D&O Risk.” You can view the recording of this webinar and past free webinars on the PLUS website here.


John Cheffers was hired to be a Director of Research for Watchdog Research in 2019 and creates content that is featured on the company blog. He obtained his J.D. from Ave Maria School of Law in Naples, Florida, in 2019, where he was a member of the Law Review and graduated magna cum laude. Prior to that he worked for Audit Analytics as a Research Analyst.

Cybersecurity has gone from a niche concern to a hot topic in the D&O insurance world.  On September 23rd, this week, PLUS hosted a webinar on how companies can strategically handle cybersecurity concerns.  The speakers offered tremendous perspective on this dynamic and growing area, and we encourage everyone to listen to their fascinating conversation.

We are an independent research provider that uses an extensive database of public information to create easy-to-use reports for over 4,500 publicly traded companies.  Since we track cybersecurity incidents and all material litigation for public companies, we thought we could use this as an opportunity to provide a little color to the important discussions concerning cybersecurity.


We began by looking at incidents that occurred at companies listed on the NYSE and Nasdaq over the past ten years, and the growth rate of cybersecurity incidents is alarming: 

*The graphs and tables in this post were created by Joseph Burke, PhD, and derived from the Audit Analytics database.

In 2010, only 0.1% of companies reported a cybersecurity incident. In 2019, 2.2% of companies reported a cybersecurity incident. The growth of cybersecurity incidents over the past five years has been incredible, and it is not clear when it will slow down.

Another interesting facet is that the risk of a cybersecurity incident is much higher at a large company than it would be at a small company. Attacks on large companies are driving much of the growth in these numbers.

Cybersecurity Securities Class Actions

A cyberbreach at a company creates all sorts of problems, including litigation. We identified all the securities class action suits that were brought over cybersecurity issues and calculated the likelihood of being named in one of those suits. Unsurprisingly, the last ten years have shown significant growth in the risk of being named in a cybersecurity-related lawsuit.

It is important to note that these percentages are for all companies. Large cap companies have a significantly higher probability than is represented in the graph because they are both more likely to be the victim of a cybersecurity incident and are generally more likely to have a securities class action suit filed against them.

Cybersecurity as a Leading and Covariate Indicator

Two of our researchers, Joseph Burke, PhD, and Joseph Yarbrough, PhD, wrote a research paper calculating when particular flags from our reports were associated with an increased risk of securities class action litigation for 2014-2018. Companies with a cybersecurity incident were almost three times as likely to get named in a securities class action lawsuit the year that the incident occurred.

Additionally, cybersecurity incidents were one of the six leading indicators of securities class action suits.  An event is considered a leading indicator of litigation if the occurrence of that event is associated with an increased risk of litigation for the following year. 


The chance of being involved in a cybersecurity securities class action lawsuit is still relatively low, but it is increasing rapidly. Additionally, the risk profile is far higher for large companies, which are more likely to be a victim of a cybersecurity incident and more likely to get named in a securities class action lawsuit. 

If company boards wish to prevent having their company victimized twice (by hackers and by lawyers), then they need to make wise and strategic decisions to confront this growing threat.

Risk Associated with Latest Changes to Same Day ACH

Kurtis Suhs
Founder and Managing Director, Cyber Special Ops, LLC


The National Automated Clearing House Association (“NACHA”) is making enhancements to offer same day ACH more quickly, allow for larger per-transaction value, and add an additional processing window later in the day.  Here is a brief timeline and explanation of those changes:

  • March 20, 2019 – the availability of funds for many Same Day ACH and other ACH credits will occur sooner in the day.
  • March 20, 2020 – the per-transaction dollar limit for Same Day ACH will increase from $25,000 to $100,000.
  • March 19, 2021 – access will be extended by enabling Same Day ACH transactions to be submitted to the ACH Network two hours later every business day.

So why is wire fraud expected to increase?  Why will it go up when banks are essentially providing the same service to customers that they do today, only giving them their money sooner? Well, the answer is because bad guys love speed and convenience. Same day ACH will enable fraudsters to abscond with money before the bank or its corporate customer even discovers the fraud.

Business Email Compromise Will Increase

In 2019, the FBI’s Internet Crime Complaint Center (IC3) received 23,775 Business Email Compromise (BEC) complaints with adjusted losses of over $1.7 billion. BEC is a sophisticated scam targeting both businesses and individuals performing a transfer of funds. The scam is frequently carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.

Account Takeover Will Increase

It is no secret that fraudsters are stockpiling online banking credentials in what we often refer to as “sleeper fraud,” where they keep accounts on hand until they are ready to attack the bank en masse. After same day ACH, we can expect to see escalated levels of account takeover since fraudsters can move the money in larger and faster quantities on compromised accounts.

Online Banking Losses Will Increase

If you want to see what will happen to U.S. online banking accounts, just look to the U.K. for the most likely scenario.  Online banking losses in the U.K. doubled immediately after Faster Payments launched and never really came back down to the pre-Faster Pay levels afterwards.

Payment Fraud and Bill Pay Losses Will Increase

Organizations that track their ACH and Bill Pay fraud losses will probably notice a big uptick in Bill Pay-related fraud losses. Fraudsters can set up new payees and send funds, or even divert funds to new locations using the same payee accounts by changing the details. Bill Pay losses will increase with same day ACH.

Time Is of the Essence

Upon discovering wire fraud, organizations should file a suspicious activity report (SAR) to the FBI’s Internet Crime Complaint Center (IC3). The mission of the IC3 is to provide the public with a reliable and convenient reporting mechanism to submit information to the FBI concerning suspected internet-facilitated criminal activity and to develop effective alliances with law enforcement and industry partners. Information is analyzed and disseminated for investigative and intelligence purposes to law enforcement and for public awareness. In February 2018, IC3 established the Recovery Asset Team (RAT), which has helped streamline communication with financial institutions and assist FBI field offices in the recovery of funds for businesses that report a fraudulent domestic wire transfer. The RAT, which was established as a standalone team in 2018, completed its first full year of operation in 2019, assisting in the recovery of over $300 million lost through online scams, for a 79% return rate of reported losses. Time is critical when dealing with BEC, typically within 48 hours of the transfer request, so that the RAT can communicate with the domestic financial institutions to freeze funds before they have been transferred.

Best Practices to Minimize Wire Transfer Loss

  • Always verify the authenticity of each wire transfer request. Call the person, using a number you have previously called — not one from the current wire transfer request — to verbally verify it.
  • Implement a call-back verification process when setting up payment instructions for a new vendor or making changes to payment instructions for an existing vendor.
  • Implement dual control and segregation of duties.
  • Set prudent wire transfer limits and/or outright prohibit the ability to initiate overseas wire transfers.
  • Educate your employees to protect your financial assets.
  • Perform internal audits to ensure controls set up are being followed.
  • Develop adequate policies and procedures.

Review your business insurance policy. Does it cover financial losses due to theft of money? Coverage might be found in a Crime Policy with a Computer and Funds Transfer Fraud Insuring Agreement, a Business Owner’s Policy that provides coverage for Theft of Money and Securities or a Cyber Policy with Social Engineering Coverage.