The NAIC Insurance Data Security Model Law

Kurtis Suhs
Founder and Managing Director, Cyber Special Ops, LLC

Mr. Suhs serves as the Founder and Managing Director for Cyber Special Ops, LLC, a cyber risk company that provides its clients with Concierge Cyber®, a revolutionary new delivery solution for cyber risk services modeled on concierge medicine.

The National Association of Insurance Commissioners (NAIC) has made cybersecurity and data protection a top priority. In early 2016, the NAIC began drafting the Insurance Data Security Model Law with input from state insurance regulators and the insurance industry and formally adopted the model in October 2017. The NAIC has encouraged state adoption of the model by state insurance regulators to protect personally identifiable information.

To Whom Does the Act Apply?

The model requires insurers, insurance agents and other entities licensed by a state department of insurance to develop, implement, and maintain an information security program based on its risk assessment, with a designated employee in charge of the information security program. The model phases in requirements for compliance with the information security program and oversight of third-party service providers. Licensees determine the appropriate security measures to implement based on careful, ongoing risk assessment for internal and external threats. The model also requires licensees to investigate a cybersecurity event and notify the state insurance commissioner of a cybersecurity event. It also grants insurance commissioners the power to examine and investigate licensees to determine compliance with the law and provides state insurance regulators the authority to remedy data security deficiencies they find during an examination.

The model exempts licensees with fewer than 10 employees or licensees compliant with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The model does not create a private cause of action, nor does it limit an already-existing private right of action.

Is Cyber Risk Management a Board of Directors Issue?

Yes, the NAIC model elevates cybersecurity from an IT-related issue to a board of directors’ issue and requires someone to report to the CEO and to the board of directors on data security and cybersecurity issues. Even if executive management delegates responsibilities to an individual or committee, the board is still required to receive a report from the delegate(s) on compliance with the requirements and an annual report on the overall status of the security program.

What are the Requirements of the NAIC Insurance Data Security Model Law?

  • Licensees should implement a written information security program (“WISP”) designed to promptly respond to, and recover from, a cybersecurity event that compromises non-public information in its possession, the licensee’s information systems, or the continuing functionality of any aspect of the licensee’s business or operations. The WISP must be commensurate with the size and complexity of the licensee, the nature and scope of the licensee’s activities, including its use of third-party service providers and the sensitivity of the nonpublic information.

The program must include a written incident response plan (with certain enumerated requirements) designed to promptly respond to, and recover from, a cybersecurity event.

  • Designate one or more employees, an affiliate, or an outside vendor acting on behalf of the licensee as responsible for the information security program;
  • Identify reasonably foreseeable internal or external threats that could result in the unauthorized access to or transmission, disclosure, misuse, alteration, or destruction of nonpublic information including the security of information systems and nonpublic information that are accessible to or held by third-party service providers;
  • Assess the likelihood and potential damage of these threats, considering the sensitivity of the nonpublic information;
  • Assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage these threats, taking into consideration threats in each relevant area of the licensee’s operations, including employee training.

What about Third-Party Service Providers?

A licensee should:

  • Exercise due diligence in selecting its third-party service provider; and
  • Require a third-party service provider to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to, or held by, the third-party service provider.

Call to Action:

To date, the NAIC Insurance Data Security Model Law has been adopted in 11 states: AL, CT, DE, IN, LA, MI, MS, NH, OH, SC and VA. All insurance licensees, with the involvement and support from their board of directors, should proactively begin a cyber risk management analysis and formulate an incident response plan now before their state adopts the NAIC Data Security Model Law. Data security isn’t just a technology issue. Data security is a business enabler that supports a licensee’s agility, productivity and customer loyalty.

The “Robinhood Effect”

Rob Yellen
D&O and Fiduciary Liability Product Leader, FINEX, Willis Towers Watson

Rob is a recognized expert in directors and officers liability with a rare combination of Financial Lines experience that includes serving as a chief underwriting officer, global head of product development and a foreign general insurance chief legal counsel for a leading insurance carrier. Today, Rob counsels clients and serves as a thought leader and technical expert, troubleshooter, and claims resource on Financial Lines issues with a focus on D&O and Fiduciary products. He co-leads the Willis Towers Watson Strategic Solutions Group and chairs its North American and Global FINEX Advisory committees.

The legend of Robin Hood has been around 700 years or so–an enduring, popular fairy tale of an outlaw hero and his band of Merry Men who robbed the rich and gave to the poor. By comparison, Robinhood Markets, Inc., formed in 2013, looks to “provide everyone with access to the financial markets, not just the wealthy.” What makes Robinhood particularly interesting is its growth, how it is different and its impact, this year, on financial markets.

If growth and trading volume are the measures, Robinhood is succeeding. Bloomberg reports that 1.7 million people opened brokerage accounts with Charles Schwab in the second quarter of 2020 — a 328% increase from the same period a year ago. The Robinhood app added 3 million accounts in the first four months of 2020 and its payment for order flow revenue doubled from Q1 to Q2. In June, Robinhood saw 4.3 million daily average revenue trades (DARTs)—higher than all of the major incumbent brokerage firms and more than E-Trade and Charles Schwab combined. In May, Robinhood raised $280 million in venture funding, suggesting a then pre-money valuation of $8.3 billion. Then, on August 17th, Robinhood announced it had raised another $200 million, suggesting an $11.2 billion valuation. So, yes. Successful.

Robinhood and its peers have made an impact. The Wall Street Journal reported on August 24th that the S&P 500 hit a record close on the prior Friday—its first since February. FactSet reported the price/earnings ratio on the S&P 500 at 25.26—the highest since 2002—when the dot-com bubble burst and the Nasdaq Composite stock market index fell 78% from its peak. Meanwhile, unemployment is high and earnings remain under pressure from the COVID-19 pandemic. One trend credited in part for fueling this market and upsetting long-standing norms in capital markets is the tsunami-sized wave of retail trading by newbie investors. Many of them have begun investing with zero-fee trading apps such as Robinhood, Webull and Youinvest, but traditional brokers have seen massive growth, too.

But Robinhood seems different.

  • Tracking: Until recently, Robinhood’s investors’ trading data (available by API) was compiled and reported by Robintrack.net. Robintrack would report how many Robinhood users held a particular stock over time. It generated charts showing the relationship between price and popularity, and compiled some lists using the data. This data had become an obsession for investors and analysts looking to gauge the impact of retail investors on market behavior.
  • Fractional Shares: Also, Robinhood offers fractional shares. So, users can trade stocks and ETFs in pieces of shares, in addition to trading in whole share increments. Fractional shares on Robinhood can be as small as 1/1000000 of a share, and trading fractional shares is real-time and commission-free. Want to buy $25 of Tesla (trading at $2,170.02/share pre-market on August 24th)? No problem. Bloomberg reports that, “[s]tarting in late April, traffic to the site exploded, jumping from about 4,000 to anywhere between 20,000 and 50,000 unique users per day.” Robinhood’s users trade the riskiest products and at the fastest pace, according to research firm Alphacution for The New York Times. In the first three months of 2020, Robinhood users traded nine times as many shares as E-Trade customers and 40 times as many shares as Charles Schwab customers, per dollar in the average customer account in the most recent quarter.
  • Gamelike App: Trading on the Robinhood app is different, too. In what has been described as anything from “easy to use” to “gamelike,” Robinhood’s app fills users’ screens with digital confetti and information on other stocks that its users are buying. A recent Wall Street Journal article questioned whether the app made trading too easy—reporting that behavioral researchers say the app’s simplicity encourages novice investors to take bigger risks. While Robinhood asserts it doesn’t make recommendations to buy and sell securities, the app does show users related stocks that other Robinhood users also own.
  • Incentives: Free stock?? Really? It’s true. According to Robinhood’s website, “for every new friend you invite to join Robinhood, you can both earn a free stock! As soon as the conditions in your promotion are satisfied, we’ll credit both of your accounts with a free stock. You’re eligible to receive up to $500 in reward stocks each calendar year—so feel free to tell all your friends.”
  • Day Trading: Others blame unlimited free trading rather than Robinhood’s app for encouraging day-trading—and Robinhood asserts, “[t]he vast majority of Robinhood customers are not day traders.”
  • Payment for Order Flow Revenue Model: Robinhood derives its revenues from a controversial practice known as “payment for order flow,” in which companies pay to be the other side of a trade or at least to get the first right of refusal. This process could mean that a Robinhood order isn’t happening on a public exchange. Some say the process helps market efficiency, but others question whether the user is getting the best price for their trade.

The Robinhood Effect: Why are Robinhood’s users and other newbie investors being blamed for the irrational market behavior? Some had argued that Robintrack.net and other information Robinhood provides its users drove a momentum play that could become a self-fulfilling prophecy. Half of Robinhood’s 13 million users had never invested before signing up. Do these newbie investors understand the financial risks? Leon Cooperman, billionaire investor, doesn’t think so. In a recent CNBC interview, he cautioned, “[t]hey are just doing stupid things, and in my opinion, this will end in tears.” Where do many of these newbie Robinhood users look for information? From TikTok and other social platforms, naturally. TikTok videos under #robinhoodstocks have more than 3.1 million views and the #investing tag on TikTok has grown to 527.6 million views (both as of August 24th). Cooperman may be right!

Will recent changes temper the Robinhood Effect? Recently, Robinhood announced that it plans to curtail access to its API and certain data used by Robintrack.net that provided hourly updates on retail stock demand, and that became a hot fad on Wall Street. The data from the app showed broad trends among Robinhood users’ trading to display which stocks were popular with its clients. Robinhood will stop providing the feed on which the site’s information is based, asserting the move is out of concern that the data was often “misconstrued” and “misunderstood.” If these changes mean Robintrack.net is done (as seems to be the case), that may help Robinhood avoid some of the market attention it has received lately; however, it may not eliminate the momentum effect that some have attributed to Robinhood users and that may continue to be fueled by any information Robinhood continues to provide its users on the purchases of other users.

The Robinhood Effect, to me, is a D&O liability enigma. How should we factor in this sometimes seemingly non-traditional behavior and its impact on momentum investing? How should Robinhood users’ non-traditional information sources (like TikTok) affect how those users may factor into securities claims? I offer a few more specific questions that we may see answered sometime soon:

  • Should we look at stocks with high Robinhood/retail investor trading as having greater exposure to heightened severity? From a D&O liability perspective, inflated markets can signal the potential for increases in D&O losses with a significant potential for higher than normal severity. If Robinhood investors exacerbate that inflation, they may also increase potential D&O claim severity. Does that inflation warrant recalibrating upward how much D&O coverage is needed?
  • How will, if at all, the seemingly different mix of information underlying trading by Robinhood users change how those users are factored into securities class actions?
  • Can a user with 1/1000 of a share be included in a class of shareholders? I suspect yes, but wonder how this fractional share ownership could impact securities class action in the future.
  • Can users who relied solely on the information Robinhood provides about its other users’ trading avail themselves of a presumption of Fraud-on-the-Market? Can defendants with significant Robinhood trading in their stocks rebut any such presumption if it does apply? Would doing so be worth the effort?
  • Could the Robinhood Effect affect how class damages are calculated? Would documented Robinhood Effect inflation serve to support defense efforts to reduce and undermine plaintiff-style damages or the impact of inflationary disclosures?

It is worth keeping an eye on this Robinhood Effect. No-fee trading is likely here to stay. Fractional trading is too. While the investor information mix provided by any trading app can change with each revision, we may be revisiting Fraud-on-the-Market again sometime soon. Some of this phenomenon, at least, is more than a short-term fad.

D&O Round Table: Disruption and the Potential Effects on Organizations

In case you missed the PLUS Webinar on January 4, D&O Round Table: Disruption and the Potential Effects on Organizations, the full broadcast of that event is available for PLUS members to view in the Multimedia Library. Please note, you must be logged in to the website and a current member of PLUS in order to view this content.