The National Association of Insurance Commissioners (NAIC) recently adopted the Insurance Data Security Model Law to protect against increasing cybersecurity threats and data breaches. The new model law creates a standardized control baseline for data security safeguards with the goal of protecting nonpublic policyholder information. Here are some of the key provisions.
Information Security Program
Under the new law, each insurer would be required to maintain a comprehensive Information Security Program to protect the security of information systems and confidentiality of policyholder information against threats and unauthorized access. Annually, each insurer would submit to the state commissioner a written statement certifying compliance with the law's requirements and maintain all records, schedules, and data supporting this statement.
Ongoing risk assessments
Insurers would conduct ongoing risk assessments to identify internal and external threats that could result in unauthorized access and misuse of policyholder information. This includes an assessment of the likelihood and potential damage of these threats, along with the sufficiency of policies, procedures, and other safeguards in place to manage identified threats. The insurers would be required to assess the effectiveness of the safeguards’ key controls, systems, and procedures.
Mitigating identified risks
Each insurer’s board and senior management would be responsible for overseeing the implementation of a risk management program based on the ongoing assessments and for monitoring that program. Risk management efforts would be aligned with the size and complexity of the organization and would include addressing cybersecurity risks in the enterprise risk management process, staying informed of emerging threats and vulnerabilities, and providing employees with regular cybersecurity awareness training.
Incident response planning
As part of the Information Security Program, insurers also would design a written incident response plan to respond appropriately to any incident that compromises the confidentiality or integrity of policyholder information or information systems, or the continued functionality of operations.
Investigation and notification of a cybersecurity event
If an insurer learns that a possible cybersecurity event has occurred, it would conduct a prompt investigation to verify that an incident has taken place, assess the nature and scope of the breach, identify sensitive data that may be affected, and restore the security of the compromised information systems. The new law requires notifying the state commissioner within 72 hours of an identified cybersecurity event. In addition, consumers must be notified in accordance with their respective state’s data breach notification laws.
Keep in mind, some states may take longer to ratify than others, and certain modifications are possible. For some organizations, implementing an information security program and related controls will require a significant investment of time and resources. Start planning now if you haven’t already begun.
If you have any questions about the new model law, please give us a call.