Be Prepared! NAIC Cybersecurity Model Law on the Way...
By Jean Adams-Harris, CPA, CFE, CISA, AES, MCM, Partner
Can you imagine returning to the days of paper documentation? It’s difficult to fathom the amount of physical space required to house that much paper. Fortunately, technology allows entities to store inordinate amounts of data fairly inexpensively. Unfortunately, without the right security in place, that data can be breached by hackers and misused.
With that in mind, the National Association of Insurance Commissioners (NAIC) Cybersecurity (EX) Task Force is developing an Insurance Data Security Model Law (Cybersecurity Model Law). The bulk of the draft Cybersecurity Model Law addresses:
Implementing an Information Security Program
Each licensee (insurers, brokers, and agents) must have a written information security program to protect consumer personal information. The security program should document the results of the licensee’s risk assessment and its plan to mitigate the identified risks. The Board of Directors, or an appropriate committee, will have oversight responsibility and must require an annual written report that addresses the licensee’s compliance with the security program and any recommended changes to it. Licensees may contract with third-party service providers to implement and maintain a security program; however, the licensee remains responsible for any failures of those third-party service providers.
Investigation and Notification of a Data Breach
Once a licensee is aware that a data breach has or could have occurred, it must promptly investigate the breach. If personal information has in fact been breached, the licensee must notify the following:
- Affected consumers
- Insurance commissioners
- Law enforcement agencies
- Payment card networks, when such information is involved
- Consumer reporting agencies, when 500 or more consumers are involved
The timing and required contents of the notification depend on the party being notified.
Comments on the Cybersecurity Model Law
The NAIC received upwards of 130 pages of comments from regulators and interested parties on each of its first and second drafts of the Cybersecurity Model Law. The comments have focused on clearly defining certain terms (e.g., data breach and personal information) while providing flexibility in implementation, such as allowing the use of NIST (National Institute of Standards and Technology) or other frameworks. The NAIC held three calls in the latter half of November to obtain further feedback and revise the second draft. Please visit the NAIC’s Cybersecurity (EX) Task Force webpage for the current draft of the Model Law and recent developments.