Insurance Data Security Model Law: A Response to Recent Cybersecurity Threats
By John Fritz, Brendan MacKinnon, & Margarete Chalker, Plante Moran

We hear about new data breaches every day. The news is full of organizations that have suffered a breach, tried to cover it up, or paid a ransom to recover customer data, and the attacks will keep coming as businesses rely on ever larger amounts of data.


Because of this, organizations need to maintain higher data security standards proactively to protect both customer and employee data. The insurance industry has now responded to these threats with a new model law.

As many of you know, the National Association of Insurance Commissioners (NAIC) recently adopted the Insurance Data Security Model Law to address increasing cybersecurity threats and data breaches. The model law establishes a standardized baseline of data security controls aimed at protecting nonpublic policyholder information. Note that a model law has no force until a state enacts it, so the obligations below apply only as each state adopts the law, possibly with modifications. Here are some of the key provisions to consider and understand as you begin to implement the requirements.

Information Security Program

Under the new law, each insurer would be required to maintain a comprehensive written Information Security Program that protects the security of its information systems and the security and confidentiality of policyholder information against threats and unauthorized access. Annually, each insurer would submit to the state commissioner a written statement certifying compliance with the law's requirements, and it must retain all records, schedules, and data supporting that statement so the certification can be examined.

Ongoing risk assessments

Insurers would conduct ongoing risk assessments to identify reasonably foreseeable internal and external threats that could result in unauthorized access to, or misuse of, policyholder information. Each assessment covers the likelihood and potential damage of those threats, along with the sufficiency of the policies, procedures, and other safeguards in place to manage them. Insurers would also be required to assess the effectiveness of the key controls, systems, and procedures that make up those safeguards, not merely confirm that they exist on paper.

Mitigating identified risks

Each insurer's board and senior management would be responsible for overseeing the implementation of a risk management program based on the ongoing assessments, and for monitoring that program. Risk management efforts would be scaled to the size and complexity of the organization and would include addressing cybersecurity risk in the enterprise risk management process, staying informed of emerging threats and vulnerabilities, and providing employees with regular cybersecurity awareness training.

Incident response planning

As part of the Information Security Program, insurers would also maintain a written incident response plan that allows them to respond promptly and appropriately to any event that compromises the confidentiality, integrity, or availability of policyholder information or information systems, or the continued functionality of operations.

Investigation and notification of a cybersecurity event

If an insurer learns that a cybersecurity event may have occurred, it would conduct a prompt investigation to determine whether an event has in fact taken place, assess its nature and scope, identify any sensitive data that may have been affected, and restore the security of the compromised information systems. The model law requires notifying the state commissioner as promptly as possible, and no later than 72 hours after the insurer determines that a cybersecurity event has occurred; because the clock runs from that determination rather than from the original intrusion, the incident response plan should record when and by whom that determination is made. In addition, affected consumers must be notified in accordance with the data breach notification laws of their respective states.

It's important to remember that some states will take longer than others to enact the model law, and that states may modify it as they adopt it. For some organizations, implementing an information security program and the related controls will require a significant investment of time and resources.

We recommend that organizations start planning now if they haven't already. The increasing number of data breaches at both large and small companies will keep data security at the forefront of organizations' strategic plans and consumer concerns.

To learn more, contact a member of the team below:

John Fritz 312-980-3354

Brendan MacKinnon 312-980-3397

Margarete Chalker 517-336-7548 

Published in the December issue of eInterpreter.