Coming Soon to a State Near You: Cybersecurity Regulation

Dickinson, Mackaman, Tyler & Hagen, P.C.

Ever since the New York Department of Financial Services (“NYDFS”) enacted its cybersecurity regulation for financial institutions and related organizations, other states have started to enact cybersecurity regulations of their own. South Carolina became the latest state to enact a version of the National Association of Insurance Commissioners (“NAIC”) model cybersecurity law, which is based on the NYDFS regulation.

The model NAIC law applies to organizations that are required to comply with state insurance laws. This would typically include insurance agencies and brokerages that do business in a particular state. Under the model law, these organizations are required to develop an information security program to mitigate the risk of a cybersecurity incident. That program must include:

  • Conducting routine risk assessments to determine the organization’s internal and external vulnerabilities, taking into consideration the likelihood of a particular kind of incident;
  • Assessing and developing policies designed to mitigate a particular vulnerability;
  • Training employees to help them identify particular risks and how to avoid them; and
  • Implementing other safeguards to mitigate identified risks.

This framework is nothing new for organizations that have already recognized that cybersecurity is a significant source of risk. Many regulations and guidance already recommend or require a risk assessment. What might be new for many organizations, however, is the NAIC model law’s recommendation of specific practices to consider implementing, such as:

  • Placing access controls on certain systems and data, and limiting employee access to certain systems and data;
  • Identifying and limiting the number of devices that can access core systems;
  • Restricting physical access to certain systems;
  • Encrypting sensitive nonpublic information;
  • Adopting secure development practices for in-house technology and applications;
  • Updating systems to comply with the information security program;
  • Implementing controls like multi-factor authentication to verify user identities;
  • Regularly testing systems to determine whether they actually deter attempted intrusions;
  • Verifying that audit trails are maintained by internal systems;
  • Preparing backups to mitigate risk of loss from natural disasters; and
  • Developing procedures for the disposal of nonpublic information.

Overall, NAIC’s model law is similar to cybersecurity guidance issued by many other regulators. This blog recently covered some of the common cybersecurity themes that cut across all industries.

Organizations of all kinds should pay close attention to the NAIC model law, and others like it, because the increasing pace of cybersecurity incidents shows no signs of slowing down. Organizations should consider whether compliance with something like the NAIC model law can assist their cybersecurity preparedness, even if the organization is in a different industry. Odds are good that eventually most organizations will have to comply with a cybersecurity regulation of some kind, so it makes sense for organizations to work with knowledgeable professionals to stay ahead of the curve.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dickinson, Mackaman, Tyler & Hagen, P.C. | Attorney Advertising
