On October 24, the National Association of Insurance Commissioners (NAIC) Executive (EX) Committee and Plenary granted final approval to Version 6 (with technical corrections[i]) of the Insurance Data Security Model Law (Model). The Model is now available for consideration and adoption by the states. South Carolina and Vermont were the first to indicate their desire to submit the Model for their respective 2018 legislative calendars.
The Model, which ultimately seeks to create information security standards for insurers, required intensive efforts over the past 18 months by regulators, insurance industry representatives, and consumer advocates. Altogether, their work has generated six Model versions, numerous teleconferences, much negotiation, and over 640 pages of comments. Slipping in just before the end of National Cybersecurity Awareness Month,[ii] the final version of the Model passed with only one “No” vote.
As discussed in our August 14 client alert,[iii] the Model establishes risk-based "standards for data security and standards for the investigation of and notification to the Commissioner of a Cybersecurity Event applicable to Licensees." The Model defines licensees, with limited exceptions, as "individuals or non-governmental entities required to be authorized, registered, or licensed pursuant to a state's insurance laws." The Model's requirements include:
Based on a licensee’s individual risk assessment, the development, implementation, and maintenance of a comprehensive written information security program (ISP), including adjustments for changes in technology.
Oversight by the board of directors or appropriate board committee of the ISP and all third-party service providers, and the designation of a responsible person for the ISP.
Development of a written incident response plan.
Requirements regarding investigation and notification to the commissioner in the case of a cybersecurity event, which the Model defines as "an event resulting in unauthorized access to, disruption, or misuse of an information system or information stored on such system."
Annual certification to the commissioner that the licensee is in compliance with the Model's requirements, and a requirement to retain materials supporting the above certification for five years.
The Model significantly tracks New York's Cybersecurity Regulation (NY Regulation[iv]), and, in a drafting note, makes clear the NAIC’s intent that a licensee that is in compliance with the NY Regulation, is also in compliance with the Model.
The last remaining question is whether the Model will become an accreditation standard. This issue is the responsibility of the Financial Regulation Standards and Accreditation (F) Committee,[v] whose mission is to oversee the administration and enforcement of the NAIC Financial Regulation Standards and Accreditation Program. The industry will be watching its deliberations on this issue.
Carlton Fields Jorden Burt, P.A. will continue to monitor the Insurance Data Security Model Law's progress through the state legislative process and the NAIC’s F Committee.
[i] http://www.naic.org/documents/cmte_ex_171024_agenda_materials.pdf. The technical corrections are reflected in the Model redline contained in the Agenda and Materials document created for the October 24, 2017 Executive Committee and Plenary meeting.
[ii] https://www.dhs.gov/national-cyber-security-awareness-month. October 2017 marks the 5th Annual National Cybersecurity Awareness month, created by Presidential Proclamation on September 30, 2013.
[iii] See our August 14, 2017 alert "NAIC Cybersecurity Working Group Votes to Approve Insurance Data Security Model Law" https://www.carltonfields.com/naic-cybersecurity-working-group-votes-to-approve-insurance-data-security-model-law-08-14-2017/.