Ever since the New York Department of Financial Services (“NYDFS”) enacted its cybersecurity regulation for financial institutions and related organizations, other states have started to enact cybersecurity regulations of their own. South Carolina became the latest state to enact a version of the National Association of Insurance Commissioners (“NAIC”) model cybersecurity law, which is based on the NYDFS regulation.
The NAIC model law applies to organizations that are required to comply with state insurance laws. This would typically include insurance agencies and brokerages that do business in a particular state. Under the model law, these organizations are required to develop an information security program to mitigate the risk of a cybersecurity incident. That program must include:
This framework is nothing new for organizations that have already recognized that cybersecurity is a significant source of risk. Many regulations and guidance already recommend or require a risk assessment. What might be new for many organizations, however, is the NAIC model law’s recommendation of specific practices to consider implementing, such as:
Overall, NAIC’s model law is similar to cybersecurity guidance issued by many other regulators. This blog recently covered some of the common cybersecurity themes that cut across all industries.
Organizations of all kinds should pay close attention to the NAIC model law, and others like it, because the increasing pace of cybersecurity incidents shows no signs of slowing down. Organizations should consider whether compliance with something like the NAIC model law can assist their cybersecurity preparedness, even if the organization is in a different industry. Odds are good that eventually most organizations will have to comply with a cybersecurity regulation of some kind, so it makes sense for organizations to work with knowledgeable professionals to stay ahead of the curve.