Vendor Centric Blog

A Third-Party Compliance Snapshot for Insurance Companies

New Regulations for Insurers


Insurance companies collect and maintain significant amounts of sensitive, nonpublic information. Not surprisingly, they are a target of cyberattacks and a few have faced some of the largest data breaches reported to date. In response, the National Association of Insurance Commissioners (NAIC) adopted a Data Security Model Law in November 2017. The Model Law is intended to provide a benchmark for any cybersecurity program. 


The requirements in the Model Law track some familiar data security frameworks, such as the HIPAA Security Rule. The Model Law also has many similarities to the New York State Department of Financial Services (NYDFS) cybersecurity regulation (specifically 23 NYCRR 500). Licensees are not subject to the Model Law unless the state in which they are licensed adopts a version of it. To date, the following nine (9) states have adopted a version of the NAIC Model Law (with other states discussing adoption in the future):


  1. Alabama

  2. Connecticut

  3. Delaware

  4. Michigan

  5. Mississippi

  6. New Hampshire

  7. New York (NYDFS, not NAIC)

  8. Ohio

  9. South Carolina


What This Means to Licensed Insurance Companies


If your insurance company (underwriters, brokers and agents) is licensed in one or more of the states that have enacted these regulations, you are required to comply with their requirements. At a minimum, it is important to hold a discussion with stakeholders from Compliance, Risk and IT to establish where you are in the process of building your cyber program and complying with the NYDFS regulation and the NAIC Model Law.

This can include determining if you need to:


  • Establish your cyber program or third-party management program

  • Assess the program you already have in place to determine if it is in compliance

  • Perform an audit of activities to confirm that policies and procedures are being followed and adequately documented.

  • Identify ongoing support and resource requirements for the Chief Information Security Officer (CISO) or the Vendor Management Office (VMO).


This is not just an exercise of putting a policy in place and checking it off a compliance checklist. There are ongoing risk management and operational activities that must be certified annually to the state's insurance commissioner.


If you have not already done so, you should complete a thorough internal review with all key stakeholders, including your CISO. You should share the findings of this review with your Board and keep them apprised of the status of your preparation. Lastly, it is good practice to consult external subject matter experts so that you have insights from people who have worked with these regulations before and understand how other insurance companies (your peers) are preparing for them.


The positive outcome of all of these emerging regulatory actions is that your organization will have no choice but to ensure you have in place the people, policies and processes required to mitigate your information security risk.


Copyright © 2018 Vendor Centric. All rights reserved.