A Third-Party Compliance Snapshot for Insurance Companies

New Regulations for Insurers

Insurance companies collect and maintain significant amounts of sensitive, nonpublic information. Not surprisingly, they are a target of cyberattacks and a few have faced some of the largest data breaches reported to date. In response, the National Association of Insurance Commissioners (NAIC) adopted a Data Security Model Law in November 2017. The Model Law is intended to provide a benchmark for any cybersecurity program.

The requirements in the Model Law track some familiar data security frameworks, such as the HIPAA Security Rule. It also has many similarities to the New York State Department of Financial Services (NYDFS) regulations (specifically the 23 NYCRR 500). Licensees are not subject to the Model Law unless the state where that licensee is licensed adopts a version of the Model Law. To date, the following nine (9) states have adopted a version of the NAIC Model Law (with other states talking about adoption in the future):

1. Alabama
2. Connecticut
3. Delaware
4. Michigan
5. Mississippi
6. New Hampshire
7. New York (NYDFS, not NAIC)
8. Ohio
9. South Carolina

What This Means to Licensed Insurance Companies

If your insurance company (underwriters, brokers and agents) is licensed in one or more of the states which have enacted these regulations, you are required to comply with the requirements. It is important to have a discussion with stakeholders from Compliance, Risk and IT at a minimum to explore where you are in the process of establishing your cyber program and complying with the NYDFS and NAIC Model Law.

This can include determining if you need to:

• Establish your cyber program or third-party management program
• Assess the program you already have in place to determine if it is in compliance
• Perform an audit of activities to confirm that policies and procedures are being followed and adequately documented, on audit.
• Identify ongoing support and resource requirements for Chief Information Security Officer (CISO) or Vendor Management Office (VMO).

This is not just an exercise of putting a policy in place and checking this off of a compliance checklist as there are ongoing risk management and operational activities which need to be certified on an annual basis to the state’s insurance commissioner.

If you have not already done so, you should complete a thorough internal review process with all key stakeholders including your CISO. It is certainly advised that you should share findings of this review with your Board and keep them apprised of the status of your preparation. Lastly, it is also a good practice to consult with external subject matter experts to ensure you have insights from people that have worked with these regulations previously and understand what other insurance companies (your peers) are doing to prepare for these regulations.

The positive outcome of all of these emerging regulatory actions is that your organization will have no choice but to ensure you have in place the people, policies and processes required to mitigate your information security risk.