Cyber regulations reach insurance industry with NAIC insurance data security model law
At least 18 states have adopted their version of an insurance data security act — and more are coming. The U.S. Treasury has recommended all states implement insurance cybersecurity regulations in 2022.
Compliance deadlines vary across the country. In some states, rules around data security and notification requirements are already in effect.
The new regulations impose requirements on insurers to:
- Conduct annual risk assessments
- Maintain an information security program
- Investigate cybersecurity events
- Notify the insurance commissioner of cybersecurity events — within three days in most states
- Notify consumers affected by a cybersecurity event
Insurance industry led on model law
States are patterning their laws after the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law. NAIC developed the model law in 2017, in response to federal calls for regulatory oversight. The model was created in an effort to standardize regulations across the U.S.
Where insurance data security laws are already in place?
So far, 18 states have enacted the NAIC Insurance Data Security Model Law. Below, shading indicates states where the initial information security program (ISP) compliance deadline has already passed:
| State | 1st ISP compliance deadline |
| Alabama | May 2020 |
| Connecticut | April 2021 |
| Delaware | July 2020 |
| Hawaii | July 2022 |
| Indiana | June 2021 |
| Iowa | January 2023 |
| Louisiana | August 2021 |
| Maine | January 2022 |
| Michigan | January 2022 |
| Minnesota | August 2022 |
| Mississippi | July 2020 |
| New Hampshire | January 2021 |
| North Dakota | August 2022 |
| Ohio | March 2020 |
| South Carolina | July 2019 |
| Tennesse | July 2022 |
| Virginia | July 2022 |
| Wisconsin | November 2022 |
Note for New York: Before the NAIC model law was complete, New York had already passed alternate legislation covering all financial services firms.
Who needs to comply?
In states that have enacted legislation, the law applies to licensees of the state insurance bureau. This includes (with some exceptions) insurance industry companies, agencies, agents, public adjusters and brokers.
Under the NAIC model law, the regulations apply to insurers with 10 employees or more. However, some states have softened that requirement.
In Wisconsin, for example, the law applies to licensed insurers with more than $10 million in year-end total assets, more than $5 million in gross revenue and at least 50 employees. Wisconsin has also made licensees exempt from the law if they can prove compliance with regulations under HIPAA or the Gramm-Leach-Bliley Act. Learn more here.
What are the insurance data security law requirements?
While state laws lay out general requirements for the protection of consumers’ nonpublic information, insurers are responsible for designing an ISP appropriate for the size and complexity of their business, the scope of their activities and the nature of the information they hold. Requirements include:
- Risk assessment: As a first step, insurers need to conduct an initial risk assessment. This includes identifying reasonably foreseeable internal and external threats, assessing potential damage and determining how well their systems and safeguards manage those threats.
- Information security program: The laws require insurers to maintain a comprehensive written information security program with appropriate physical, technical and administrative controls.
- Incident response plan: As part of the ISP, insurers need an incident response plan outlining how they will respond to and recover from a cybersecurity event.
Generally, the laws require prompt investigation once an organization is made aware that a cybersecurity event may have occurred. If an actual event occurs, the laws stipulate further rules and thresholds for notifying your state insurance commissioner and affected consumers. - Oversight of third-party service providers: Insurers will be required to exercise due diligence when working with third-party service providers and implement measures to protect systems and information. Most laws are set to phase in, giving insurers an extra year to meet this final requirement.
What insurance industry companies need to do now
Insurers need to review their information security programs and get ready to comply with the new laws that are either already here or are coming soon to their state.
Recognize that while the laws do create more regulatory requirements, compliance can help your organization improve its overall cybersecurity posture. Consumers expect you to protect their data, and this framework can help you do that
How Wipfli can help
Many initial information security program compliance deadlines have already passed, and more are coming up this year. Let Wipfli help you get into compliance with data security model law in your state(s).
Depending on your business’s needs, we offer a range of solutions. Let our team help you:
- Develop the foundation of your information security program and coach your team on how to comply with your state’s law.
- Complete a risk assessment to evaluate the effectiveness of your cybersecurity safeguards.
- Deploy technology to meet technical requirements.
- Implement managed detection and response to proactively monitor your network and defend against active threats.
- Maintain your ISP and stay compliant.
Our cybersecurity professionals bring experience in the insurance industry and can help your organization design a compliant program. Learn more.
Related content:
- Article: Data privacy vs. data security
- On-demand webinar: NAIC cybersecurity model rule implementation
- Article: $1.8 million penalty issued to financial services firms, signaling increased enforcement of NYDFS cybersecurity regulations
- Article: How CEOs can be proactive in cybersecurity
- Article: 3 benefits of blockchain for the insurance industry
Author(s)
