Understanding the NAIC Insurance Data Security Model Law

Analyzing a model cybersecurity law

Apr 11, 2019
Cybersecurity consulting Regulatory compliance

Payment card industry (PCI) cybersecurity regulations were designed to protect credit card holder data. In addition, the Health Insurance Portability and Accountability Act (HIPAA) regulations were developed for protected health information (PHI). Soon, insurance organizations will have to comply with yet another regulation: National Association of Insurance Commissioners (NAIC) regulations for insurance data.

In October 2017, the NAIC approved an Insurance Data Security Model Law. The NAIC’s model law establishes a legal framework for requiring insurance organizations to operate complete cybersecurity programs, including everything from planned cybersecurity testing and board-level involvement in the information security program to incident response plans and specific breach notification procedures.

Although it is currently only a model law and not enforceable until approved and adopted by individual states, the NAIC has an aggressive goal of encouraging “legislatures or regulatory bodies to adopt the model law, with as few changes as possible, in a majority of states within three years.” Additionally, once a state adopts the law, insurers will only have one year to comply with nearly all the regulations.

This timeline will affect mid-market insurers the most, as many still do not have many of the provisions of the law in place. With adoption and implementation imminent, it’s important to understand how these regulations might apply to your organization and what you can do now to start preparing for compliance.

What is it and what’s in it?

When the model law was first approved, NAIC’s president, Ted Nickel, said, “Regulators have a critical role to play in protecting consumers as the cyber landscape continues to evolve and this model law sets cybersecurity customs for insurers to help safeguard consumers.”

What are those cybersecurity customs that regulators will be looking for? The NAIC points to a list of 12 Principles for Effective Cybersecurity that provides a useful benchmark for any cybersecurity program. Additionally, the NAIC’s model law is closely aligned with New York State Department of Financial Services (NYDFS) regulations (specifically the 23 NYCRR 500). However, there are a few key differences between the NYDFS rules and the new NAIC regulations.

Board involvement

First and perhaps most important: the NAIC model law requires a company’s board of directors to oversee its information security program. Even if executive management delegates responsibilities to an individual or committee, the board is still required to “receive a report from the delegate(s) complying with the requirements” and to annually report on the overall status on the security program. Although NYDFS has similar regulations, NAIC language is stronger and more direct about the role of the board.

Annual testing

Although the NAIC’s requirement for board involvement is stricter than NYDFS regulations, NAIC’s requirements for annual testing are more lenient. NYDFS regulations specifically require penetration testing and vulnerability assessments. The NAIC model law, however, only states that organizations must “no less than annually, assess the effectiveness of the safeguards’ key controls, systems and procedures.” Once the law is adopted and implemented these requirements might be more specific, but for now the NAIC is vague about what kind of annual assessments are required.

Event reporting

Perhaps the most detailed requirements in the NAIC model law are those related to notifying the state’s insurance commissioner in the case of a cybersecurity event. Almost any event that involves the nonpublic information (NPI) of 250 or more customers must be reported to the commissioner within 72 hours of discovery.

Additionally, the NAIC provides a list of 13 categories of information that must be reported in the case of an event, including the date it occurred, how it was discovered, what data was accessed or lost, the estimated number of customers affected, whether the police were notified, etc. These requirements are much more thorough than the NYDFS regulations.

There are other differences between NAIC and NYDFS, but these are perhaps the most notable. For the most part, the two regulations are aligned well enough that organizations complying with one will not have much difficulty complying with the other.

How to prepare

If you are already working to comply with NYDFS, we suggest reviewing the NAIC Insurance Data Security Model Law as well as your own policies and procedures to ensure you are on the right track.

However, if you are just getting started, there are a few important steps you can take right now:

1. Establish a team

Determine the individuals or group that will manage the development of a security program. This can be developed in-house or outsourced to an experienced third party (such as a virtual chief information security officer (CISO)). This team should establish a security road map, set a timeline and regularly report to the board on its progress.

2. Assess your current state

Perform a risk assessment with a specific NAIC Insurance Data Security Model Law focus. Part of this process will involve conducting a data discovery to determine how NPI is stored, processed, transmitted and accessed within your environment. This includes mapping your current business processes and data flows as well as identifying roles and responsibilities for each of those processes.

3. Implement process changes

Once you have determined who owns each process as well as how much risk that process poses to your organization, the owner should then take responsibility for reducing or remediating that risk. You can achieve this by consolidating business processes and revising dataflows wherever possible to reduce scope and align with the proper framework. Additionally, by assigning a dollar figure to the process and risk associated with that process, your security team can provide the board with an understanding of where the next security dollar is best spent.

4. Conduct security assessments

Perform vulnerability assessments and penetration tests to identify specific vulnerabilities within your environment. Follow a prioritized remediation plan to address the vulnerabilities and strengthen external and internal security. To do this, you will also need to develop specific security programs such as a vulnerability management, patch management and security awareness.

5. Advance maturity

Develop monitoring and detection capabilities as well as defined incident response procedures. Leverage the results of annual assessments to prioritize remediation efforts and adjust your security road map to ensure you are progressing. Additionally, build and maintain security policies to ensure consistent repeatable processes.

6. Integrate security with third-party providers

The final step is to enforce the security standards onto third-party providers to ensure they too are protecting your customers’ sensitive information.

Take action

Beginning this process now, before the NAIC Insurance Data Security Model Law is adopted and implemented in your state, will help ensure a smooth transition. Organizations that invest time in developing secure infrastructure, processes and culture will not only achieve a higher level of security, they will do so in a more financially efficient manner than those who perpetually waste resources on last-minute, short-term fixes.

Customers expect you to protect their data. Measures implemented to meet the requirements in the model law, therefore, may well also give your organization a competitive edge in discussions with clients. In this way, you can transform these new regulations from a challenge to an opportunity.

RSM contributors