In a year punctuated by high-profile, costly information-security breaches, at least one headline served as a reminder that people — not machines, software, programming or algorithms — are often the weakest link when it comes to cybersecurity.

Two months ago, news outlets in Colorado reported that a local chiropractor's discarded patient files showed up in an unsecured alley dumpster. The paper records included individuals' names, addresses, Social Security numbers, insurance information and health history.

"You think (your private information) is going to be secure," one of the people impacted by the event told Denver’s Fox31 news. "…Not left out in an alley for people to get at, look at, and possibly commit fraud or whatever with your Social Security number and valuable information."

Leaving such sensitive information out in the open may seem shortsighted and negligent to risk-averse insurance industry professionals. But some IT experts argue that in cyberspace, failing to apply a routine software patch, which was reportedly the cause of this year's milestone Equifax breach, is basically the same as leaving the door wide open to a company's digital storage closet.

This much we know

Cybersecurity has risen to be among the top finance and insurance industry concerns. The number and types of cyber threats are expected to multiply quickly, along with the already-staggering losses related to such events.

Members of the National Association of Insurance Commissioners (NAIC) recognized the rising need for guidance around cybersecurity insurance regulation in 2014 and 2015 when they formed and populated a Cybersecurity Task Force.

"It had become pretty apparent that regulators needed to take a deep dive with respect to what the cyber security framework was or wasn't in the insurance space," says Adam Hamm. The former NAIC president helped found the organization's Cybersecurity Task Force, and now serves as a managing director at the international business consultancy Protiviti.

Regulators bear fruit

In October, NAIC members adopted an Insurance Data Security Model Law to provide guidance for carriers, agents, brokers and their business partners with regard to data security, investigation and breach notification.

"Considering the recent series of data breaches, cybersecurity is more important now than ever," Ted Nickel, NAIC president and Wisconsin Insurance Commissioner, said in a press release about the model law. "Regulators have a critical role to play in protecting consumers as the cyber landscape continues to evolve and this model law sets cybersecurity customs for insurers to help safeguard consumers."

Here are five things that people working in and with the insurance industry should know about the NAIC's Insurance Data Security Model Law and the insurance industry's ongoing work to get ahead of cyber threats.

The National Association of Insurance Commissioners adopted the Insurance Data Security Model Law today during a joint meeting of the Executive Committee and Plenary at the end of October, which is the same month dubbed National Cyber Security Awareness Month by the U.S. Department of Homeland Security. (Photo: iStock)

No. 5: The NAIC model law acknowledges the evolving cyber risk landscape.

Adam Hamm served as North Dakota's elected insurance commissioner from 2007 to 2016. He says cyber risk is as urgent an issue as he ever worked on during that decade as an insurance regulator.

It follows that insurers, agents and brokers face a pressing need not only to protect their own data but also to build products and services that safeguard clients and customers.

Cyber insurance is growing and changing, Hamm said, and regulators need to help drive those conversations.

"The point that we're at now, with the maturity of the cyber insurance market, is there's this lack of numbers and data," Hamm says. "That means (cyber risk) is a tough question to answer, because there aren't really any spots that are aggregating the hard data — specifically claims data."

Two years and six drafts later

The NAIC's Insurance Data Security Model Law progressed through the NAIC Innovation and Technology (EX) Task Force and what is now called the Cybersecurity Working Group, which solicited input from regulators as well as industry and consumer representatives throughout the drafting process.

"We've made significant progress on cybersecurity this year and passing this model law creates a platform that enhances our mission of protecting consumers," said Raymond G. Farmer, NAIC Secretary-Treasurer, South Carolina Insurance Director and chair of the Cybersecurity Working Group.

The NAIC's Insurance Data Security Model Law defines a "cybersecurity event" as any act that results in unauthorized access to and misuse of company data. (Photo: iStock)

No. 4: The NAIC model law is informed by New York State's cybersecurity requirements for financial companies.

On March 1, New York became the first state in the country to enact a law requiring banks, insurance companies and other financial services institutions to maintain a cybersecurity program.

The law applies to any company regulated by the New York Department of Financial Services (DFS) and was "designed to protect consumers' private data and ensure the safety and soundness of New York’s financial services industry."

The law sets into motion minimum cybersecurity requirements that should protect consumers while preventing future cyber breaches. These minimum standards include:

  • Controls relating to the governance framework for a robust cybersecurity program, including requirements for a program that is adequately funded and staffed, overseen by qualified management, and reported on periodically to the most senior governing body of the organization;
  • Risk-based minimum standards for technology systems including access controls, data protection including encryption, and penetration testing;
  • Required minimum standards to help address any cyber breaches, including an incident response plan, preservation of data to respond to such breaches, and notice to DFS of material events; and
  • Accountability by requiring identification and documentation of material deficiencies, remediation plans and annual certifications of regulatory compliance to DFS.

New York's entire financial services community was required to become compliant with the law by the end of August, giving insurance companies there a step up with regard to falling in line with recommendations made in the NAIC's model law.

A key difference between the New York Department of Financial Services law and the NAIC's proposed legislation is that the latter would only apply to the insurance industry.

A "model law" is more of a recommendation than a requirement. (Photo: iStock)

No. 3: A NAIC model law is not the same as enacted law.

The NAIC's Insurance Data Security Model Law creates a framework from which insurance regulators in each state can build their own cybersecurity rules. As a "model law," it is not legally binding.

Larry Hamilton is leader of the insurance regulatory practice at Mayer Brown, the international law firm based in Chicago that maintains a robust cybersecurity and data privacy practice. Hamilton explains:

"It will only apply to licensees in any given state if it's enacted into law by the legislature of that state. Furthermore, each state will have the freedom to modify the wording of the model law as it sees fit, if and when it does enact the model law in that state."

It is possible, though some say unlikely, that the NAIC could move to make its model law part of its national accreditation standards.

In addition to outlining cybersecurity steps for insurance carriers, agents and brokers, the model law also applies to third-party insurance industry business partners. (Photo: iStock)

No. 2: The NAIC model law outlines specific cybersecurity practices for insurance businesses.

Jeff Taft is a financial services regulatory attorney at Mayer Brown.

Taft explains that the NAIC's model law requires every insurance licensee to maintain a written cybersecurity policy and to implement a risk-based cybersecurity program.

A licensee must also satisfy specific requirements related to its:

  • Information security program,
  • Risk assessment and management,
  • Third party service providers,
  • Incident reporting and notification,
  • Annual certifications,
  • Exceptions and exemptions, and
  • Confidentiality.

A complete draft of the model law is available to review on the NAIC's website. (Photo: iStock)

No. 1: Company boards are expected to take the lead.

The model law outlines a system and sets out a type of checks and balances for any licensee's information security program by requiring annual program reporting to the board of directors. This report must include recommendations to remedy any potential weak links in the company's IT security program.

"This concept of reporting up to the board and board oversight is very much a part of the New York Department of Financial Services Cybersecurity Regulation and is also found in the model law," Hamilton says. "That level of board accountability is quite important."

Elana Ashanti Jefferson

Elana Ashanti Jefferson serves as ALM's PropertyCasualty360 Group Chief Editor. She is a veteran journalist and communications professional. Reach her by sending an e-mail to [email protected].