On Oct. 24, the National Association of Insurance Commissionersformally approved the Insurance Data Security Model Law.

The NAIC is a standard setting and regulatory supportorganization consisting of the top insurance regulators from the 50states, District of Columbia and five U.S. territories.

The model law applies to “licensees,” which are defined aspersons and nongovernmental business entities subject to theinsurance laws of the state adopting the model law.

In Pennsylvania, for example, this would encompass insurancecompanies and insurance producers (i.e., agents, agencies andbrokers). Notably, this applies to nonresident licensees except forpurchasing groups, risk retention groups or when acting as assuminginsurer.

For example, a financial expert in a state that has not adoptedthe model law, is potentially subject to the model law if they arealso licensed in another state that has adopted the model law.Thus, it will be important to track what states enact the model lawand also how uniformly the model law is enacted state to state.

Standards

The intent of the model law is to establish standards for datasecurity, the investigation of cybersecurity events andnotification of the commissioner of cybersecurity events. In orderto understand how the model law attempts to meet those objectivesit is necessary to understand how the model law has defined thedifferent elements that are involved in cybersecurity.

A cybersecurity event is defined as “an event resulting inunauthorized access to, disruption or misuses of, an informationsystem or information stored on such information system.”Information system is defined broadly as “a discrete set ofelectronic information resources organized for the collection,processing, maintenance, use, sharing, dissemination or dispositionof electronic information …” and expressly includes “specializedsystems such as industrial/process controls systems, telephoneswitching and private branch exchange systems, and environmentalcontrol systems.”

Information security program means “the administrative,technical and physical safeguards that a licensee uses to access,collect, distribute, process, protect, store, use, transmit,dispose of or otherwise handle nonpublic information.”

Written Security Program Required

The model law requires licensees to implement a comprehensivewritten information security program based on the licensees' riskassessment. As part of the information security program thelicensee must designate an individual (who can come from a thirdparty) to be responsible for the information security program.

The risk assessment must:

• Identify reasonably foreseeable internal and external threats tononpublic information including any information systems ornonpublic information that are controlled or accessible bythird-party service providers;

• Assess the likelihood and severity of damage by these potentialthreats;

• Assess the sufficiency of existing policies, procedures andtechnology in place to protect against such threats; and

• Implement information safeguards to manage the identifiedthreats and at least annually assess their effectiveness.

The model law puts special emphasis in assessing the licensees'policies, procedures, information systems and safeguards withrespect to:

• Employee training and management;

• Information systems including information classification,governance, processing, storage, transmission and disposal; and

• Detecting, preventing and responding to attacks, intrusions,orother system failures.

Required Investigation and Notification

The model law also contains detailed provisions regarding theinvestigation of and notification regarding cybersecurity events.Licensees must investigate whenever there is or may have been acybersecurity event. The investigation can be performed by anoutside vendor on behalf of the licensee.

There are separate notification requirements for thecommissioner, consumers and reinsurers. The commissioner also hasthe authority to investigate licensees' compliance with the modellaw and to take action to enforce the model law.

Importantly, the model law provides for confidentiality ofinformation provided pursuant to a licensee's annual certificationunder Section 4(I) and much of the information that must bereported to the commissioner following a cybersecurity event underSection 6 and investigations under Section 7.

The model law expressly provides that these documents are notsubject to freedom of information act or similar laws, subpoenas ordiscovery in civil actions and are inadmissible in civilactions.

In addition, licensees subject to HIPPA that have establishedand maintain information security programs pursuant to HIPPA aredeemed to be in compliance with Section 4. In Section 10 the modellaw contemplates penalties for noncompliance in accordance with theenacting state's general penalty statute. Section 11, which isnoted as optional, allows for the implementation of additionalrules and regulations necessary to carry out the provisions of themodel law.

N.Y. Cybersecurity Rules

The model law is similar, but not identical, in structure andscope to New York's recent cybersecurity rules applicable to banks,insurance companies and other financial services companies, 23NYCRR 500 (N.Y. cyber rules). The model law contains a draftingnote indicating it is the drafters' intent that if a licensee is incompliance with the N.Y. cyber rules then the licensee is incompliance with the model law.

Like the N.Y. cyber rules the model law is based on a riskassessment or risk management approach to cybersecurity. Thisapproach is widely regarded as a best practice in terms of approachto cybersecurity. What is still very much in question is theability of regulations of this type to actually improvecybersecurity. As both the model law and N.Y. cyber rules tacitlyacknowledge, there is no perfect answer or approach tocybersecurity.

Security measures necessary and appropriate for large companieswill often not fit smaller companies and vice versa. Examplesinclude the frequency and sophistication of penetration and othertesting methods and the scope and intensity of employee training.Further, it is widely accepted by security experts that everybodyis vulnerable no matter how rigorous their cybersecurity is. Canregulations effectively improve cybersecurity in this type of riskenvironment? We shall see.

Open Questions

Another critical hurdle facing the model law that will greatlyimpact how effective it is in improving cybersecurity, is howwidely and uniformly it is adopted by states. These are issues thatoften plague model laws regardless of subject and there arenumerous examples of limited adoption, lack of uniformity ofadoption, or both in existing model laws. Penalties and enforcementare another area that could potentially vary greatly state tostate.

The NAIC looks to have come up with a fairly balanced approachto cybersecurity regulation and companies large and small would bewise to follow many of the processes and procedures required by themodel law. But there are many open questions surrounding the modellaw the answers to which will determine its success at improvingcybersecurity in the insurance industry and as a model for otherindustries to follow.