In a year punctuated by high-profile, costly information-security breaches, at least one headline served as a reminder that people — not machines, software, programming or algorithms — are often the weakest link when it comes to cybersecurity.
Two months ago, news outlets in Colorado reported that a local chiropractor’s discarded patient files showed up in an unsecured alley dumpster. The paper records included individuals’ names, addresses, Social Security numbers, insurance information and health history.
“You think (your private information) is going to be secure,” one of the people impacted by the event told Denver’s Fox31 news. “…Not left out in an alley for people to get at, look at, and possibly commit fraud or whatever with your Social Security number and valuable information.”
Leaving such sensitive information out in the open may seem shortsighted and negligent to risk-averse insurance industry professionals. But some IT experts argue that in cyber space, failing to update a routine software patch, which was reportedly the cause of this year’s milestone Equifax breach, is basically the same as leaving the door wide open to a company’s digital storage closet.
This much we know
Cybersecurity has risen to be among the top finance and insurance industry concerns. The number and types of cyber threats is expected to multiply quickly, along with the already-staggering losses related to such events.
Members of the National Association of Insurance Commissioners (NAIC) recognized the rising need for guidance around cybersecurity insurance regulation in 2014 and 2015 when they formed and populated a Cybersecurity Task Force.
“It had become pretty apparent that regulators needed to take a deep dive with respect to what the cyber security framework was or wasn’t in the insurance space,” says Adam Hamm. The former NAIC president helped found the organization’s Cybersecurity Task Force, and now serves as a managing director at the international business consultancy Protiviti.
Regulators bear fruit
In October, NAIC members adopted an Insurance Data Security Model Law to provide guidance for carriers, agents, brokers and their business partners with regard to data security, investigation and breach notification.
“Considering the recent series of data breaches, cybersecurity is more important now than ever,” Ted Nickel, NAIC president and Wisconsin Insurance Commissioner, said in a press release about the model law. “Regulators have a critical role to play in protecting consumers as the cyber landscape continues to evolve and this model law sets cybersecurity customs for insurers to help safeguard consumers.”
Here are five things that people working in and with the insurance industry should know about the NAIC’s Insurance Data Security Model Law and the insurance industry’s ongoing work to get ahead of cyber threats.
The National Association of Insurance Commissioners recently adopted the Insurance Data Security Model Law during a joint meeting of the Executive Committee and Plenary at the end of October, which is the same month dubbed National Cyber Security Awareness Month by the U.S. Department of Homeland Security. (Photo: Shutterstock)
No. 5: The NAIC model law acknowledges the evolving cyber risk landscape.
Adam Hamm served as North Dakota’s elected insurance commissioner from 2007 to 2016. He says cyber risk is as urgent an issue as he ever worked on during that decade as an insurance regulator.
It follows that insurers, agents and brokers face a pressing need not only to protect their own data but also to build products and services that safeguard clients and customers.
Cyber insurance is growing and changing, Hamm said, and regulators need to help drive those conversations.
“The point that we’re at now, with the maturity of the cyber insurance market, is there’s this lack of numbers and data,” Hamm says. “That means (cyber risk) is a tough question to answer, because there aren’t really any spots that are aggregating the hard data — specifically claims data.”
Two years and six drafts later
The NAIC’s Insurance Data Security Model Law progressed through the NAIC Innovation and Technology (EX) Task Force and what is now called the Cybersecurity Working Group, which solicited input from regulators as well as industry and consumer representatives throughout the drafting process.
“We’ve made significant progress on cybersecurity this year and passing this model law creates a platform that enhances our mission of protecting consumers,” said Raymond G. Farmer, NAIC Secretary-Treasurer, South Carolina Insurance Director and chair of the Cybersecurity Working Group.
The NAIC’s Insurance Data Security Model Law defines a “cybersecurity event” as any act that results in unauthorized access to and misuse of a company’s digital records. (Photo: iStock)
No. 4: The NAIC model law is informed by New York State’s cybersecurity requirements for financial companies.
On March 1, New York become the first state in the country to enact a law requiring banks, insurance companies and other financial services institutions to maintain a cybersecurity program.
The law applies to any company regulated by the New York Department of Financial Services (DFS) and was “designed to protect consumers’ private data and ensure the safety and soundness of New York’s financial services industry.”
The law sets into motion minimum cybersecurity requirements that should protect consumers while preventing future cyber breaches. These minimum standards include:
— Controls relating to the governance framework for a robust cybersecurity program, including requirements for a program that is adequately funded and staffed, overseen by qualified management, and reported on periodically to the most senior governing body of the organization;
— Risk-based minimum standards for technology systems including access controls, data protection including encryption, and penetration testing;
— Required minimum standards to help address any cyber breaches, including an incident response plan, preservation of data to respond to such breaches, and notice to DFS of material events; and
— Accountability by requiring identification and documentation of material deficiencies, remediation plans and annual certifications of regulatory compliance to DFS.
New York’s entire financial services community was required to become compliant with the law by the end of August, giving insurance companies there a step up with regard to falling in line with recommendations made in the NAIC’s model law.
A key difference between the New York Department of Financial Services law and the NAIC’s proposed legislation is that the latter would only apply to the insurance industry.
A “model law” is more of a recommendation than a requirement. (Photo: iStock)
No. 3: A NAIC model law is not the same as enacted law.
The NAIC’s Insurance Data Security Model Law creates a framework from which insurance regulators in each state can build their own cybersecurity rules. As a “model law,” it is not legally binding.
Larry Hamilton is leader of the insurance regulatory practice at Mayer Brown, the international law firm based in Chicago that maintains a robust cybersecurity and data privacy practice. Hamilton explains:
“It will only apply to licensees in any given state if it’s enacted into law by the legislature of that state. Furthermore, each state will have the freedom to modify the wording of the model law as it sees fit, if and when it does enact the model law in that state.”
It is possible, though some say unlikely, that the NAIC could move to make its model law part of its national accreditation standards.
In addition to outlining cybersecurity steps for insurance carriers, agents and brokers, the model law also applies to third-party insurance industry business partners. (Photo: iStock)
No. 2: The NAIC model law outlines specific cybersecurity practices for insurance businesses.
Jeff Taft is a financial services regulatory attorney at Mayer Brown.
Taft explains that the NAIC’s model law requires every insurance licensee to maintain a written cybersecurity policy and to implement a risk-based cybersecurity program.
A licensee must also satisfy specific requirements related to its:
- Information security program,
- Risk assessment and management,
- Third party service providers,
- Incident reporting and notification,
- Annual certifications,
- Exceptions and exemptions, and
No. 1: Company boards are expected to take the lead.
The model law outlines a system and sets out a type of checks and balances for any licensee’s information security program by requiring annual program reporting to the board of directors. This report must include recommendations to remedy any potential weak links in the company’s IT security program.
“This concept of reporting up to the board and board oversight is very much a part of the New York Department of Financial Services Cybersecurity Regulation and is also found in the model law,” Hamilton says. “That level of board accountability is quite important.”