The insurance industry and financial services sector are subject to some of the most recent and comprehensive data privacy and protection laws and regulations in the United States. Insurance regulators across the country have taken note of high-profile breaches involving U.S. insurers and have made cybersecurity and consumer data protection a top priority. As a result, some states have developed comprehensive cybersecurity laws and regulations that apply specifically to the insurance or financial services industries.
The New York Department of Financial Services' landmark Cybersecurity Regulation for insurance companies and financial institutions was adopted in 2017 and has since taken full effect. The rule requires insurance companies, banks, and other financial services companies regulated by the New York DFS to adhere to strict standards to protect consumers from cyber threats.
The rule implements a host of requirements, including the creation and documentation of a periodic Risk Assessment, which regulators use to evaluate an entity's cybersecurity policies, and an annual certification of compliance filed with the Department. The assessment must include how identified risks will be evaluated; how the entity's systems and controls will be evaluated for adequacy; and how risks will be either accepted or mitigated. Another key requirement of New York's regulation is the establishment of a Cybersecurity Policy.
The Cybersecurity Policy should be developed based on the Risk Assessment, and must be approved by the company’s Board of Directors, or board committee, as appropriate. The Policy is the company’s statement of how it will protect data. There are required elements of the Policy, including software protections, physical safeguards, training requirements, and breach response plans. The decision-making process behind the development of the policy, and any subsequent amendments, should be well documented because, like the Risk Assessment, the Cybersecurity Policy can be reviewed by regulators and their examiners.
Companies must have written policies for ensuring that third-party service providers do not compromise data. The policies must include guidance for identifying risks posed by third-party service providers, minimum standards that contractors must adopt, guidance for selecting contractors, and guidance for the periodic evaluation of service providers.
Although planning for cybersecurity breaches is implicit in the requirements, there is a specific requirement for a written Incident Response Plan. The plan must be prepared in advance based on the Risk Assessment, and should describe the procedures personnel will follow, the roles and responsibilities of those involved, and the steps taken to remediate or mitigate the harm caused. There is also a requirement to notify the Superintendent of the New York DFS of certain types of cybersecurity events within 72 hours; although important, this is not a blanket requirement to report every incident. If the entity must report the event to another government agency or supervisory body, such as the Financial Industry Regulatory Authority or another insurance department, then notice must also be provided to the Superintendent of the New York DFS. Other events must be reported only if there is a "reasonable likelihood of material harm" to the entity's normal operations.
In early 2016, the National Association of Insurance Commissioners (NAIC) began drafting the Insurance Data Security Model Law. The model was adopted by the NAIC in October 2017 following extensive deliberations and input from state insurance regulators, consumer representatives, and the insurance industry. State adoption of the model is critical for state insurance regulators to have the tools they need to better protect sensitive consumer information.
The New York Cybersecurity Regulation had a significant impact on the development of the NAIC Model. The Model requires insurers and other entities licensed by a state department of insurance to develop, implement, and maintain an Information Security Program (ISP). Licensees must also investigate cybersecurity events in accordance with the Model's requirements and notify the state's insurance commissioner of qualifying cybersecurity events.
The ISP must contain administrative, technical, and physical safeguards for the protection of non-public information and the licensee’s information security system. The ISP should also be commensurate with the size and complexity of the licensee, the nature and scope of the licensee’s activities, including its use of third-party service providers, and the sensitivity of the non-public information used by the licensee or in the licensee’s possession, custody or control. The ISP must be developed and maintained based on an ongoing internal risk assessment.
Alabama, Connecticut, Delaware, Michigan, Mississippi, New Hampshire, and Ohio now join South Carolina as early adopters of the NAIC Model.
It is important to note that, since each state will likely adopt its own version of the NAIC model, the New York Cybersecurity Regulation, or some variant of the two, we can expect to see variation between state requirements over the next several years. Companies will need to decide how best to approach compliance with potentially inconsistent requirements.
In that regard, companies must have robust compliance protocols in place to stay abreast of new and developing laws, so that they can build a culture of compliance and meet required implementation deadlines. In addition, given the ever-evolving U.S. regulatory landscape, companies should begin implementing internal cybersecurity measures before their regulators adopt new requirements.
To that end, companies can look to legal and regulatory schemes like the New York DFS Cybersecurity Regulation, the CCPA, and the NAIC Model as examples of the requirements they will likely face in the future.
Companies should conduct an annual risk assessment and use it to inform their written cybersecurity policies and procedures. The written guidelines must include how identified risks will be evaluated, how the adequacy of the entity's systems and controls will be judged, and how risks will be either accepted or mitigated. The assessment should be a meaningful review of the company's cyber resiliency, not a paper exercise; done right, it helps an entity understand its vulnerabilities and plan accordingly. Key areas the cybersecurity program must cover include software protections, physical safeguards, training, and breach response plans.
Insurance company boards must be involved in their companies’ cybersecurity and data privacy activities and must go beyond merely “check-the-box” compliance. Cybersecurity risk is quickly morphing into enterprise risk, which creates the need for a whole-company approach. This means that cybersecurity is not just a problem for the company’s IT department—today, it is everyone’s problem, especially the board.
This article was originally published in the Winter 2020 edition of the Demotech Difference (www.demotech.com).