On October 24, 2017, following an 18-month deliberative process, the U.S. National Association of Insurance Commissioners (NAIC) voted to approve the Insurance Data Security Model Law (Cyber Model Law). The law, which establishes standards for data security and for the investigation and notification of cybersecurity events in the insurance industry, will become effective in a given state once that state adopts it.
The Cyber Model Law requires each insurer, agent and other entity regulated by a U.S. state insurance department — collectively referred to as licensees — to design and implement an information security program commensurate with the size and complexity of the organisation. The program must protect against threats or hazards to the security, integrity or confidentiality of nonpublic information and information systems, and minimise the likelihood of harm to any consumer.
Key Recommendations Regarding the Cyber Model Law
- Once the Cyber Model Law has been enacted into state law, licensees will have to submit to their domiciliary state insurance commissioner, by February 15 of each year, a written certification of compliance with Section 4 of the Cyber Model Law, which sets out the information security program requirements.
- Licensees should integrate the requirements of the Cyber Model Law into their current information security and compliance programs to allow for a holistic approach to compliance with regulations and the management of cybersecurity risks.
- Similarly, licensees should work to create a logical integration between their cyber risk management program and their broader enterprise risk management program to allow cybersecurity risks to better inform the risk posture of the organisation. This integration can help streamline board reporting and support strategic decision-making.
- Licensees should ensure that they have a good understanding of the effectiveness of their control environment across all lines of business, in addition to a well-documented policy and procedure library. This will allow licensees to provide meaningful evidence of compliance to internal and external stakeholders.
The Cyber Model Law and New York’s Cybersecurity Regulation
The Cyber Model Law and the New York Department of Financial Services (NYDFS) cybersecurity regulation (Part 500), which went into effect on March 1, 2017, are similar in many ways. Indeed, a drafting note to the Cyber Model Law states that the intent is for a licensee in compliance with the NYDFS regulation to also be in compliance with the law. However, licensees also subject to the NYDFS cybersecurity regulation should take care to ensure that they can comply with all of the Cyber Model Law requirements. Initial considerations should include the following:
- Both the Cyber Model Law and the NYDFS cybersecurity regulation require discrete, top-down enterprise cybersecurity risk assessments. Careful consideration should be given to the design and execution of these assessments, as they are foundational, rather than complementary, to the subsequent requirements of each regulation.
- The Cyber Model Law, like the NYDFS cybersecurity regulation, requires licensees to implement a cybersecurity program that manages the risks facing their nonpublic information. Covered entities of the NYDFS cybersecurity regulation can look to the Cyber Model Law to inform the development of their cyber risk management and cybersecurity program as required by NYDFS Part 500.02.
- The Cyber Model Law and the NYDFS cybersecurity regulation both take risk-based approaches to the controls they require of licensees and covered entities. Organisations subject to these rules should document clear connections between the decisions made regarding cybersecurity controls and the risk assessment required by Section 4 of the Cyber Model Law and Part 500.09 of the NYDFS cybersecurity regulation.
Overview of the Cyber Model Law
The requirements of the Cyber Model Law are centred on a written information security program that is to contain administrative, technical and physical controls for the protection of nonpublic information. These controls are to be developed, implemented and maintained by each licensee.
This program, as defined by the Cyber Model Law, is to include the following capabilities.
Each licensee will need to conduct, at least annually, an information security risk assessment to identify the reasonably foreseeable internal or external threats that could result in the compromise of nonpublic information held within the licensee's information systems or accessible to, or held by, third-party service providers. This risk assessment will need to accomplish the following:
- Assess the likelihood and potential damage of threats to the organisation’s information and systems, taking into account the sensitivity of the data held therein.
- Assess the sufficiency of policies, procedures, controls and other safeguards in place to manage these threats, including the annual effectiveness assessment of key controls, systems and procedures.
- Inform the implementation of modified or additional controls to manage the threats identified in the assessment.
Informed by its information security risk assessment, a licensee will need to determine which of the security measures enumerated in Section 4 of the Cyber Model Law are appropriate to implement in order to manage its risk posture effectively.
Whichever of those security measures the licensee selects, they will need to be implemented in addition to the following required measures:
- Third-party service provider due diligence and security control requirements
- Defined and periodically re-evaluated nonpublic information retention schedule, including a mechanism for the destruction of nonpublic information that is no longer necessary to retain
- Monitoring, evaluation and adjustment, as appropriate, of the information security program consistent with any changes in technology, data sensitivity, threat landscape or business environment
Enterprise Risk Management and Board Oversight
A licensee will need to integrate the results of its risk assessment into its broader enterprise risk management processes.
Additionally, if the licensee has a board of directors, the board or an appropriate board committee must require executive management or its delegates to develop, implement and maintain the information security program and report in writing at least annually the overall status of the information security program and its compliance with the Cyber Model Law, including:
- Risk assessment results
- Risk management and control decisions
- Third-party service provider arrangements
- Monitoring and testing results
- Cybersecurity events and responses
- Recommendations for changes in the information security program
Cyber Incident Identification, Response and Notification
Each licensee is required to have a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event that compromises the confidentiality, integrity or availability of its nonpublic information.
In addition, if a licensee learns that a cybersecurity event has or may have occurred, it will need to conduct an investigation to determine whether an event has in fact occurred, the nature and scope of the event, and the data involved.
The licensee should then take reasonable steps to restore the security of the compromised systems in order to prevent additional compromise.
Each licensee will be required to notify the state insurance commissioner no later than 72 hours after determining that a cybersecurity event has occurred. It is also required to maintain records concerning all cybersecurity events for no less than five years.
Annual Certification to Commissioner of Domiciliary State
Each insurer will be required to submit to its domiciliary state insurance commissioner, by February 15 of each year, a written statement certifying that the insurer is in compliance with the requirements set forth in Section 4 of the Cyber Model Law (the information security program). Each insurer must maintain all records, schedules and data supporting the certification, available for examination by the insurance department, for a period of five years.
Any areas, systems or processes identified by the insurer that require material improvement, updating or redesign should be documented by the insurer with the remediation efforts planned and underway to address such areas, systems or processes. Such documentation must be available for inspection by the insurance commissioner.
As under the NYDFS cybersecurity regulation, the risk assessment is foundational to the Cyber Model Law. Regulators will be looking for a comprehensive information security risk assessment that informs the administrative, technical and physical controls protecting nonpublic information, including a written incident response plan. It is important for insurers to show that the results of the risk assessment have been properly integrated into the organisation's broader enterprise risk management program. Given its importance, appropriate attention should be given to designing the risk assessment and ensuring its thorough and efficient execution.
The individual, or group of individuals, charged with certifying the insurer's compliance with the cybersecurity regulations must be able to review sufficient written evidence and documentation to properly certify the firm's compliance. To do this effectively, entities need to ensure sound record keeping and continuous monitoring of the implementation and ongoing maintenance of the firm's cybersecurity program.
The authors wish to thank Protiviti’s Steve Massengill for his significant contribution to this paper.