In a year punctuated by high-profile, costly information-security breaches, at least one headline served as a reminder that people — not machines, software, programming or algorithms — are often the weakest link when it comes to cybersecurity.

Two months ago, news outlets in Colorado reported that a local chiropractor's discarded patient files showed up in an unsecured alley dumpster. The paper records included individuals' names, addresses, Social Security numbers, insurance information and health history.

"You think (your private information) is going to be secure," one of the people impacted by the event told Denver's Fox31 news. "… Not left out in an alley for people to get at, look at, and possibly commit fraud or whatever with your Social Security number and valuable information."

Leaving such sensitive information out in the open may seem shortsighted and negligent to risk-averse insurance industry professionals. But some IT experts argue that in cyberspace, failing to apply a routine software patch, which was reportedly the cause of this year's milestone Equifax breach, is basically the same as leaving the door to a company's digital storage closet wide open.

This much we know

Cybersecurity has risen to be among the top finance and insurance industry concerns. The number and types of cyber threats are expected to multiply quickly, along with the already-staggering losses related to such events.

Members of the National Association of Insurance Commissioners (NAIC) recognized the rising need for guidance around cybersecurity insurance regulation in 2014 and 2015, when they formed and populated a Cybersecurity Task Force.

"It had become pretty apparent that regulators needed to take a deep dive with respect to what the cyber security framework was or wasn't in the insurance space," says Adam Hamm. The former NAIC president helped found the organization's Cybersecurity Task Force, and now serves as a managing director at the international business consultancy Protiviti.

Regulators bear fruit

In October, NAIC members adopted an Insurance Data Security Model Law to provide guidance for carriers, agents, brokers and their business partners with regard to data security, investigation and breach notification.

"Considering the recent series of data breaches, cybersecurity is more important now than ever," Ted Nickel, NAIC president and Wisconsin Insurance Commissioner, said in a press release about the model law. "Regulators have a critical role to play in protecting consumers as the cyber landscape continues to evolve and this model law sets cybersecurity customs for insurers to help safeguard consumers."

Here are five things that people working in and with the insurance industry should know about the NAIC's Insurance Data Security Model Law and the insurance industry's ongoing work to get ahead of cyber threats.

The National Association of Insurance Commissioners adopted the Insurance Data Security Model Law during a joint meeting of the Executive Committee and Plenary at the end of October, the month the U.S. Department of Homeland Security designates National Cyber Security Awareness Month. (Photo: iStock)

No. 5: The NAIC model law acknowledges the evolving cyber risk landscape.

Adam Hamm served as North Dakota's elected insurance commissioner from 2007 to 2016. He says cyber risk is as urgent an issue as any he worked on during that decade as an insurance regulator.

It follows that insurers, agents and brokers face a pressing need not only to protect their own data but also to build products and services that safeguard clients and customers.

Cyber insurance is growing and changing, Hamm says, and regulators need to help drive those conversations.

"The point that we're at now, with the maturity of the cyber insurance market, is there's this lack of numbers and data," Hamm says. "That means (cyber risk) is a tough question to answer, because there aren't really any spots that are aggregating the hard data — specifically claims data."

Two years and six drafts later

The NAIC's Insurance Data Security Model Law progressed through the NAIC Innovation and Technology (EX) Task Force and what is now called the Cybersecurity Working Group, which solicited input from regulators as well as industry and consumer representatives throughout the drafting process.

"We've made significant progress on cybersecurity this year and passing this model law creates a platform that enhances our mission of protecting consumers," said Raymond G. Farmer, NAIC Secretary-Treasurer, South Carolina Insurance Director and chair of the Cybersecurity Working Group.

The NAIC's Insurance Data Security Model Law defines a "cybersecurity event" as an event that results in unauthorized access to, or misuse of, a company's information systems or the data stored on them. (Photo: iStock)

No. 4: The NAIC model law is informed by New York State's cybersecurity requirements for financial companies.

On March 1, New York became the first state in the country to put in force a regulation (23 NYCRR Part 500, issued by the Department of Financial Services) requiring banks, insurance companies and other financial services institutions to maintain a cybersecurity program.

The regulation applies to any company regulated by the New York Department of Financial Services (DFS) and was "designed to protect consumers' private data and ensure the safety and soundness of New York's financial services industry."

The regulation sets out minimum cybersecurity requirements intended to protect consumers and reduce the likelihood of future breaches. These minimum standards include:

— Controls relating to the governance framework for a robust cybersecurity program, including requirements for a program that is adequately funded and staffed, overseen by qualified management, and reported on periodically to the most senior governing body of the organization;

— Risk-based minimum standards for technology systems, including access controls, data protection including encryption, and penetration testing;

— Required minimum standards to help address any cyber breaches, including an incident response plan, preservation of data to respond to such breaches, and notice to DFS of material events; and

— Accountability, by requiring identification and documentation of material deficiencies, remediation plans and annual certifications of regulatory compliance to DFS.

New York's entire financial services community was required to comply with the regulation's first set of requirements by the end of August (further provisions phase in over the following 18 months), giving insurance companies there a head start on falling in line with the recommendations made in the NAIC's model law.

A key difference between the New York DFS regulation and the NAIC's model law is that the latter applies only to the insurance industry.

A "model law" is more of a recommendation than a requirement. (Photo: iStock)

No. 3: A NAIC model law is not the same as enacted law.

The NAIC's Insurance Data Security Model Law creates a framework from which insurance regulators in each state can build their own cybersecurity rules. As a "model law," it is not legally binding on its own.

Larry Hamilton leads the insurance regulatory practice at Mayer Brown, the international law firm based in Chicago that maintains a robust cybersecurity and data privacy practice. Hamilton explains:

"It will only apply to licensees in any given state if it's enacted into law by the legislature of that state. Furthermore, each state will have the freedom to modify the wording of the model law as it sees fit, if and when it does enact the model law in that state."

It is possible, though some say unlikely, that the NAIC could move to make its model law part of its national accreditation standards, which would push states to adopt it in order to keep their accreditation.

In addition to outlining cybersecurity steps for insurance carriers, agents and brokers, the model law also reaches third-party service providers, whose security practices licensees are required to assess and oversee. (Photo: iStock)

No. 2: The NAIC model law outlines specific cybersecurity practices for insurance businesses.

Jeff Taft is a financial services regulatory attorney at MayerBrown.

Taft explains that the NAIC's model law requires every insurance licensee to maintain a written cybersecurity policy and to implement a risk-based cybersecurity program.

A licensee must also satisfy specific requirements related toits:

  • Information security program,
  • Risk assessment and management,
  • Third party service providers,
  • Incident reporting and notification,
  • Annual certifications,
  • Exceptions and exemptions, and
  • Confidentiality.

A complete draft of the model law is available to review on the NAIC's website. (Photo: iStock)

No. 1: Company boards are expected to take the lead.

The model law outlines a system of checks and balances for any licensee's information security program by requiring annual program reporting to the board of directors. This report must include recommendations to remedy any potential weak links in the company's IT security program.

"This concept of reporting up to the board and board oversight is very much a part of the New York Department of Financial Services Cybersecurity Regulation and is also found in the model law," Hamilton says. "That level of board accountability is quite important."

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.

Elana Ashanti Jefferson

Elana Ashanti Jefferson serves as ALM's PropertyCasualty360 Group Chief Editor. She is a veteran journalist and communications professional. Reach her by sending an e-mail to [email protected].