The NAIC's Insurance Data Security Model Law has been well received at the federal level, with the Department of the Treasury strongly endorsing it and recommending that Congress consider adopting federal legislation. (Illustration: Stuart Briers for ALM Media)

In October 2017, the NAIC adopted an Insurance Data Security Model Law that builds on existing data privacy and consumer breach notification obligations. The Model Law requires every insurance licensee in a state (unless they qualify for an exemption) to maintain a written cybersecurity policy and implement a risk-based cybersecurity program. The Model Law also requires a licensee to satisfy specific requirements related to:

  • Risk assessment and management;
  • Oversight of third-party service providers;
  • Incident reporting, investigation and notification;
  • Annual certification; and
  • Exceptions (if eligible).

In the United States, the business of insurance is regulated primarily at the state level. That means that the Model Law will not actually apply to a licensee unless and until it is enacted into law by a jurisdiction where that licensee is licensed.

© 2024 ALM Global, LLC, All Rights Reserved.