The NAIC is a standard setting and regulatory support organization consisting of the top insurance regulators from the 50 states, District of Columbia, and five U.S. territories.
The model law applies to “licensees” which are defined as persons and nongovernmental business entities subject to the insurance laws of the state adopting the model law.
In Pennsylvania, for example, this would encompass insurance companies and insurance producers (i.e., agents, agencies and brokers). Notably, this applies to nonresident licensees except for purchasing groups, risk retention groups or when acting as assuming insurer.
For example, a broker resident in a state that has not adopted the model law, is potentially subject to the model law if they are also licensed in another state that has adopted the model law. Thus, it will be important to track what states enact the model law and also how uniformly the model law is enacted state to state.
The intent of the model law is to establish standards for data security, the investigation of cybersecurity events and notification of the commissioner of cybersecurity events. In order to understand how the model law attempts to meet those objectives it is necessary to understand how the model law has defined the different elements that are involved in cybersecurity.
A cybersecurity event is defined as “an event resulting in unauthorized access to, disruption or misuses of, an information system or information stored on such information system.” Information system is defined broadly as “a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information …” and expressly includes “specialized systems such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems.”
This broad definition encompasses both traditional computer networks and devices, but also other machines that fall under the rubric “the internet of things” and systems such as HVAC systems which have been the entry point for hackers in notable data breaches. Information security program means “the administrative, technical and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of or otherwise handle nonpublic Information.”
Nonpublic information is defined more broadly than most data breach notification laws and includes business related information of the licensee the disclosure of which could cause a material adverse impact on the licensee’s business, operations or security. Nonpublic information also includes any information about a consumer which can be used to identify the consumer in combination with any one or more of Social Security number, driver’s license or other identification number, account number, credit or debit card number, security code, access code or password to a financial account, or biometric records.
Nonpublic information also includes any data other than age and gender derived from a health care provider or the consumer related to the consumer’s past, present or future physical, mental, or behavioral health or condition or that of the consumer’s family. Publicly available information means any information that a licensee has a reasonable basis to believe is lawfully made available to the general public from federal, state or local government records; widely distributed media; or, disclosures to the general public required by federal, state, or local law.
Written security program required
The model law requires licensees to implement a comprehensive written information security program based on the licensees’ risk assessment. As part of the information security program the licensee must designate an individual (who can come from a third party) to be responsible for the information security program.
The risk assessment must:
- identify reasonably foreseeable internal and external threats to nonpublic information including any information systems or nonpublic information that are controlled or accessible by third-party service providers;
- assess the likelihood and severity of damage by these potential threats;
- assess the sufficiency of existing policies, procedures, and technology in place to protect against such threats; and
- implement information safeguards to manage the identified threats and at least annually assess their effectiveness.
The model law puts special emphasis in assessing the licensees’ policies, procedures, information systems and safeguards with respect to:
- employee training and management;
- information systems including information classification, governance, processing, storage, transmission and disposal; and
- detecting, preventing, and responding to attacks, intrusions, or other system failures.
Continuing risk management
The model law also mandates that licensees perform continuing risk management with respect to cybersecurity issues. A licensee, commensurate with its size and complexity of activities, shall design its information security programs to mitigate the risk identified in the risk assessment.
At a minimum a licensee must evaluate the appropriateness of implementing 11 enumerated security measures including implementing access controls with authentication on information systems, restricting access at physical locations with nonpublic information, encryption and to regularly test and monitor systems and procedures to identify actual and attempted attacks or intrusions.
Licensees must also include cybersecurity risks in their enterprise risk management process, stay informed regarding emerging threats and vulnerabilities, and provide its personnel with cybersecurity awareness training as necessary to reflect risks identified in the risk assessment.
The model law also mandates oversight of the information security program by a licensee’s board of directors, if applicable. Other responsibilities include oversight of third-party service providers, ongoing monitoring, evaluation, and adjustment as necessary of the information security program, establishment of a written incident response plan and annual certification of compliance with Section 4 to the (insurance) commissioner.
Required investigation & notification
The model law also contains detailed provisions regarding the investigation of and notification regarding cybersecurity events. Licensees must investigate whenever there is or may have been a cybersecurity event. The investigation can be performed by an outside vendor on behalf of the licensee.
There are separate notification requirements for the commissioner, consumers and reinsurers. The commissioner also has the authority to investigate licensees’ compliance with the model law and to take action to enforce the model law.
Importantly, the model law provides for confidentiality of information provided pursuant to a licensee’s annual certification under Section 4(I) and much of the information that must be reported to the commissioner following a cybersecurity event under Section 6, and investigations under Section 7.
The model law expressly provides that these documents are not subject to freedom of information act or similar laws, subpoenas or discovery in civil actions and are inadmissible in civil actions.
The commissioner is authorized to use such documents as necessary in any action or proceeding it institutes to enforce the model law under Section 7. There is an exception for licensees with fewer than 10 employees, including independent contractors, and individual licensees who are covered by the information security program of another licensee.
In addition, licensees subject to HIPPA that have established and maintain information security programs pursuant to HIPPA are deemed to be in compliance with Section 4. In Section 10 the model law contemplates penalties for noncompliance in accordance with the enacting state’s general penalty statute. Section 11, which is noted as optional allows for the implementation of additional rules and regulations necessary to carry out the provisions of the model law.
N.Y. cybersecurity rules
The model law is similar, but not identical, in structure and scope to New York’s recent cybersecurity rules applicable to banks, insurance companies and other financial services companies, 23 NYCRR 500 (N.Y. cyber rules). The model law contains a drafting note indicating it is the drafters’ intent that if a licensee is in compliance with the N.Y. cyber rules then the licensee is in compliance with the model law.
Like the N.Y. cyber rules the model law is based on a risk assessment or risk management approach to cybersecurity. This approach is widely regarded as a best practice in terms of approach to cybersecurity. What is still very much in question is the ability of regulations of this type to actually improve cybersecurity. As both the model law and N.Y. cyber rules tacitly acknowledge there is no perfect answer or approach to cybersecurity.
Security measures necessary and appropriate for large companies will often not fit smaller companies and vice versa. Examples include the frequency and sophistication of penetration and other testing methods and the scope and intensity of employee training. Further, it is widely accepted by security experts that everybody is vulnerable no matter how rigorous their cybersecurity is. Can regulations effectively improve cybersecurity in this type of risk environment? We shall see.
Another critical hurdle facing the model law that will greatly impact how effective it is in improving cybersecurity, is how widely and uniformly it is adopted by states. These are issues that often plague model laws regardless of subject and there are numerous examples of limited adoption, lack of uniformity of adoption, or both in existing model laws. Penalties and enforcement are another area that could potentially vary greatly state to state.
The NAIC looks to have come up with a fairly balanced approach to cybersecurity regulation and companies large and small would be wise to follow many of the processes and procedures required by the model law. But there are many open questions surrounding the model law the answers to which will determine its success at improving cybersecurity in the insurance industry and as a model for other industries to follow.
Christopher M. Brubaker (firstname.lastname@example.org) of Clark Hill concentrates his practice in complex commercial litigation and insurance matters. He regularly provides advice to companies on insurance and cyberrisk issues related to transactions and risk management and also advises companies on regulatory matters involving insurance and environmental laws, rules and regulations. He frequently speaks and writes on cybersecurity matters for legal and professional groups.