NAIC has proposed a cybersecurity law for insurance companies but states have been slow to adopt it.

The "Insurance Data Security Model Act," a significant initiative of the National Association of Insurance Commissioners (NAIC) in response to concerns about cybersecurity and the result of more than a year and a half of drafting work, was completed in October 2017 to be ready to roll out to states during the 2018 legislative sessions.

It wasn't clear at the start of the sessions how many states would adopt or even introduce the bill during the first year after its development, and two months into the session only a handful of states had shown indications of meaningful legislative action in 2018. Regulators in South Carolina and Rhode Island who had led the model law development process at the NAIC were the first ones to seek its introduction.

The model establishes standards for insurers and other licensees of insurance departments for the creation and oversight of a program to protect sensitive consumer information and sets out requirements for licensees to provide information to insurance commissioners both annually and in the event of a defined cybersecurity event.

Working group's capstone event

The model's adoption is somewhat of a capstone event for the NAIC's Cybersecurity Working Group, which was formed as a task force reporting to the NAIC's Executive Committee in November 2014. At the time it was established, the task force had a rather unambitious agenda. Its duties were to monitor issues, collect information, and make undefined recommendations to the Executive Committee. The group's focus was intensely sharpened, however, in January 2015 when health insurer Anthem revealed it had experienced a breach that affected some 80 million consumers, putting insurance regulators on notice that insurance companies were prime targets of hackers.

The task force soon entered a period of swift activity that is not the norm for NAIC proceedings. It started issuing quickly developed products, offering interested parties short time frames to weigh in with comments suggesting modifications. It started by developing a set of regulatory principles and then moved on to a so-called "bill of rights" that consumers could or should expect in the wake of a breach affecting information held by an insurance company. Whether the document should describe rights under existing law as opposed to aspirations that might be addressed in a model became the point of significant contention, and it was modified and retitled as a "roadmap" for consumer expectations meant to be fulfilled by laws that would be enacted.

The first draft of the model — addressing both data security requirements as well as describing a new breach response protocol including consumer notification requirements — was released for comment in March 2016 and interested parties were given 21 days to submit comments, a process that resulted in 128 pages of commentary citing a wide range of issues with the draft.

Modifications addressing a number of issues raised by NAMIC and other interested parties were made in the next draft, but there were still many matters that needed to be worked through, necessitating first a two-day session of in-person meetings and subsequently the formation of a drafting group of regulators and interested parties that convened in November 2016. NAMIC participated in both forums, advocating for changes to make the model more risk-based and flexible to recognize the diversity of licensees to which it would apply, as well as feasible and workable from a compliance perspective.

New York weighs in

Meanwhile, the New York State Department of Financial Services had been focusing on cybersecurity issues and had developed a proposed regulation to establish standards for all financial services entities under its jurisdiction. Initially, the New York initiative was viewed as problematic by some concerned about the complications that would arise from various states adopting differing measures in this area rather than following a model law approach. However, once the initiative was adopted in final form in March 2017, regulators involved in the NAIC project started to think about whether the New York regulation might serve as a model for the model law.

Another significant development that took place around the same time, one that NAMIC supported, was the advancement of the idea of bifurcating the model's data security requirements from the insurance-only security breach content to focus on the former in recognition of many areas of disagreement surrounding the latter. That idea and the notion of incorporating aspects of the New York regulation were discussed at the NAIC's Spring National Meeting, and the draft that was issued following that meeting was not far from the ultimate final version.

Substantive changes were being made right up until the last minute before the model's adoption. One late addition was a drafting note stating that the drafters of the model intend that compliance with New York's regulation constitutes compliance with the NAIC model. It is unclear how that provision will affect the implementation and application of the model law in practice.

Key elements

Among the key elements of the model law are the following:

  • It would require licensees to develop, implement, and maintain a comprehensive written Information Security Program and to designate someone to be responsible for the system.
  • It would require a risk assessment of policies, procedures, and safeguards in areas including employee training and system design; implementation of safeguards to address identified threats; and an annual assessment, as well as mitigation, of identified risks.
  • It calls for the involvement of the organization's board through an annual report regarding the status of the program.
  • It requires licensees to "exercise due diligence" in selecting third-party service providers.
  • It requires submission of an annual certification of compliance to the licensee's domestic commissioner and documentation of remedial efforts to respond to identified issues.
  • It requires licensees to promptly investigate any cybersecurity event to determine its nature and scope, to identify nonpublic information that may have been involved, and to take steps to restore security; records regarding such events must be kept for five years.
  • It requires licensees to notify the commissioner "as promptly as possible but in no event later than 72 hours" after it has been determined that a cybersecurity event has occurred. Such notice must include as much information as possible from a specified list (when, how, and who, for example), and the licensee has an ongoing obligation to send updated information to the commissioner.
  • It provides confidentiality protection to information in the control or possession of the department.

Unanswered questions

Although the development of the model law has been completed, there are several key questions that have never been answered. One is whether there is a need or appetite for a state law that applies only to insurance entities, as opposed to laws that apply to all business entities. During the drafting process, when the draft still contained extensive new security breach protocols for insurance licensees, several insurance commissioners expressed skepticism about the prospect of introducing such a bill in their respective states.

Another important issue is whether the NAIC will make the model law an accreditation requirement, meaning it would have to be enacted in a sufficiently similar manner in each state. While insurers and regulators alike have cited enhanced consistency and uniformity as a goal of the model law initiative, it is not certain that the accreditation program is an appropriate means of achieving that goal. Although a cybersecurity event can affect an insurer's financial situation, the model law is not a financial model law in the normal sense of other NAIC accreditation requirements.

As the model law is introduced in state legislatures, it is sure to be subject to proposed amendments by interested parties. One thing that NAMIC and others advocated for, but that was left out of the model, was language specifying that the law would represent the exclusive cybersecurity standards for the licensees to which it applies, to eliminate the potential for conflicting or inconsistent standards. Additionally, while the model contains confidentiality language to protect information submitted by a licensee to an insurance department following a breach, there will be efforts to strengthen its provisions to be more consistent with other NAIC model laws in this area.

Paul Tetrault is state and policy affairs counsel for the National Association of Mutual Insurance Companies.
