The NAIC Cyber Security Model Law Is Ready for Its Debut

September 20, 2017 | Jay D. Kenigsberg | Privacy, Data & Cyber Law

The National Association of Insurance Commissioners (NAIC) has advanced its Insurance Data Security Model Law (“Model Law”) for likely adoption at its annual Fall National Meeting this December.

The purpose of the new Model Law will be to improve the insurance sector’s ability to respond to cyber incidents. The “insurance sector” includes insurers, agents and brokers, basically any entity licensed under a state’s insurance laws.

The Model Law was developed contemporaneously with the New York Department of Financial Services Regulation 500, which became effective March 31, 2017. If adopted by member states, it requires a written information security program to protect sensitive data, an annual compliance certification and a data recovery plan with a 72-hour breach notification (only when unauthorized access to information has occurred).

Under the Model Law, targeted entities must adopt a cyber security program based on the entity’s risk assessment. The cyber security program will, therefore, differ from company to company based on the size of the entity involved, but in each case consideration must be given to access controls, encryption, multi-factor authentication, adequacy of controls of third-party vendors, testing and monitoring, creation of audit trails, and cyber security awareness training for employees.

Smaller companies (entities with fewer than 10 employees) are exempt, as are entities that have complied with HIPAA’s data security requirements.

If NAIC formally adopts the Model Law this December, as it is expected to do, the next step would be for state legislatures to weigh in and determine whether to enact it or something similar.

With today’s increased awareness of cyber threats, incidents and damages, most states are expected to adopt the Model Law. This may not have as great an impact in New York as it will in other states because companies doing business in New York are already addressing cyber security under New York’s Regulation 500.

In anticipation of widespread adoption of the Model Law, nationwide insurers should examine the requirements now so that their legacy systems and procedures can be made compliant in a cost-effective and timely manner.
