Background and Executive Summary

by Chandu C. Patel, FCAS, MAAA, Rusty Kuehn, FCAS, MAAA, and Kim Piersol, FCAS, MAAA

The NAIC is working to develop an Insurance Data Security Model Law to establish standards for data security. This includes establishing standards for investigating a data breach and providing requirements for notifying regulators and consumers. The earlier NAIC Roadmap for Cybersecurity Consumer Protections and Principles for Effective Cybersecurity: Insurance Regulation Guidance guided the drafting of the Insurance Data Security Model Law.

A summary of the major components of the current version of the draft Model Law is as follows:

  • The Licensee is required to develop and maintain a comprehensive written Information Security Program. This Program must be designed based on a comprehensive risk assessment and it should be tailored to manage the risks that are identified through the risk assessment.
  • The Board of Directors will maintain oversight of the program.
  • If the program is developed and maintained by a third party, due diligence of the third-party provider is required.
  • A written incident response plan must be developed to respond to and recover from a Cybersecurity Event.
  • An annual certification must be produced for the Commissioner of the domiciliary state.
  • When a Cybersecurity Event occurs, an investigation must be conducted. The Model Law describes what needs to be investigated and specifies the requirements about how the Commissioner must be notified of the Cybersecurity Event.
  • The Model Law also describes the power of the Commissioner to investigate the Licensee for any violations of the act.

The remainder of this article provides highlights of important sections of the current version of the Model Law.

To keep up with the NAIC cybersecurity efforts, please refer to http://www.naic.org/cipr_topics/topic_cyber_risk.htm. It contains a detailed summary of NAIC actions to ramp up cybersecurity efforts with links to all published material. In addition, the page discusses cyber risk management and cyber liability policies.

Sections 1 & 2 Title and Purpose and Intent

The NAIC Cybersecurity (EX) Working Group has proposed an Insurance Data Security Model Law to establish the standards for data security. This Model Law also addresses the investigation of a breach of data security resulting in a Cybersecurity Event and the notification of the Commissioner of the domiciliary state. The Model Law is in its 6th version as of August 3, 2017.

Section 3 Definitions

The cybersecurity terms used throughout the Insurance Data Security Model Law are defined in this section of the Model Law.

Section 4 Information Security Program

The Licensee should develop, implement, and maintain a comprehensive written Information Security Program. This program is based on the Licensee’s risk assessment of the protection of Nonpublic Information and the Licensee’s Information System. The standards for the program differ for each Licensee, commensurate with its size and complexity, the nature and scope of its activities, and the sensitivity of the Nonpublic Information it uses or holds in its custody or control.

The objectives of the Information Security Program are to:

  • Protect the security and confidentiality of Nonpublic Information as well as the security of the Information System
  • Protect against threats to the security or integrity of Nonpublic Information and the Information System
  • Protect against unauthorized access to Nonpublic Information, and minimize the likelihood of harm to any consumer
  • Define and periodically reevaluate a schedule for retention of Nonpublic Information and its destruction when no longer needed

Risk Assessment

The Licensee should designate one or more employees, an affiliate, or an outside vendor to act on behalf of the Licensee as the party responsible for the Information Security Program.

This entity will identify foreseeable internal and external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration or destruction of Nonpublic Information. This includes the security of Information Systems and Nonpublic Information of Third-Party Service Providers.

The Licensee will assess the likelihood and potential damage of the threats based on consideration of the sensitivity of Nonpublic Information.

The Licensee will assess the adequacy of the policies, procedures, Information Systems and other safeguards in place to manage those threats, including consideration of the threats in each relevant area of its operations. Those areas include employee training and management; information systems (including network and software design, information classification, governance, processing, storage, transmission and disposal); and detecting, preventing, and responding to attacks, intrusions, or other systems failures.

Safeguards must be implemented to manage the identified threats, and their effectiveness must be assessed at least annually. A summary of the assessment is to be included in the annual report.

Risk Management

Based on its risk assessment, the Licensee must design the Information Security Program to manage the risk. The identified risks are to be mitigated commensurate with the size and complexity of the Licensee’s activities, its use of Third-Party Service Providers, and the sensitivity of the Nonpublic Information used.

The Licensee should determine which security measures are appropriate and implement them. The measures to be considered include, but are not limited to, the following:

  • Place access controls on the Information System
  • Identify and manage the data, personnel, devices, systems, and facilities that enable the organization to achieve its business purposes, according to their importance to the business objectives and risk strategy
  • Restrict access at physical locations containing Nonpublic Information to authorized individuals
  • Protect all Nonpublic Information while being transmitted over an external network and/or stored on a laptop, portable computer, storage device, or other media by encryption or other satisfactory means
  • Adopt secure development practices for in-house applications and procedures for evaluating, assessing and testing the security of externally developed applications
  • Modify the Information System in accordance with the Licensee’s Information Security Program
  • Utilize effective controls on any individual accessing Nonpublic Information which may include multi-factor authentication procedures
  • Regularly test and monitor systems and procedures to detect actual and attempted attacks on Information Systems
  • Include audit trails within the Information Security Program intended to detect and respond to Cybersecurity Events and designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the Licensee
  • Implement measures to protect against destruction, loss, or damage of Nonpublic Information due to environmental hazards
  • Develop, implement, and maintain procedures for the secure disposal of Nonpublic Information

The Licensee’s enterprise risk management process should include cybersecurity risks. The Licensee should stay informed of emerging threats and vulnerabilities, and should use reasonable security measures when sharing information, commensurate with the type of information shared and the character of the sharing.

Cybersecurity awareness training must be provided to personnel and updated to reflect risks identified.

Oversight by Board of Directors

The board of directors or an appropriate committee should require executive management or its delegates to develop, implement and maintain the Information Security Program. Executive management should report in writing to the board at least annually on the overall status of the Information Security Program and on compliance with this act. The report must also cover material matters related to the Information Security Program, including risk assessment, risk management, control decisions, results of testing, Cybersecurity Events, and recommended changes to the Information Security Program.

If executive management delegates any of these responsibilities, it must receive a report from the delegate that complies with the requirements of the report to the board of directors.

Oversight of Third Party Service Provider Arrangements

Due diligence needs to be exercised in selecting a Third-Party Service Provider. A Licensee shall also require a Third-Party Service Provider to implement effective administrative, technical, and physical measures to protect and secure the Information Systems and Nonpublic Information that are accessible to, or held by, the Third-Party Service Provider.

Program Adjustments

The Licensee should monitor, evaluate, and adjust the Information Security Program consistent with changes in technology, sensitivity of Nonpublic Information, internal or external threats to information, and changes in the business environment.

Incident Response Plan

Each Licensee must establish a written incident response plan to promptly respond to and recover from any cybersecurity event that compromises the Nonpublic Information, the Information System, or business operations.

The incident response plan must address:

  • Internal processes for responding to a Cybersecurity Event
  • Goals of the incident response plan
  • Definition of clear roles, responsibilities, and levels of decision-making
  • External and internal communications
  • Requirements for remediation of any identified weaknesses in the Information System and associated controls
  • Documentation and report of cybersecurity events and response activities
  • Evaluation of the incident response plan following a cybersecurity event

Annual Certification to Commissioner of Domiciliary State

Each insurer domiciled in the state should submit to the Commissioner, by February 15 of each year, a written statement certifying its compliance with Section 4. All records supporting the statement must be maintained for five years. Where the insurer has identified areas, systems, or processes that require material improvement, it must document that identification and any remedial efforts planned or underway, and keep these documents available for inspection by the Commissioner.

Section 5 Investigation of Cybersecurity Event

When a cybersecurity event occurs, the Licensee must conduct a prompt investigation.

At a minimum, the Licensee should determine as much as possible of the following information:

  • Whether a Cybersecurity Event has occurred
  • The nature and scope of the event
  • Any Nonpublic Information that may have been involved in the event
  • Reasonable measures to be performed, or overseen, to restore the security of the compromised Information Systems

If a Cybersecurity Event occurs in a system maintained by a Third-Party Service Provider, the Licensee still needs to complete the investigation steps above. The Licensee must maintain records of Cybersecurity Events for at least five years from the date of the event and must produce the records upon demand of the Commissioner.

Section 6 Notification of Cybersecurity Event

The Licensee shall notify the Commissioner of a Cybersecurity Event as promptly as possible and no later than 72 hours after determining that the event has occurred. The criteria for such a notification are as follows:

  • The state is the insurer’s state of domicile or the producer’s home state
  • The Licensee believes that the Nonpublic Information involved relates to 250 or more consumers residing in this state
  • The event results in either of the following:
    • a cybersecurity event impacting the Licensee of which notice is required to be provided to any government body, self-regulatory agency or any other supervisory body pursuant to any state or federal law or,
    • a cybersecurity event that is reasonably likely to materially harm any consumer residing in this state or any material part of the normal operations of the Licensee

The Licensee shall provide as much of the following information as possible, in electronic form as directed by the Commissioner, and shall update and supplement the initial and any subsequent notifications to the Commissioner as further information about the Cybersecurity Event becomes available:

  • Date of event
  • A description of how the information was exposed, lost, stolen, or breached
  • How the event was discovered
  • Whether any lost, stolen, or breached information has been recovered and, if so, how the recovery was performed
  • The identity of the source of the Cybersecurity Event
  • Whether the Licensee has filed a police report or has notified any regulatory, government, or law enforcement agencies
  • A description of the specific types of information acquired without authorization. Specific types of information means particular data elements such as medical information, financial information, or other information allowing identification of the consumer
  • The period during which the Information System was compromised by the Cybersecurity Event
  • The Licensee’s best estimate of the total number of consumers in the state affected by the Cybersecurity Event, provided in the initial report to the Commissioner and updated with each subsequent report
  • The results of any internal review identifying a lapse in either automated controls or internal procedures or whether all automated controls or internal procedures were followed
  • A description of the efforts being taken to remediate the conditions which permitted the Cybersecurity Event to occur
  • A copy of the Licensee’s privacy policy and a statement outlining the steps the Licensee will take to investigate and notify consumers affected by the Cybersecurity Event
  • The name of a contact person who is both familiar with the Cybersecurity Event and authorized to act for the Licensee

Notification to Consumers

The Licensee should comply with the state’s data breach notification law. When a Licensee is required to notify the Commissioner under Section 6, it should also provide the Commissioner with a copy of the notice sent to Consumers under that statute.

Notice Regarding Cybersecurity Events of Third-Party Service Providers

In the case of a Cybersecurity Event in a system maintained by a Third-Party Service Provider, the Licensee should notify the Commissioner according to the Model Law standard. The computation of the Licensee’s deadlines begins on the day after the Third-Party Service Provider notifies the Licensee of the event or the Licensee otherwise has actual knowledge of the Cybersecurity Event, whichever is sooner. Nothing in this Act prevents an agreement between the Licensee and another Licensee, a Third-Party Service Provider, or any other party to fulfill any of the investigation or notice requirements imposed by the Model Law.

Notice Regarding Cybersecurity Events of Reinsurers to Insurers

Where a Cybersecurity Event involves Nonpublic Information used by, or in the custody or control of, a Licensee acting as an assuming insurer that has no direct contractual relationship with the affected Consumers, the assuming insurer shall notify its affected ceding insurers and the Commissioner of its state of domicile within 72 hours of determining that a Cybersecurity Event has occurred.

In the case of a Cybersecurity Event involving Nonpublic Information that is in the custody or control of a Third-Party Service Provider of a Licensee that is an assuming insurer, the assuming insurer shall notify its affected ceding insurers and the Commissioner of its state of domicile within 72 hours of receiving notice from its Third-Party Service Provider that a Cybersecurity Event has occurred.

The ceding insurers that have a direct contractual relationship with affected Consumers should fulfill the Consumer notification requirements imposed under the state’s breach notification law and any other notification requirements relating to a Cybersecurity Event described in this article.

Notice Regarding Cybersecurity Events of Insurers to Producers of Record

In the case of a Cybersecurity Event involving Nonpublic Information in the custody or control of a Licensee that is an insurer, or of its Third-Party Service Provider, where a Consumer accessed the insurer’s services through an independent insurance producer, the insurer shall notify the producers of record of all affected Consumers as directed by the Commissioner. The insurer is excused from this obligation for any Consumer for whom it does not have current producer of record information.

Section 7 Power of Commissioner

The Commissioner shall have the power to examine and investigate the affairs of any Licensee to determine whether the Licensee is engaged in any conduct in violation of this Act. This power is in addition to the powers the Commissioner has under applicable statutes governing the investigation or examination of insurers, and any such investigation or examination shall be conducted in accordance with those statutes. Whenever the Commissioner has reason to believe that a Licensee is engaged in conduct in this State that violates this Act, the Commissioner may take any action that is necessary or appropriate to enforce the provisions of this Act.

Section 8 Confidentiality

No comment

Section 9 Exceptions

No comment

Section 10 Penalty

No comment

Section 11 Rules and Regulation

No comment

Section 12 Severability

No comment

Section 13 Effective Date

No comment