
Paul Zimmerman


With New York Cybersecurity Rules in Place, the NAIC Looks to Follow Suit

Michelman & Robinson has written extensively on the cybersecurity requirements for financial services companies that were issued by the New York Department of Financial Services and went into effect on March 1, 2017. These cyber rules, as codified, require insurance and insurance-related companies as well as brokers, agents and adjusters licensed in New York to assess their specific cyber risk profiles and design cybersecurity programs that address such risk in a “robust fashion.”

Now, in the wake of the passage of this law in New York, the National Association of Insurance Commissioners (NAIC) is on the doorstep of adopting an Insurance Data Security Model Law that closely mirrors it in some aspects. And if adopted, the model law will serve as a template for legislation to be enacted state-by-state.

Like New York’s cyber rules, the NAIC’s version would require so-called “covered entities” to implement programs to secure sensitive data “[c]ommensurate with the size and complexity of the Licensee.” Whereas the New York law identifies specific measures that companies must take (subject to narrow exemptions), the NAIC focuses primarily on covered entities structuring their own programs based on self-identified risks, allowing them to “[d]etermine which security measures [listed in the act] . . . are appropriate to implement.”

Of note, both the New York cyber rules and NAIC model act require the designation of an employee or outside vendor to assume responsibility for an organization’s Information Security Program. Regardless of size or risk assessment, the model law specifically requires that “[a]s part of its Information Security Program, each Licensee shall establish a written incident response program” to promptly respond to potential cybersecurity incidents. Also, the NAIC would mandate annual compliance and notification of state insurance commissioners within 72 hours of determining the occurrence of a data breach or similar hack.

There is more. While both the model law and New York’s cyber rules create exemptions for small businesses (fewer than 10 employees, including independent contractors), the NAIC has not created carve-outs based on the covered entity’s total assets or annual revenue. One other major difference between the two programs is the requirement for third-party penetration testing, which is mandatory for New York licensees (unless they qualify for a limited exemption) but not required under the NAIC model act.

Many companies transacting insurance, even those outside of New York, are already paying heed to and implementing some measure of the New York cyber rules. As such, the consistency that the NAIC’s model law offers may be welcome throughout an industry that recognizes that cyber risk is real and ripe for management by way of regulation. At the very least, the model law is a strong policy statement that cyber risk is a facet of modern business that must be addressed by all licensees. However, the NAIC’s version of the cyber rules could leave unresolved a question that plagues businesses struggling to meet federal and state regulators’ security expectations – what constitutes “adequate security,” and what happens when a business’s opinion of “commensurate” security practices falls short of a regulator’s ambiguous (and largely undefined) criteria?

The NAIC’s Executive Committee and Plenary will consider the model law at its upcoming meeting in December.

This blog post is not offered as, and should not be relied on as, legal advice. You should consult an attorney for advice in specific situations.