The National Association of Insurance Commissioners (“NAIC”) has signaled that insurance regulators may be the first government agencies to adopt the framework for cybersecurity regulation that was recently set out in the New York Department of Financial Services (“NYDFS”) cybersecurity rules, which went into effect on August 28, 2017.
The Cybersecurity (EX) Working Group and the Innovation and Technology (EX) Task Force of NAIC approved the Insurance Data Security Model Law (“Model Law”) in August 2017. The Model Law will be submitted to the Executive Committee for approval on December 3, 2017, and subsequently to the joint Executive Committee and Plenary for final approval on December 4, 2017.
The Model Law closely tracks the NYDFS cybersecurity rules and provides another indication that the NYDFS cyber rules are rapidly becoming industry best practices for cybersecurity.
The Model Law, like the NYDFS rules, provides that regulated entities must certify compliance with the obligations and must provide notice of a cyber breach within 72 hours. But in some instances the Model Law is even more exacting than the NYDFS rules. For example, under the Model Law, any Cybersecurity Event – defined as “an event resulting in unauthorized access to, disruption or misuse of, an Information System or information stored on such Information System” – triggers the 72-hour notification requirement, while the NYDFS rules require notification only when the company has suffered an attack that would trigger notice to a different regulatory authority or has a “reasonable likelihood of materially harming any material part of the normal operation” of the institution, which is a higher standard.
We will provide updates on the progress of the Model Law, as well as on other regulators that are considering following the NYDFS cyber rules framework. If the Model Law is adopted, we will keep a close eye on whether insurers will start requiring their customers to adopt some or all of these same cybersecurity measures as conditions for receiving coverage or reduced rates for cyber insurance.