States impose new cybersecurity regulations on insurance sector
Insurance companies across the U.S. are being pushed into reviewing their data security protocols, following a series of high-profile breaches and cyberattacks in the last few years.
States are enacting cybersecurity legislation specific to the insurance industry, led by South Carolina, Ohio and Michigan, which have already passed data security laws for insurers over the past 12 months.
The governor of Mississippi approved new measures on April 3. Connecticut and New Hampshire also have bills moving forward in their legislatures.
All of these states are using the ‘Insurance Data Security Model Law’ of 2017 (AKA “MDL-668”) from the National Association of Insurance Commissioners, which based the model law on the New York Department of Financial Services’ cybersecurity regulation.
Ohio example: Development of information security programs
Ohio was the second state to adopt a version of MDL-668 when Ohio’s Senate Bill 273 came into effect on March 20, creating new requirements for Ohio insurance companies, including health insurance plans, to develop and implement specific information security programs to safeguard nonpublic business and personal information.
The new law applies to all individuals or non-governmental entities required to be authorized, registered, or licensed under Ohio insurance laws. All Licensees are required to develop, implement, maintain, and fully document a comprehensive information security program, based on the Licensee's internal risk assessment, to safeguard the Licensee’s non-public information, which is defined as business and personal information, the disclosure of which would harm the business, or expose certain personal details of a customer.
As an absolute minimum, a Licensee’s information security plan is required to achieve the following:
Protect the security and confidentiality of nonpublic information and the security of the information system;
Protect against any threats or hazards to the security or integrity of nonpublic information and the information system;
Protect against unauthorized access to or use of nonpublic information and minimize the likelihood of harm to any consumer; and
Define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for its destruction when no longer needed.
In a statement, Jeffrey Taft, partner at Mayer Brown LLP said:
“There’s no doubt that cybersecurity is the biggest risk facing the financial services industry. … The enactment of these laws, whether it’s the NYDFS cyber rule, or the NAIC model rule, is just evidence of how much the regulators understand that and how they want the regulated entities to understand that risk.”
As part of their information security program, Ohio Licensees are also required to:
Designate a party to act on behalf of the Licensee and be responsible for the information
Identify reasonably foreseeable internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information, including threats to the security of information systems and nonpublic information accessible to, or held by, third-party service providers (defined as entities contracted with a Licensee to maintain, process or store nonpublic information), and ensure that those providers’ information security programs are adequate;
Assess the likelihood and potential damage of internal or external threats based upon the sensitivity of the nonpublic information;
Assess the sufficiency of safeguards in place to manage the threats described above;
Implement information safeguards to manage the threats identified in its ongoing assessment; and
Not less than annually, assess the effectiveness of the safeguards' key controls, systems, and procedures.
Variations of the model law
Data security and insurance professionals anticipate that a growing number of states will adopt similar legislation over the course of the next few years, saying that firms should be aware of the varying requirements between existing laws and those enacted in the future, to ensure full compliance.
Alan Berliner, former assistant director and chief legal counsel for the Ohio Department of Insurance, said: “States will look at this as a pro-consumer protection.”
When state laws, such as New York’s, impact insurance companies doing business there, “other states will say ‘if our insurance companies need to comply with the law, we ought to have our own laws,’” added Berliner, now a partner and insurance counsel at Thompson Hine LLP.
Both the model law and the individual state adaptations of it usually require covered entities to:
maintain fully documented information security programs;
complete risk assessments; and
maintain incident response plans,
as well as meet other provisions. Insurance firms that are already compliant with the New York cybersecurity regulation have a somewhat simplified route to compliance with other state laws, due to the similarity of requirements, attorneys have said.
Andreas Kaltsounis, a privacy and data security partner at BakerHostetler, said that, so far, data breach notification requirements and exemption provisions represent the most significant differences among the state laws. State versions of the law also have different exemption criteria based on “number of employees, company revenue, or company assets,” Kaltsounis added.
Ohio’s new law allows licensees with certain cybersecurity programs to use an affirmative defense against tort claims that allege the licensee failed to implement reasonable cybersecurity controls.
A tort, in common law jurisdictions, is a civil wrong that causes a claimant to suffer loss or harm resulting in legal liability for the person who commits the tortious act.
But despite the variations in the laws, insurers operating on a national scale will gear up for the most stringent requirements, adopting the “lowest common denominator approach,” Taft said.
Compliance - going forward
Covered entities may have to modify vendor contracts to comply with third-party service provider provisions, Taft said.
“For a lot of companies, that’s a particular pain point, because it requires them to get some third party to agree to do certain things as part of their contractual relationship. … Entities also will have to look at their vendor management systems to make sure they maintain high standards.”
Just like any other organization that holds people’s sensitive information, insurance companies could potentially be affected by unauthorized remote access to their network or email systems, Kaltsounis said.
“To combat this, insurers should implement multi-factor authentication for remote access to resources—this control is highlighted by the NYDFS regulation and the NAIC model law,” he said.
Meanwhile, data security experts warn that insurers need to remember that simply having information security programs and protocols in place will not guarantee that the processes will work. Covered entities must test their incident response, the quality of employee training, and the efficacy of other policies on an ongoing basis, in order to ensure that all protocols are effective.
“Most people are getting good about having policies and procedures. Where they fall down is implementing policies and customizing them.”