What is the NAIC Data Security Model Law?
The National Association of Insurance Commissioners (NAIC) Data Security Model Law (Model Law) requires insurers and other entities licensed by state insurance departments to develop, implement, and maintain an information security program that contains key cyber security safeguards and management oversight. The NAIC was law adopted in 2017 as serves as the basis of many state-level laws.
What is the purpose of the Security Model Law?
As the name suggests, the model law provides a blueprint for separate state-level laws requiring insurance companies (“Licensees”) to protect customer data and respond to possible breaches. The official law states the following:
The purpose and intent of this Act is to establish standards for data security and standards for the
NAIC Model Laws, Regulations, Guidelines and Other Resources
investigation of and notification to the Commissioner of a Cybersecurity Event applicable to Licensees.
For example, the State of Virginia recently released the Virginia Insurance Data Security Act. The compliance deadline is July 2022. While this act applies to licensees in Virginia only, it is based on the model cyber law.
How many states have adopted the NAIC Model Law?
As of this article, 21 states have passed laws based on the NAIC model law: AL, AK, CT, DE, HI, IA, KY, LA, ME, MD, MI, MN, MS, NH, ND, OH, SC, TN, VT, VA, and WI. It is safe to assume that any insurance company or related entity should prepare to address these cyber requirements, even if their state has not yet adopted a law.
What are the key requirements of the NAIC Model Security Law?
The Model Cyber Law contains several sections that relate specifically to building and deploying a cyber security program to protect “Nonpublic Information” (NPI). Here is a short summary of the core requirements:
- Develop a written information security program – This includes information security policies, procedures and plans to support the program.
- Assign information security responsibility – Assign qualified internal or external staff to be responsible for the information security program.
- Perform periodic risk assessments – Identify, analyze and prioritize threats to data
- Implement key cyber security safeguards – Implement “controls” to mitigate the threats to the confidentiality, integrity and availability of data. (A “control baseline.”)
- Prepare incident response plans and procedures – Implement policies and procedures to identify security events that may lead to a possible data breach.
- Regularly monitor and report on program status – Create both technical and management level reports on the content and effectiveness of the program. This would include any information security events or incidents.
- Service Provider oversight – Assess and mitigate the cyber risk of third-party vendors.
- Provide Board-level oversight – Make sure that cyber security is part of the highest level of corporate governance
These requirements are not new to cyber security. In fact, these form the basis of any defensible cyber security program. In order to comply with any state-level laws, insurance companies must develop, document, deliver and demonstrate compliance with an information security program that has these key elements.
Formal Management Attestation
One of the main themes of this model law is documented management oversight. One of the key requirements is an annual report to the Board of Directors on the effectiveness of the program. Another key requirement is formal management attestation of the effectiveness of the program. This implies that companies will not be considered in compliance if they simply put a program in place and do not actively monitor the effectiveness of the program.
Annually, each insurer domiciled in this State shall submit to the Commissioner, a written statement by February 15, certifying that the insurer is in compliance with the requirements set forth in Section 4 of this Act.
Annual Certification to Commissioner of Domiciliary State
This takes management accountability for cyber security to a new level. The requirements are clear: Cyber Security is more than technical controls. It is not sufficient to implement technologies such as access control, MFA, firewalls and logs and consider the program complete. A complete (“defensible”) cyber security program incudes the controls that can demonstrate management involvement and accountability.
Specific Cyber Security Controls
The following is a list of specific controls that form the basis for a cyber security program. (Note: Our Common Control Library (CCL) covers each of these areas).
(a) Access Controls – Place access controls on Information Systems, including controls to authenticate and
permit access only to Authorized Individuals to protect against the unauthorized
acquisition of NPI (Nonpublic Information);
(b) Data and Asset Inventory – Identify and manage the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to
business objectives and the organization’s risk strategy;
(c) Physical Security – Restrict access at physical locations containing NPI, only to Authorized Individuals;
(d) Data Encryption – Protect by encryption or other appropriate means, all NPI while being transmitted over an external network and all NPI stored on a laptop computer or other portable computing or storage device or media;
(e) Secure Development Practices – Adopt secure development practices for in-house developed applications and procedures for evaluating, assessing or testing the security of externally developed applications utilized by the Licensee;
(f) Modify the Program – Update and modify the Information System (controls) in accordance with the Licensee’s Information Security Program;
(g) Multi-Factor Authentication (MFA) – Utilize effective controls, which may include Multi-Factor Authentication procedures for any individual accessing NPI;
(h) Security Monitoring and Testing – Regularly test and monitor systems and procedures to detect actual and attempted attacks or intrusions;
(i) Audit Logs – Include audit trails within the Information Security Program designed to detect and
respond to Cybersecurity Events and designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the Licensee;
(j) Data Center Security – Implement measures to protect against destruction, loss, or damage of NPI due to environmental hazards, such as fire and water damage; and
(k) Information Disposal – Develop, implement, and maintain procedures for the secure disposal of NPI
in any format.
Again, the previous list of controls are common to many existing cyber security frameworks such as ISO 27002 or NIST-CSF. The challenge is to build, document and maintain an effective program with all of these key cyber controls.
Simplify NAIC Model Law Compliance
Insurance companies and related entities can streamline compliance with the NAIC Data Security Model Law using our ComplianceShield platform. ComplianceShield enables your business to quick define and document all key requirements of the model law, including a robust library of information security policy templates. The platform also supports key requirements for creating and maintaining management visibility into the information security program. Learn more or request a free trial today!