The National Association of Insurance Commissioners Cybersecurity (EX) Working Group has adopted the sixth and final version of the Insurance Data Security Model Law.
Following its annual summer meeting in August, the Cybersecurity (EX) Working Group, which reports to the Innovation and Technology Task Force, adopted the sixth and final draft of the law, with slight amendments, including one replacing the need for an annual report with a written statement clarifying compliance.
The definition of a licensee was also amended to include insurers acting as an assuming insurer that is domiciled in another state or jurisdiction.
Confidentiality privileges were also clarified in Section 8.
The model will next be considered by the NAIC’s executive committee, as the parent committee of the Cybersecurity Working Group.
Once approved at that level, it will go to the joint meeting of the Executive Committee and plenary, where all of the NAIC Members will vote.
The entire process should be completed by the fall national meeting in December at the latest.
Once adopted by plenary, states will begin introducing legislation in time for their legislative sessions, which typically begin in January.
The model will have to be passed in each individual state to become effective, with the implementation date based on each state’s legislation.
Firms will have one year from the chosen date to put the core of the regulation into action, stipulating the creation of an information security programme, an incident response plan, and an annual certification.
Each firm will also have two years to provide oversight of its third party service providers, although regulations regarding those third party firms were relaxed in the final draft of the law.
According to a drafting note in the model law, if a licensee is in compliance with Part 500 of Title 23 of the New York State cyber regulations, the licensee will also be in compliance with the model law.
The regulations mandate that if a cyber event impacts 250 or more consumers residing in a state, the state commissioner must be notified of the breach within 72 hours.
It also requires that an insurer designate an employee, affiliate, or outside vendor to head its information security programme.
Consumer notification of any breaches must be completed in line with each state’s existing breach notification laws.
Consequences for non-compliance will be different state by state, but according to an NAIC spokesperson most states already have something similar to the South Carolina administrative penalty statute, which details fines of up to $15,000, or $30,000 for a wilful violation.
According to the South Carolina law, non-compliance could also lead to the suspension or revocation of the violator’s ability to do business in the state in addition to any fines levied.