Council Foundation Logo Leaders Edge

October 26, 2017

The National Association of Insurance Commissioners (NAIC) adopted its Insurance Data Security Model Law on Tuesday, leaving it up to the states to enact and adopt the framework. If enacted by the states, brokers, carriers and other licensed entities will be required, by law, to implement cyber security programs in accordance with the model law.

“The model law, adopted during National Cybersecurity Awareness Month, creates rules for insurers, agents and other licensed entities covering data security, investigation and notification of breach. This includes maintaining an information security program based on ongoing risk assessment, overseeing third-party service providers, investigating data breaches and notifying regulators of a cybersecurity event,” according to an NAIC press release.

The model law will likely be considered in a handful of states in 2018, but the scope of states expected to enact the law is not known. In light of the Equifax breach, increased receptivity to proposals requiring cybersecurity ­­­­compliance is anticipated. Whether or not this leads to widespread adoption of the model remains a question.

The final model law adopted by the NAIC contains three main changes to previous versions:

  • Some flexibility in the requirements, depending on the size, scope, and sophistication of the licensee. The model law recognizes the spectrum of companies involved, especially for agents and brokers.
  • Organizations in compliance with the Health Insurance Portability and Accountability Act (HIPPA) are now exempt from relevant provisions of the model law.
  • The model law reflect many of the requirements imposed under the recently enacted New York District of Financial Services (NYDFS) Cybersecurity Regulation, so licensees in compliance with the New York rule will also likely be in compliance with the requirements of the model.

The Council will monitor state activity related to the NAIC Data Security Model Law and will continue to provide updates. If you have questions regarding the NAIC’s Insurance Data Security Model Law, please contact The Council’s General Counsel, John Fielding, at

Recent Studies

Content Analysis of Cyber Insurance Policies: How do Carriers Price Cyber Risk?
The Rand Corporation
The Rand Corporation recently released an extensive report examining the cyber insurance industry, specifically on policy language, the mechanisms behind risk assessments, and coverage limits and exclusions. While most believe a lack of clarity and uniformity exists behind policy language, the study found that consistency among policies is greater than most would assume – good news for the industry.

Managing Cyber Risk: Understanding the Opportunity
Harvard Business Review, Sponsored by JLT
Cyber threats are multiplying, and coming from all sides. And they are costly. Even large, sophisticated, data-centric organizations can learn—abruptly—that they have only an illusion of control over cybersecurity. To better understand how organizations worldwide are responding to threats from cyber attacks and breaches, and in particular the degree to which they are incorporating these issues into their strategic planning, Harvard Business Review Analytic Services surveyed 278 individuals in a wide range of industries, roughly evenly split between large organizations with 10,000 or more employees and those with fewer.