NAIC Adopts Data Security Model Law

The National Association of Insurance Commissioners (NAIC) adopted its Insurance Data Security Model Law on Tuesday, leaving it up to the states to enact and adopt the framework. If enacted by the states, brokers, carriers and other licensed entities will be required, by law, to implement cyber security programs in accordance with the model law.

“The model law, adopted during National Cybersecurity Awareness Month, creates rules for insurers, agents and other licensed entities covering data security, investigation and notification of breach. This includes maintaining an information security program based on ongoing risk assessment, overseeing third-party service providers, investigating data breaches and notifying regulators of a cybersecurity event,” according to an NAIC press release.

The model law will likely be considered in a handful of states in 2018, but how many states will ultimately enact it is not known. In light of the Equifax breach, increased receptivity to proposals requiring cybersecurity compliance is anticipated. Whether or not this leads to widespread adoption of the model remains a question.

The final model law adopted by the NAIC contains three main changes to previous versions:

  • Some flexibility in the requirements, depending on the size, scope, and sophistication of the licensee. The model law recognizes the spectrum of companies involved, especially for agents and brokers.
  • Organizations in compliance with the Health Insurance Portability and Accountability Act (HIPAA) are now exempt from the relevant provisions of the model law.
  • The model law reflects many of the requirements imposed under the recently enacted New York Department of Financial Services (NYDFS) Cybersecurity Regulation, so licensees in compliance with the New York rule will also likely be in compliance with the requirements of the model.

The Council will monitor state activity related to the NAIC Data Security Model Law and will continue to provide updates. If you have questions regarding the NAIC’s Insurance Data Security Model Law, please contact The Council’s General Counsel, John Fielding, at

Recent Studies

Content Analysis of Cyber Insurance Policies: How do Carriers Price Cyber Risk?
The Rand Corporation
The Rand Corporation recently released an extensive report examining the cyber insurance industry, focusing on policy language, the mechanisms behind risk assessments, and coverage limits and exclusions. While many assume that policy language lacks clarity and uniformity, the study found that consistency among policies is greater than most would expect – good news for the industry.

Managing Cyber Risk: Understanding the Opportunity
Harvard Business Review, Sponsored by JLT
Cyber threats are multiplying, and coming from all sides. And they are costly. Even large, sophisticated, data-centric organizations can learn—abruptly—that they have only an illusion of control over cybersecurity. To better understand how organizations worldwide are responding to threats from cyber attacks and breaches, and in particular the degree to which they are incorporating these issues into their strategic planning, Harvard Business Review Analytic Services surveyed 278 individuals in a wide range of industries, roughly evenly split between large organizations with 10,000 or more employees and those with fewer.

Leader’s Edge: The Internet Goes Dark

The internet has gone down. How long can your business withstand the interruption? One day? Two days? One week? What if the outage were widespread? How long would it take for the financial impact to be ruinous?

The answer is not long at all. The internet is as essential to commerce today as are people. Without a connection, employees might as well stay home and watch Netflix. Oops, can’t do that either.

Read on.

What We’re Reading

Merck Cyber-Attack May Cost Insurers $275 million: Verisk’s PCS
Insurers could pay $275 million to cover the insured portion of drugmaker Merck’s loss from a cyber-attack in June, according to a forecast by Verisk Analytics’ Property Claim Services (PCS) unit.

Cyber Insurance: Three Ways to Reduce Carrier Risk
A growing demand for cyber insurance is being met by new offerings from carriers. But evolving cyber threats call for a new approach. Three key elements can help protect carriers from the potentially massive risk of offering cyber insurance.

Industry Must Develop Common Cyber Risk Currency
Diversification is essential for evolving the cyber insurance market, yet expanding the cyber remit beyond data confidentiality and further into areas such as operational technology risk, data availability and integrity demands a common cyber risk currency, according to Guy Carpenter’s Morley Speed, managing director, and Carolyn Morley, chairman, global casualty.

US Attorney and Law Enforcement Partners Announce Formation of Connecticut Cyber Task Force
United States Attorney Deirdre M. Daly and representatives of federal, state and local law enforcement recently announced the formation of the Connecticut Cyber Task Force to investigate complex crimes in cyberspace.

Trump Administration to Draft New Cybersecurity Strategy
The Trump administration is planning to write a new cybersecurity strategy, White House Homeland Security Adviser Tom Bossert said Tuesday, suggesting that the slew of Obama-era cyber plans and strategies are fast outliving their usefulness.

The Ever Expanding Scope of Cyber Risks: All Policy Lines Beware
Insureds, insurers and reinsurers are continually faced with new types of risks and claims that fall within the rubric of “cyber.” A cyber risk is often broadly construed as anything related to the use of a computing device or network. As cyber risks expand, so does their impact on insurance lines, both those designed to apply to them and those that are affected inadvertently in what has become known as “silent cyber” coverage.

State Updates on Cybersecurity Regulations: NYDFS Cybersecurity Rule and Colorado’s Rule Applicable to Broker-Dealers and Investment Advisors
New York and Colorado continue to take the lead in cybersecurity requirements for regulated financial institutions. The New York Department of Financial Services (DFS) issued the first state cybersecurity regulation directed at its regulated financial institutions. Meanwhile Colorado’s Division of Securities adopted the new cybersecurity rules it had proposed earlier this year applicable to broker-dealers purchasing securities in Colorado and investment advisors who do business in the state.