Cybersecurity for the Insurance Sector:


Cybersecurity for the Insurance Sector: Understanding the NAIC's Insurance Data Security Model Law
Elizabeth Kelleher Dwyer, Esq., Superintendent of Insurance, Department of Business Regulation
April 19, 2018
© 2016 National Association of Insurance Commissioners. All Rights Reserved.

Importance of Cybersecurity
- Business and consumer data protection: cybercrime is rising.
- 2017 data breaches: Equifax, Verizon, Uber, RNC contractor, Deloitte, Dun & Bradstreet.

Insurance Data Security Model Law: Adoption Timeline
- Aug. 7, 2017: adopted by the Cybersecurity (EX) Working Group.
- Aug. 8, 2017: adopted by the Innovation and Technology (EX) Task Force.
- Oct. 24, 2017: adopted by the Executive (EX) Committee and Plenary (NAIC membership).

Model Law Drafting Group
Regulators: California, Florida, Illinois, Maine, New York, Rhode Island and Texas.
Industry representatives:
- American Council of Life Insurers (ACLI)
- America's Health Insurance Plans (AHIP)
- American Insurance Association (AIA)
- American Land Title Association (ALTA)
- Independent Insurance Agents and Brokers of America (IIABA)
- National Association of Mutual Insurance Companies (NAMIC)
- Professional Insurance Agents (PIA)
- Property Casualty Insurers Association of America (PCI)
- Reinsurance Association of America (RAA)
Consumer representatives:
- Center for Economic Justice (CEJ)
- Peter Kochenburger (University of Connecticut School of Law)

Insurance Data Security Model Law, Section 2: Purpose and Intent
- Establishes standards for data security, and standards for the investigation of, and notification to the Commissioner of, a Cybersecurity Event.
- Does not create a private cause of action, and does not curtail an already-existing private right of action.
- Drafting note: a Licensee in compliance with the New York regulation (23 NYCRR 500) is in compliance with this Act.

Insurance Data Security Model Law, Section 3: Definitions
Cybersecurity Event
- An event resulting in unauthorized access to, or disruption or misuse of, an Information System or information stored on such an Information System.
- Does not include the unauthorized acquisition of encrypted Nonpublic Information, provided the encryption process or key is not also acquired, released or used without authorization. The encryption exclusion is therefore only as strong as the Licensee's key management: a stolen database together with its key is a Cybersecurity Event.
- Does not include an event where the Licensee has determined that the Nonpublic Information accessed has not been used or released and has been returned or destroyed.
Information System
- Electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, etc.

Insurance Data Security Model Law, Section 3: Definitions, cont.
Licensee
- A person or entity licensed, or required to be licensed, by the Department of Insurance.
- Does not include a purchasing group or risk retention group (RRG) chartered and licensed in another state, or a Licensee that is acting as an assuming insurer domiciled in another state.
Nonpublic Information (NPI)
- Business information: information whose unauthorized disclosure, access or use would cause a material adverse impact to the Licensee.
- Consumer information: any identifying information (name, number or other identifier) in combination with a Social Security number; driver's license number; account, credit or debit card number; security code, access code or password; or biometric records.
- Health care information.
[Definition identical to the NY regulation.]

Insurance Data Security Model Law, Section 3: Definitions, cont.
Third-Party Service Provider (TPSP)
- A person or entity, not itself a Licensee, that contracts with a Licensee to maintain, process or store Nonpublic Information, or is otherwise permitted access to Nonpublic Information.

Insurance Data Security Model Law, Section 4: Information Security Program
Implementation
- Develop, implement and maintain an Information Security Program based on the Licensee's Risk Assessment.
Objectives
- Protect the Information System and the Nonpublic Information it holds.
Risk Assessment
- Designate one or more employees, or an outside vendor, as responsible for the Information Security Program.
- Identify reasonably foreseeable internal and external threats, including threats to NPI held by or accessible to TPSPs.
- Assess the likelihood and potential damage of those threats.
- Assess the sufficiency of policies, procedures and safeguards in place to manage those threats.
- Implement safeguards to manage the threats identified in the ongoing assessment, and assess their effectiveness at least annually.

Insurance Data Security Model Law, Section 4: Information Security Program, cont.
Risk Management
- Design the Information Security Program to mitigate the identified risks.
- Determine which of the following security measures are appropriate, and implement them (unlike 23 NYCRR 500, the Model Law lists these as candidates, not mandates):
  - Access controls on Information Systems.
  - Identify and manage the data, personnel, devices and systems that make up the business.
  - Restrict physical access to NPI.
  - Protect NPI by encryption or other appropriate means while in transit over external networks and at rest on portable devices and media.
  - Secure development practices for in-house applications, and procedures for evaluating and testing externally developed applications.
  - Modify the Information System in accordance with the Information Security Program.
  - Multi-factor authentication for individuals accessing NPI.
  - Regular testing and monitoring to detect actual and attempted attacks on, or intrusions into, Information Systems.
  - Audit trails sufficient to detect and respond to Cybersecurity Events.
  - Protect NPI against destruction, loss or damage from environmental hazards and technological failures.
  - Secure disposal of NPI that is no longer needed.
- Include cybersecurity risks in the Licensee's Enterprise Risk Management process.
- Stay informed of emerging threats and vulnerabilities.
- Provide cybersecurity awareness training to employees.

Insurance Data Security Model Law, Section 4: Information Security Program, cont.
Oversight by the Board of Directors
- Require management to develop, implement and maintain the Information Security Program.
- Require management to report in writing, at least annually, on (1) the overall status of, and compliance with, the Information Security Program, and (2) material matters related to the Information Security Program.
Oversight of Third-Party Service Providers
- Exercise due diligence in selecting TPSPs.
- Require TPSPs to implement appropriate administrative, technical and physical measures to protect and secure the Information Systems and NPI that are accessible to, or held by, the TPSP.

Insurance Data Security Model Law, Section 4: Information Security Program, cont.
Program Adjustments
- Monitor, evaluate and adjust the Information Security Program consistent with changes in technology, the sensitivity of NPI, internal or external threats, and the Licensee's own changing business arrangements.
Incident Response Plan
- Establish a written incident response plan designed to promptly respond to, and recover from, any Cybersecurity Event.
Annual Certification
- Each domestic insurer annually certifies to the Commissioner (by April 15) its compliance with Section 4.
- Where areas, systems or processes require material improvement, updating or redesign, document the identified areas and the remedial efforts planned and under way.

Insurance Data Security Model Law, Section 5: Investigation
- Conduct a prompt investigation whenever a Cybersecurity Event has or may have occurred.
- During the investigation, at a minimum:
  - Determine whether a Cybersecurity Event has occurred.
  - Assess the nature and scope of the Cybersecurity Event.
  - Identify any NPI that may have been involved.
  - Perform, or oversee, reasonable measures to restore the security of the Information Systems compromised, in order to prevent further unauthorized access or use of NPI.
- If the Cybersecurity Event occurred in a system maintained by a TPSP, complete the steps above or confirm and document that the TPSP has done so.
- Maintain records concerning all Cybersecurity Events for at least 5 years, and produce them to the Commissioner upon demand.

Insurance Data Security Model Law, Section 6: Notification
Notice to the Commissioner
- Notify the Commissioner as promptly as possible, and no later than 72 hours after determining that a Cybersecurity Event has occurred, when either:
  (a) this state is the Licensee's state of domicile (insurer) or home state (producer); or
  (b) the Licensee reasonably believes the NPI of 250 or more consumers residing in this state is involved, and either (i) notice is required to be provided to any government body, self-regulatory agency or supervisory body under any law, or (ii) the Cybersecurity Event has a reasonable likelihood of materially harming any consumer residing in this state or any material part of the Licensee's normal operations.
Detailed Information
- Provide as much information about the Cybersecurity Event as is known, as soon as possible, with a continuing obligation to update and supplement the initial notice.
Consumer Notice
- Notify affected consumers pursuant to the state data breach notification law, and provide a copy of that notice to the Commissioner.

Insurance Data Security Model Law, Section 6: Notification, cont.
Notice of a TPSP Event
- If the Cybersecurity Event occurs in a system maintained by a TPSP, the Licensee treats it as its own event and follows the same notification protocol, unless the TPSP itself provides the required notice.
Notice of a Reinsurer Event
- Assuming insurers with no direct consumer relationship: notify the affected ceding insurers and the Commissioner within 72 hours of determining that a Cybersecurity Event has occurred.
- Assuming insurers with a direct consumer relationship: notify consumers pursuant to the state data breach notification law and follow the other requirements of Section 6.
- Assuming insurers whose Cybersecurity Event occurred at a TPSP: notify the affected ceding insurers and the Commissioner within 72 hours of receiving notice from the TPSP.
- Ceding insurers with a direct consumer relationship: notify consumers pursuant to the state data breach notification law and follow the other requirements of Section 6.

Insurance Data Security Model Law, Section 6: Notification, cont.
Notice of a Producer Event
- If the Cybersecurity Event involves an insurer (or its TPSP) and the consumer accessed the insurer's services through an independent producer, the insurer notifies the producers of record of all affected consumers as soon as practicable.
- The insurer is excused from this obligation for any consumer for which it does not have current producer-of-record information.

Insurance Data Security Model Law, Section 7: Power of Commissioner
- The Commissioner has the power to examine and investigate a Licensee to determine whether it has violated the Act.
- This power is in addition to the Commissioner's power under the state's investigation and examination laws, and is exercised pursuant to those laws.

Insurance Data Security Model Law, Section 8: Confidentiality
- Documents that a Licensee provides to the Department of Insurance under specific provisions of the Act, or that are obtained in an investigation or examination, are confidential and privileged.
- They are not subject to FOIA or subpoena, and are not discoverable or admissible in a private civil action.
- Neither the Commissioner nor anyone acting under the Commissioner may testify in a private civil action concerning the confidential documents.
- The Commissioner may share the documents with other regulatory agencies, the NAIC, and law enforcement, provided the recipient agrees to maintain their confidential status.
- The Commissioner may receive documents from other regulatory agencies, the NAIC, and law enforcement, and maintain their confidential status.
- The Commissioner may share the documents with a vendor, provided the vendor agrees to maintain their confidential status.

Insurance Data Security Model Law, Section 8: Confidentiality, cont.
- The Commissioner may enter into agreements governing the sharing and use of information, consistent with the Act.
- No waiver of privilege or claim of confidentiality occurs as a result of an authorized disclosure to the Commissioner.
- Nothing prohibits the Commissioner from releasing final, adjudicated actions that are open to public inspection.

Insurance Data Security Model Law, Section 9: Exceptions
- Small Licensees: exempt from Section 4 if the Licensee has fewer than 10 employees (including independent contractors).
- HIPAA-compliant Licensees: exempt from Section 4 if the Licensee maintains an information security program compliant with HIPAA and certifies that compliance in writing.
- Agents: an employee, agent, representative or designee of a Licensee, who is also a Licensee, is exempt from Section 4 and need not develop its own Information Security Program to the extent it is covered by the other Licensee's program.
- If a Licensee ceases to qualify for an exception, it must comply with the Act within 180 days.

Insurance Data Security Model Law, Section 10: Penalties
- Violations are penalized pursuant to the state's general insurance penalty law.

Insurance Data Security Model Law, Section 11 [OPTIONAL]: Rules and Regulations
- The Commissioner may promulgate such regulations as are necessary to carry out the Act, pursuant to the Commissioner's rulemaking authority.

Insurance Data Security Model Law, Section 13: Effective Date
- The effective date is selected by each state.
- Licensees have 1 year from the effective date to implement Section 4 of the Act.
- Licensees have 2 years from the effective date to implement Section 4F of the Act (TPSP oversight).

Comparison: NAIC Model and 23 NYCRR 500
Provisions compared (NY DFS Reg. vs. NAIC Model):
- Cybersecurity / Information Security Program: X
- CISO or other individual/entity responsible for the ISP
- Data retention policy
- Risk assessment
- Security measures / controls: mandated (NY DFS Reg.) vs. as appropriate (NAIC Model)
- Regular system testing
- Audit trails
- Restrict access privileges
- Application security
- Multi-factor authentication
- Staff training
- Encryption of NPI
- Oversight by Board of Directors
- Third-party vendor oversight
- Incident response plan
- Annual certification to the Superintendent / Commissioner
- Notice to the Superintendent / Commissioner within 72 hours
- Exceptions for smaller entities

Insurance Data Security Model Law: State Activity
- Rhode Island: Insurance Data Security Act, H 7789 / S 2497.
- South Carolina: enacted May 2018.

Insurance Data Security Model Law: Implementation
- Innovation and Technology (EX) Task Force: the NAIC is exploring a uniform reporting system for Cybersecurity Event notifications.

Questions?