Cybersecurity for the Insurance Sector:
Understanding the NAIC's Insurance Data Security Model Law

Elizabeth Kelleher Dwyer, Esq.
Superintendent of Insurance
Department of Business Regulation
April 19, 2018

© 2016 National Association of Insurance Commissioners. All Rights Reserved.
Importance of Cybersecurity

Business and Consumer Data Protection
- Cybercrime is rising
- 2017 Data Breaches: Equifax, Verizon, Uber, RNC Contractor, Deloitte, Dun & Bradstreet
Insurance Data Security Model Law
- Aug. 7, 2017: Adopted by the Cybersecurity (EX) Working Group
- Aug. 8, 2017: Adopted by the Innovation and Technology (EX) Task Force
- Oct. 24, 2017: Adopted by the Executive (EX) Committee and Plenary (NAIC Membership)
Model Law Drafting Group

Regulators: California, Florida, Illinois, Maine, New York, Rhode Island and Texas

Industry Representatives:
- American Council of Life Insurers (ACLI)
- America’s Health Insurance Plans (AHIP)
- American Insurance Association (AIA)
- American Land Title Association (ALTA)
- Independent Insurance Agents and Brokers of America (IIABA)
- National Association of Mutual Insurance Companies (NAMIC)
- Professional Insurance Agents (PIA)
- Property Casualty Insurers Association of America (PCI)
- Reinsurance Association of America (RAA)

Consumer Representatives:
- Center for Economic Justice (CEJ)
- Peter Kochenburger (University of Connecticut School of Law)
Insurance Data Security Model Law
Section 2: Purpose & Intent
- Establishes standards for data security and standards for the investigation of, and notification to the Commissioner of, a Cybersecurity Event
- Does not create a private cause of action, nor curtail an already-existing private right of action
- Drafting Note: If a Licensee is in compliance with the NY Regulation, it is in compliance with this Act.
Insurance Data Security Model Law
Section 3: Definitions

Cybersecurity Event
- Event resulting in unauthorized access to, disruption or misuse of, an Information System or info. stored on such Information System
- Doesn’t include unauthorized acquisition of encrypted info., or an event where Nonpublic Info. has not been used or released.

Information System
- Electronic info. resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, etc.
Insurance Data Security Model Law
Section 3: Definitions, cont.

Licensee
- Person or entity licensed or required to be licensed by the Dept. of Insurance
- Does not include a purchasing group or RRG chartered and licensed in another state, or a Licensee that is acting as an assuming insurer domiciled in another state

Nonpublic Information (NPI)
- Business info.: material adverse impact
- Consumer info.: any identifying info. in combination with SSN; DL no.; acct. no.; password; or biometric records
- Health care info.
[Definition identical to NY Reg.]
Insurance Data Security Model Law
Section 3: Definitions, cont.

Third-Party Service Provider (TPSP)
- Person or entity not defined as a Licensee that contracts with a Licensee to maintain, process, store or otherwise is permitted access to Nonpublic Information
Insurance Data Security Model Law
Section 4: Information Security Program

Implementation
- Develop, implement and maintain an Info. Security Program based on the Licensee’s Risk Assessment

Objectives
- Protect the Info. System and Nonpublic Info.

Risk Assessment
- Designate employees or a vendor in charge of the Info. Security Program
- Identify internal/external threats, incl. TPSPs
- Assess likelihood and potential damage of threats
- Assess sufficiency of policies, procedures and safeguards to manage threats
- Implement safeguards to manage threats identified in the ongoing assessment; assess effectiveness annually
Insurance Data Security Model Law
Section 4: Information Security Program
Section 4, cont.

Risk Management
- Design Info. Security Program
- Determine which measures to implement:
  - Access controls
  - Identify/manage business data
  - Restrict physical access
  - Use encryption or other means
  - Secure applications (internal & external)
  - Modify the Info. System in accordance with the Info. Security Program
  - Multi-factor authentication
  - Regular testing/monitoring to detect attacks
  - Audit trails to detect and respond to events
  - Protect NPI from destruction by hazards
  - Securely dispose of NPI
- Include cyber risks in Enterprise Risk Management
- Stay informed of emerging threats
- Train employees
Insurance Data Security Model Law
Section 4: Information Security Program
Section 4, cont.

Oversight by Board
- Require management to develop, implement and maintain the Info. Security Program
- Require management to report in writing annually on: (1) status of/compliance with the Info. Security Program; and (2) material matters related to the Info. Security Program

Oversight of Third-Party Service Providers
- Exercise due diligence in selecting TPSPs
- Require TPSPs to implement appropriate measures to secure the Info. Systems and NPI held by TPSPs
Insurance Data Security Model Law
Section 4: Information Security Program
Section 4, cont.

Program Adjustments
- Monitor, evaluate and adjust the Info. Security Program consistent with changes in technology and risk.

Incident Response Plan
- Establish an incident response plan for a Cybersecurity Event.

Annual Certification
- Annually certify compliance with Section 4.
- Document and identify remedial efforts.
Insurance Data Security Model Law
Section 5: Investigation
- Conduct an investigation if a Cybersecurity Event has or may have occurred
- During the investigation:
  - Determine whether a Cybersecurity Event occurred
  - Assess the nature and scope of the Cybersecurity Event
  - Identify the NPI involved
  - Perform measures to restore the security of the Info. Systems
- If the Cybersecurity Event is with a TPSP, complete these steps or ensure the TPSP does so
- Maintain records of Cybersecurity Events for 5 years; produce to the Commissioner upon demand
Insurance Data Security Model Law
New Section 6: Notification

Notify Commissioner
- Notify the Commissioner of a Cybersecurity Event within 72 hours when:
  - This state is the state of domicile/home state; or
  - NPI of 250+ consumers is involved and either:
    - Notice is required by law; or
    - The Cybersecurity Event has a reasonable likelihood of materially harming consumers in this state or a material part of the Licensee’s operations

Detailed Information
- Provide as much info. as is known about the Cybersecurity Event as soon as possible, with a continuing obligation to update.

Consumer Notice
- Notify consumers pursuant to state data breach notification law.
- Provide a copy of the notice to the Commissioner.
Insurance Data Security Model Law
New Section 6: Notification
Section 6, cont.

Notice of TPSP Event
- If the Cybersecurity Event is with a TPSP, use the same protocol unless the TPSP agrees to provide the notice

Notice of Reinsurer Event
- For assuming insurers with no consumer relationship, notify affected ceding insurers and the Commissioner within 72 hours.
- For assuming insurers with a consumer relationship, notify consumers pursuant to state data breach notification law and follow the requirements under Sec. 6 of the Act.
- For assuming insurers when the Cybersecurity Event is with a TPSP, notify ceding insurers and the Commissioner within 72 hours of receiving notice from the TPSP.
- For ceding insurers with a consumer relationship, notify consumers pursuant to state data breach notification law and follow the requirements under Sec. 6 of the Act.
Insurance Data Security Model Law
New Section 6: Notification
Section 6, cont.

Notice of Producer Event
- If the Cybersecurity Event is with an insurer (or its TPSP) and the consumer accessed services through an independent producer, the insurer notifies the producers of record of all affected consumers as soon as practicable.
- Excused if the insurer does not have current producer-of-record info. for a consumer.
Insurance Data Security Model Law
Section 7: Power of Commissioner
- Commissioner has power to examine and investigate a Licensee to determine violation of the Act.
- Power is in addition to power under state investigation and examination laws, and is exercised pursuant to such laws.
Insurance Data Security Model Law
Section 8: Confidentiality
- Documents that a Licensee provides to the Dept. of Insurance under specific provisions of the Act, or obtained in an investigation or examination, are confidential and privileged.
- Not subject to FOIA or subpoena; not discoverable or admissible in a private civil action.
- Commissioner, or those under the Commissioner, not permitted to testify in a private civil action concerning confidential documents.
- Commissioner may share documents with other regulatory agencies, the NAIC, and law enforcement if the recipient agrees to maintain confidential status.
- Commissioner may receive documents from other regulatory agencies, the NAIC, and law enforcement and maintain confidential status.
- Commissioner may share documents with a vendor if the vendor agrees to maintain confidential status.
Insurance Data Security Model Law
Section 8: Confidentiality
Section 8, cont.
- Commissioner may enter agreements governing sharing and use of information consistent with the Act.
- No waiver of privilege or claim of confidentiality shall occur due to disclosure to the Commissioner as authorized.
- Nothing prohibits the Commissioner from releasing final, adjudicated actions open to public inspection.
Insurance Data Security Model Law
Section 9: Exceptions
- Small Licensees: Exempt from Sec. 4 if fewer than 10 employees
- HIPAA compliant: Exempt from Sec. 4 if compliant with HIPAA and certifies compliance
- Agents: Exempt from Sec. 4 if an employee or agent of a Licensee who is also a Licensee
- If status changes, must comply with the Act within 180 days
Insurance Data Security Model Law
Section 10: Penalties
- Penalties for violations pursuant to the general insurance penalty law.
Insurance Data Security Model Law
Section 11: Rules & Regulations
Section 11 [OPTIONAL]
- Commissioner may promulgate regulations as necessary pursuant to authority.
Insurance Data Security Model Law
Section 13: Effective Date
- Effective date selected by the state.
- Licensees have 1 year from the effective date to implement Section 4 of the Act.
- Licensees have 2 years from the effective date to implement Section 4F of the Act (TPSP Oversight).
Comparison: NAIC Model and 23 NYCRR 500

Provisions compared (NY DFS Reg. vs. NAIC Model):
- Cybersecurity / Information Security Program
- CISO or other individual/entity responsible for ISP
- Data Retention Policy
- Risk Assessment
- Security Measures / Controls: Mandated (NY DFS Reg.) vs. As Appropriate (NAIC Model)
- Regular system testing
- Audit Trails
- Restrict access privileges
- Application Security
- Multi-Factor Authentication
- Staff Training
- Encryption of NPI
- Oversight by Board of Directors
- Third-Party Vendor Oversight
- Incident Response Plan
- Annual Certification to Supt. / Commr.
- Notify Supt. / Commr. (72 hrs.)
- Exceptions for smaller entities
Insurance Data Security Model Law
State Activity
- Rhode Island: Insurance Data Security Act (H 7789 / S 2497)
- South Carolina: Enacted May 2019
Insurance Data Security Model Law
Implementation
- Innovation and Technology (EX) Task Force: NAIC exploring a uniform reporting system for cybersecurity event notifications.
Insurance Data Security Model Law
Questions?