As remote work environments have quickly become normalized in 2020, heightened cybersecurity concerns are taking center stage. Though the issue is universal, Texas regulators will soon be confronting the task of formalizing a cybersecurity standard for insurers domiciled in the state. Why not get ready in advance for what will inevitably be a time-sensitive item on your doorstep?
The National Association of Insurance Commissioners (NAIC) warns:
“Technological advancements make life easier. But, they can come at a cost. Every day it seems like another data breach story hits the news. As individuals and families use more technology, there is a lot at stake when it comes to protecting themselves online.
We increasingly rely on the Internet to work, bank, shop and socialize. Our health and financial information is stored online and devices are connected to control everything from home security systems to thermostats and TVs. While convenient, these connections open the door for possible malicious activity.
Small companies are targets for hackers as they possess sensitive information but typically have less security than larger companies. Cybersecurity insurance provides coverage for compromised security or privacy breaches at work. Business cybersecurity policies tend to be highly customized and therefore, costly.”
Several years ago, the NAIC created a “Roadmap for Cybersecurity Consumer Protections.” Subsequently, responding to a series of high-profile data breaches, the NAIC adopted the NAIC Data Security Model Law in October 2017, based on 12 guiding principles. The purpose of the model law was to establish standards for data security, as well as standards for the investigation of a cybersecurity event and for notification of the insurance commissioner of each state when such an event occurs.
Key requirements of the model law include:
- The design, development, implementation, and maintenance of a comprehensive written Information Security Program (ISP) based on risk assessment and risk management, with oversight by the Board of Directors.
- Designation of one or more employees, an affiliate, or an outside agent who is responsible for the ISP.
- Due diligence in the selection of any third-party service providers, and a requirement that those providers protect the licensee’s information systems and policyholder information.
- Prompt investigation of, and notification of, any cybersecurity event. The licensee must assess the nature and scope of the event, identify the non-public information exposed, and restore the security of the compromised system.
- Written annual certification of compliance with the regulation to the domiciliary insurance department.
How many states have adopted the model law?
The U.S. Treasury Department endorsed the Model Law and recommended its prompt and uniform adoption by all states. Through June 2020, eleven states have adopted some form of the Model Law, and six others currently have an action under consideration.
- New York enacted its own regulation on cybersecurity.
- California adopted regulations to protect consumers’ personal information. The act went into effect January 1, 2020, and is now enforceable July 15, 2020, after a six-month grace period.
- We anticipate Texas will adopt the Model Law during its 87th Legislative Session in early 2021.

If you have questions about the impact this might have on your insurance company, JLK Rosenberger can help. Call us at 972-331-5909, or contact us through our website. We look forward to speaking with you soon.
Don’t wait to take action
Now would be a great time to begin developing your insurance company’s plan. Once a breach occurs, the required regulatory follow-up can be onerous and the damage to your reputation severe. JLK Rosenberger can help in several capacities, such as an initial overview engagement that reviews your planned process for implementing the NAIC guidelines before you finalize it. A more in-depth assessment may be warranted to compare your current controls against the additional controls that may need enhancement or consideration, particularly as they relate to external security control matters. This is an opportune time to have an external reassessment of your overall internal control documentation structure, which should incorporate the NAIC model law guidelines so that it meshes with your future statutory or GAAP audits.