A growing number of states are enacting cybersecurity legislation for the insurance industry, pushing insurers to review their security protocols.
South Carolina, Ohio and Michigan have enacted data security laws for insurers over the past year. Mississippi’s governor approved a measure April 3, and Connecticut, New Hampshire and two other states have bills moving in their legislatures.
The states are largely using a 2017 model law by the National Association of Insurance Commissioners, which draws from the New York Department of Financial Services' cybersecurity regulation for the financial services industry.
“There’s no doubt that cybersecurity is the biggest risk facing the financial services industry,” said Jeffrey P. Taft, a partner in Mayer Brown LLP’s financial services regulatory and enforcement group. “The enactment of these laws, whether it’s the NYDFS cyber rule, or the NAIC model rule, is just evidence of how much the regulators understand that and how they want the regulated entities to understand that risk.”
The states’ push for legislation specific to the insurance industry follows a series of high-profile data breaches and cyberattacks in recent years.
More states are expected to adopt similar, but likely not uniform, versions of the model law in the next few years, data security and insurance professionals said. Licensees should note the varying requirements in the existing laws and in those enacted in the future to ensure they’re compliant, they said.
“States will look at this as a pro-consumer protection,” said Alan Berliner, a former assistant director and chief legal counsel for the Ohio Department of Insurance.
When state laws, such as New York’s, impact insurance companies doing business there, “other states will say ‘if our insurance companies need to comply with the law, we ought to have our own laws,’” Berliner, a partner and insurance counsel at Thompson Hine LLP, said.
The model and state versions generally require covered entities to have written information security programs, complete risk assessments, and maintain incident response plans, among other provisions. Insurers that already comply with the New York cybersecurity regulation will have an easier road to comply with other state laws because of the similar requirements, attorneys said.
The breach notification requirements and exemption provisions are among the most significant deviations in the state laws so far, said Andreas Kaltsounis, a privacy and data security partner at BakerHostetler.
South Carolina, the first state to adopt the NAIC model, imposed the 72-hour notice requirement in the model. Michigan’s law, however, allows 10 business days to report events, Kaltsounis said.
The state versions also have different exemption criteria based on “number of employees, company revenue, or company assets,” Kaltsounis said.
Ohio’s law allows licensees that have certain cybersecurity programs to use an affirmative defense against tort claims that allege the licensee failed to implement reasonable cybersecurity controls.
Despite the variations, insurers operating on a national scale will gear up for the most stringent requirements, adopting the “lowest common denominator approach,” Taft said.
Covered entities may have to modify vendor contracts to comply with third-party service provider provisions, Taft said.
“For a lot of companies, that’s a particular pain point, because it requires them to get some third party to agree to do certain things as part of their contractual relationship,” he said. Entities also will have to look at their vendor management systems to make sure they maintain high standards, he said.
Insurers, like other entities that hold sensitive consumer information, could be affected by unauthorized remote access to their network or email systems, Kaltsounis said.
“To combat this, insurers should implement multi-factor authentication for remote access to resources—this control is highlighted by the NYDFS regulation and the NAIC model law,” he said.
Insurers also should remember that having information security programs and protocols in place doesn't in itself ensure the processes work, data security professionals said. Covered entities must test their incident response, employee training, and other policies on an ongoing basis to ensure the protocols are effective.
“Most people are getting good about having policies and procedures. Where they fall down is implementing policies and customizing them,” Taft said.