Maine has adopted a recommended NAIC data security law for insurance companies titled LD 1995 SP 697. We’re seeing a growing trend where almost 20% of states have adopted some version of the NAIC data security model law. Read more below.
Insurance industry regulators (NAIC) address cybersecurity risks
Cybersecurity and insurance providers share one core viewpoint: our business decisions and the services we provide to customers are always based on risk. We help clients understand how threats, vulnerabilities, and their impact may disrupt personal and business continuity. The National Association of Insurance Commissioners (NAIC), a regulating body, has recognized the cybersecurity risks to its industry and has started taking action.
The NAIC website states that “Cybersecurity is perhaps the most important topic for the insurance sector today.”
The “Insurance Data Security Law” is born
NAIC’s solution to its cybersecurity challenges is the creation of the Insurance Data Security Law. The law is modeled on previous cybersecurity legislation passed by the State of New York, 23 NYCRR 500. The law mandates that insurance providers create and maintain an information security program to protect their organization and the data of their clients.
The Model Law has been submitted to all 50 states and is anticipated to pass. It will be overseen by the State Insurance Commissioner’s office and must be followed by any individual and/or entity licensed in that State.
Maine Adopts NAIC Model Law (LD 1995 SP 697)
As expected, more states have adopted recommendations for data security laws. This time, the state of Maine has passed and adopted LD 1995 SP 697, or the “Maine Insurance Data Security Act”. As discussed above, the law follows very similar patterns for what may be required of insurance providers. There are four main objectives that entities subject to the law should work towards:
- Protect non-public information and the information systems processing and storing this data.
- Protect against threats which may alter the integrity of non-public information.
- Protect against unauthorized access and limit the likelihood of harm to any consumer.
- Create policies for the retention and destruction of non-public information.
Certainly nothing groundbreaking from a requirements standpoint. As we continue to review these laws, we notice significant overlap and repetition of some very basic cybersecurity concepts and exercises. For specifics on the required concepts and exercises, see the list in the next section.
Addressing risk: Legislation and Self-Regulation
The NAIC model law is certainly a step in the right direction. Regulation and laws will help businesses reduce their attack surface and manage risk. With the NAIC Model Law anticipated to pass in each state, in addition to individual state laws on data security, how does a business know where to begin? We recommend businesses review their State requirements and begin developing a plan to address each item.
While each law is unique in its own way, we’re seeing a common theme across the board involving these key concepts:
- Risk Assessment and Management
- Written Policies & Procedures
- Incident Response Plan Development and Review
- Security Awareness Training
- Multi-Factor Authentication
- Backup procedures
- Encryption – At Rest and In Transit
- Continuous monitoring
- Implement and regularly assess safeguards
- Responding to Incidents
The details of each law start to vary in the Breach Notification requirements, primarily in the timeline for reporting a breach and in who must be notified and how. This can all be addressed in a well-written Incident Response Plan. To make sure your plan is effective and thorough, it’s best to work with an experienced cybersecurity professional.
While the above may soon be mandated by law, it’s important to remember that checking boxes does not guarantee a cyber-attack or breach will not happen. The requirements will help reduce risk for agencies in compliance, but they should be taken further by continually monitoring systems and data for signs of a breach.
When do businesses need to start taking action?
Some states have already passed laws, while others, like this NAIC Model Law, are still under review. In the meantime, hackers aren’t waiting for legislation to catch up; if anything, attacks are becoming more rampant year over year.
With your business still at risk, there’s no reason to wait to improve your security. Cybersecurity services are more affordable than most people realize, and taking some simple steps, such as implementing Security Awareness Training, may be enough to thwart your next phishing email or ransomware attack.
Therefore, it’s a serious gamble to wait for government regulations to catch up to the real-world threats that put your business’s reputation, operations, and overall success at risk.
Download our Understanding Data Security Laws PDF
Because we’ve been working with clients to achieve data security compliance, we thought it would be best to transfer our knowledge and experience to a simplified data sheet. You can access our “Understanding Data Security Requirements” document for additional details.
Have questions about the NAIC Model Law?
Does your business have questions about the NAIC Model Law? Rigid Bits has deep connections in the insurance industry and can help your business understand your risks and your options for reducing them. We’ve developed specific packages to help your business meet regulatory requirements, as well as solutions that provide true business security.
One of the best ways to find out where you stand is to conduct a discovery call. Feel free to reach out to schedule your discovery call and gain a better understanding of your immediate risks and plan for protecting your business.