Till now our experience with insurance agencies has been fairly reactive and driven by IT. In the background we've been keeping an eye on the National Association of Insurance Commissioners (the NAIC) regulations and how they would impact Small and Medium Sized Businesses (SMB). In April the Cybersecurity (EX) Task Force (the Task Force) first presented the Insurance Data Security Model Law (the Model Law) it generated more than 40 comment letters from trade associations, market participants and regulators. insurance industry association . It appears that the, "something has happened, now can you help us fix, resolve, remediate it" approach to Data / Information or Cyber Security is about to change drastically.
On August 17, the NAIC released for comment a revised draft Insurance Data Security Model Law . Their intention is to “establish exclusive standards . . . for data security and investigation and notification of a data breach” for “any person or entity licensed, authorized to operate, or registered” pursuant to an enacting state’s insurance laws. Becuase we're nice we decided to scratch beneath the surface, did some of the hard work for you and have called out are some of the key points which may help in scope entities with out a CISO, particularly small and mid sized firms. We don't recommend you wait until the regulation kicks in!
We're an SMB does this matter to me?.. Yes, if you are a:
- Broker Adjuster
I only care about my actual customers, right?
The Model Law will apply whenever a licensee has personal information, regardless of whether the licensee is in a contractual relationship with the individual to which the personal information belongs. The covered individuals may include previous applicants, policyholders, insureds, beneficiaries, claimants, certificate holders and “others whose personal information is in a licensee’s possession, custody or control.
Can i get my IT team to manage this?The draft Model Law continues to provide that a licensee’s information security program shall be appropriate to the size and complexity of the licensee. Which means that “[t]he licensee shall document, on an ongoing basis, compliance with its information security program,”. If this is something that you think you're IT team can manage then absolutely! You can get them to check out our free resources!
Individualized risk management framework
The draft Model Law no longer requires a licensee to use the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (NIST Framework) as a guide when designing its information security program. "Great", we hear you say! But consider that some organizations will use NIST, others ISO or PCI. While the Model Law now requires each licensee to design its information security program based on generally accepted cybersecurity principles a single unified framework which considers all applicable regaulations and standards should be implemented.
What about Encryption?
The the Model Law is now to “encrypt all personal information while being transmitted on a public internet network or wirelessly and all personal information stored on a laptop computer or other portable computing or storage device or media”. Its not acceptable to say you do it, it must be in a licensee’s information security program. Before you scramble to call your IT guy, vendor etc. make sure you know where the in scope data is and be able to track it through it's lifecycle.
Who performs the oversight?
Organizations have historically deemed security to be a technology problem and left it in IT's hands. The Target breach showed us the impact to non-technical executives following the breach. The draft Model Law now requires a written annual report from the licensee’s executive management on its security program and compliance with the Model Law. While the Model Law does not specify to whom the report must be provided we can assume these will be investors, the regulators, interested 3rd parties, insurance companies?Previously the Model Law required a licensee’s board of directors to approve the licensee’s written information security program and to oversee the development, implementation, and maintenance of the licensee’s information security program. The question remains, who will do this now? The scope of the task will be beyond most non-technical executives, having the CIO or CTO perform the role may be a conflict of interest and hiring a dedicated internal Chief Information Security Officer (CISO) may be overkill, and expensive.
What about my 3rd Parties?
Previously there we a number of stipulations, these have been replaced with a general section that requires licensees to “contract only with third-party service providers that are capable of maintaining appropriate safeguards for personal information” and holds a licensee responsible for any failure by a third-party service provider to protect personal information provided by a licensee to the third-party service provider. Again, before raiding the contracts file make sure you know what is required from the program, and therefore the Information Security Policy!
What happens if I am breached?
There have been a number of changes made to the definitions, which we would suggest Insurance company CISO's & counsel review. In the current draft Model Law, a licensee must provide notification of a breach if the licensee determines that an unauthorized acquisition of personal information listed in all of the remaining portions of the definition of “personal information” involved in a data breach has occurred. It mandates licensees to notify the commissioner no later than three business days, rather than five calendar days, after determining that a breach had occurred and requires as much of the information “as possible” in the initial notice and imposes as a continuing obligation to update and supplement the initial and subsequent notices. If you have Cyber Insurance make sure it has the coverage you need!
We know from a recent Fire eye/ Mandiant report that the internal discovery of a breach takes almost 60 days, if they are monitoring at all. Smaller organizations should, if they aren't already assess their capability to be notified of a breach whether it was on premise, in the cloud or some hybrid of the two.
What do i need to do if my company is breached?
We've all recieved the, "At xyz corp we take the security of your information seriously, but in this instance blah blah blah" letters. During a breach scenario crisis management / PR firms will guide the breached organization through the all to familiar process. For licencees the "stock" letter may not be mandated but only incorporated a credit freeze for all impacted consumers with the caveate that the commissioner has the authority to order identity theft protection and “take other action deemed necessary to protect consumers.” We often review cyber insurance application forms and our biggest observation is the number of records an organization believes it has. Note: With the Model law the in scope consumers are current or previous consumers whether contractual or not. With Ponemon estimating the cost of a breach at $158 per record having an inaccurate number of records could turn out to be quite expensive.
Nothing has happened (yet), I'll wait it out..The Model law removed specific penalties for violations and reference is now made to the enacting state’s general penalty statute. Details of the various states penalites should be reviewed by business owners and considered during the implementation of the information security program. Licencees should know to consider the in scope states, not just the state in which it resides or operates.
While there are certainly some key concerns which remain unresolved, we think that business leaders at insurance companies should begin to get their ducks in a row. Being a small firm ourself this doesn't mean spending lots of money on technology or solutions. It begins with a conversation and a simple diagnostic. An insurance CFO once told me that, "he didn't like surprises!" How about using our Free Self Assessment Tool to understand where your organization is and go from there?