INSURANCE IS STILL STRUGGLING TO ESTABLISH INDUSTRY-WIDE CYBERSECURITY STANDARDS

Earlier this summer, I shared with you the top cybersecurity use cases insurers must address as well as steps the National Association of Insurance Commissioners (NAIC) were taking to standardize data security standards throughout the United States.  

Insurers are facing a difficult business environment. With low interest rates wreaking havoc on centuries-old business models, many are looking for ways to reinvent themselves. A key way they can accomplish this is through the massive amount of data at their fingertips – including medical files for underwriting; financial account information; real-time information about a consumer’s physical state of being; telematics of how and where consumers are driving; and “fullz” (date of birth, social security number, and bank account information) 

While this data could help insurers evolve, it also provides a prime opportunity for hackers to sell this information on the darknet. The problem the insurance industry has is there is no single cybersecurity standard by which they must abide. They must satisfy state-specific laws as well as nationwide privacy and regulatory compliance policies such as HIPAA.  

The NAIC recently revised its original draft model law for cybersecurity, which was open for public comment until September 16. Its purpose and intent was to establish industry-wide insurer standards for data security, investigation, and breach notification. 

There were five important changes to the latest version of the model law, including: 

  1. Recognition that encryption is a key part of any cybersecurity strategy: There is a “liability carve-out” for insurers who have employed adequate encryption of data. If hackers penetrate their systems and take data, it would not constitute a “data breach” under the terms of the model law.  
  2. Clarity on what “harm or inconvenience” to consumers constitutes: In order to avoid vague class-action suits, the model law defines harm or inconvenience to include identity theft as well as fraudulent transactions on financial accounts rendered unusable, unreadable, or indecipherable 
  3. Flexibility for regulators to assess insurers’ specific cybersecurity needs: Not all insurers are created equal. Some are much larger than others, and many specialize in a specific service (e.g. health, life, property and casualty). The revised model provides regulators with flexibility in examining insurers and their cybersecurity programs depending on the size, complexity, scope, and sensitivity of the personal information they store.  
  4. Greater emphasis on what must happen after a data breachThe revised model scrapped an old section that detailed duties of insurers before a data breach occurred, which included duties to notify policyholders of the types of information collected and stored. The latest draft places much greater emphasis on the duties and requirements in notifying vendors, regulators, and consumers after a data breach occurs 
  5. Increased power to regulators enforcing cybersecurity provisions: The original model law detailed specific penalties, judicial review, and individual remedies. In an attempt to not handcuff regulators from penalizing insurers who fail to meet a reasonable cybersecurity standard, the new model disavows any private right of action and made enforcement actions permissive and within the discretion of the commissioner of the NAIC.  

Amidst all these changes, the one section of the original model law concerning insurers most did not change. The first draft stated it did not supersede other state notification laws already in place for a data breach. The revised model law still maintains notification requirements from states supersede the NAIC model law. The result? Insurers have two sets of 50 different standards they need to address.  

It is great news that the NAIC is placing greater emphasis and effort on cybersecurity for the insurance industry. However, there are still many issues with insurers having to build a right-sized policy satisfying the specific laws of each state in which they operate as well as all nationwide privacy and compliance laws.  

We can help. Be it life and annuity, health, or property and casualty insurers, US Cyber Vault’s team of cybersecurity experts will work with you to craft and execute the assessment, design, and enhancement of your compliance program and regulatory compliance needs. Contact us today for a free proof of concept 

Written by Rob LaMear, CEO, US Cyber Vault

Once a month we share where we will be speaking in the world as well as expert opinions on cyber security, data loss prevention, and information security that we like from the larger community.  Receive our next issue by signing up here.