ILSA’s General Manager, Russ Foster, and I recently appeared on Spot On Insurance’s webinar series, Compliance Conversations, to discuss cybersecurity regulation for the insurance industry.
During that episode, we shared a number of helpful resources. We also wanted to make those resources available for those of you who couldn’t join us for the live webinar.
Cybersecurity Regulation Today
As we shared in the webinar, cybersecurity (other than our own) first drew our attention in 2016. That’s when New York began to finalize its landmark regulation for the insurance industry. Of course, 23 NYCRR 500 certainly wasn’t the first cybersecurity law to impact the insurance industry. But it did take regulation to a new level by requiring certification of compliance from “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.”
As the deadline for initial exemption requests approached, our team spent a lot of time answering questions. Did someone qualify for an exemption? How did they file for an exemption and later, certify their compliance? What exactly did New York require in a cybersecurity program? We certainly learned a lot in those hectic days!
New York’s law took effect in March 2017. By October of that year, the NAIC published its own Model Law for cybersecurity. I wasn’t alone in proclaiming 2018 the Year of Cybersecurity Regulation.
It’s Not Just for New York Anymore
To date, eight states have adopted the NAIC Model Regulation. Following New York’s example, most of them are gradually implementing their regulations over several years.
The good news for licensees (other than domestic insurers) is that these states, unlike New York, do not require individual producers and agencies to file for exemptions or to certify compliance annually.
This does not mean, however, that you can put cybersecurity on the back burner. Data breaches still need to be reported in a timely manner — the exact time frame varies from state to state. Plans must be reviewed and updated to reflect current threats on a regular basis. Additionally, employees must receive regular training to promote cyber awareness and reinforce best practices. Executive management also must document actions taken to ensure cybersecurity and be prepared to produce these records for state review at any time.
I mention domestic insurers because most of these states do require them to file a Certification of Compliance annually. The consensus due date appears to be February 15.
Help for Compliance
To assist licensees in meeting these new requirements, many states have created Cybersecurity Resource Centers on their websites. These sites offer, for example, links to forms, information about upcoming deadlines, and regularly updated FAQs. And based on our experience with New York, you can expect the information included on these sites to increase over time. After all, regulators need to become comfortable with new processes themselves and learn which tasks prompt questions from licensees.
To visit these sites, click on the state name below. Some states, especially those whose implementation dates are yet to arrive, have not set up Resource Centers yet. So for these states, I’ve linked to the text of their cybersecurity regulation.
Looking for additional help? Firstly, be sure to visit ILSA’s Cybersecurity Page to learn more about this important topic. (For example, there’s a video that explains the difference between cybersecurity and data privacy regulation.)
You can also read the following articles:
- How to Develop a Cybersecurity Program
- Not Me! Exemptions & New York’s Cybersecurity Regulation
- Data Security: Protecting Your Systems from Internal Threats
- Protecting Your Systems from Internal Threats, Part 2
- What Does a Cyberattack (Really) Cost
- 10 Tips for Securing Your Small Agency
Finally, ILSA collaborates with Renaissance Systems, Inc. (RSI) to offer a full range of cybersecurity solutions.