As indicated above, the Model Law applies to “licensees,” which include any individual or entity (other than nongovernment agencies) operating, or required to operate, under a license, registration, or other authorization under the insurance laws of a state. Excluded from that definition are purchasing groups and risk retention groups chartered and licensed in another state as well as assuming insurers domiciled in another jurisdiction. The Model Law establishes a framework for licensees to protect the security of nonpublic information and information systems through the development of information security programs based on the insurer’s risk assessment. The information security program must be designed to mitigate identified risk and must include administrative, technical, and physical safeguards for the protection of nonpublic information and information systems.
The Model Law also requires that the board of directors or a board committee is responsible for the development, implementation, and maintenance of the information security program. Moreover, the board or committee must prepare a written report, at least annually, summarizing the overall status of the information security program, the insurer’s compliance with the Model Law, and other material matters, including cybersecurity events, violations of the information security program, and recommendations for changes. This requirement is significant because it creates affirmative obligations for the board and makes the board responsible for cybersecurity from a governance perspective.
As with other NAIC model laws, the Model Law will have a significant impact on the manner in which states regulate matters related to its subject matter, regardless of whether states fully implement all of its requirements. Although most states have yet to adopt the Model Law, many experts believe it eventually will become the law in the majority of United States jurisdictions. Insurance company boards should not wait until the Model Law is adopted in their backyards, but should instead immediately begin overseeing the development of information security programs by their organizations and ensure that they comply with the Model Act’s requirements now.
The South Carolina Data Security Act
South Carolina became the first state to adopt the Model Law in May of 2018. The South Carolina Data Security Act (the South Carolina Act) became effective January 1, 2019 and is nearly identical to the Model Law. Like the Model Law, the South Carolina Act requires that licensed insurers implement a comprehensive written information security program based on self-conducted, mandatory risk assessment. Insurers licensed in South Carolina must submit an annual statement to the Director certifying they are in compliance with the Act and also establish incident response plans and comply with certain reporting and response requirements in the event of a cybersecurity event. Importantly, the South Carolina Act establishes minimum requirements for a licensee’s board of directors regarding the board’s oversight of the licensee’s information security program.
As part of the risk management process required by the South Carolina Act, insurers must evaluate whether to implement certain security measures, including implementing authentication protocols and access controls on the company’s information systems, restricting access of nonpublic information, encryption of information, and conducting regular testing of its cybersecurity systems to identify actual and attempted attacks or intrusions.
Like the Model Act, the South Carolina Act differs to some extent from the New York Cybersecurity Regulations. However, unlike the Model Act, the South Carolina Cyber Act did not include the NAIC drafter’s note related to compliance with the New York Cybersecurity Regulation. Indeed, it is unclear whether South Carolina will consider companies that are compliant with the New York Cyber Regulation to be compliant with the South Carolina Cyber Act. Thus, even companies that are already in compliance with the New York Cybersecurity Regulation must closely monitor developments related to the South Carolina Act if they are currently doing business in South Carolina, or wish to do business there in the future.
Rather than being compelled to act through regulatory action or litigation, boards should be proactive and create company-wide cybersecurity protocols that regularly test the company’s cybersecurity systems, train its employees in cyber risk management, establish a data breach response and reporting plan, and manage relationships with third-party service providers. Implementing important corporate governance mechanisms aimed at securing the company’s data management and IT systems will help the board mitigate cyber risk and potential liability. Importantly, maintaining oversight over a robust cybersecurity program can help achieve a culture of compliance in light of new and evolving regulatory requirements.
Cybersecurity will continue to be a major issue affecting all companies, but it is a particular concern for companies like insurers that collect and store massive amounts of sensitive policyholder data. Insurance company directors may be exposed to legal liability if they fail to implement and oversee cybersecurity protocols in their respective organizations. Policyholders and shareholders who have been injured as a result of breaches will seek to hold the board responsible for the breaches. Regulators will continue to take action against companies that do not adequately protect their consumer data. Regulators will also continue to create regulations imposing cybersecurity requirements on directors and their companies. Effective corporate governance is the key to ensuring compliance with those regulations, satisfying the board’s duty of care, and avoiding the severe consequences of a data breach.
This article first appeared in the Winter 2019 issue of The Demotech Difference, a publication of Demotech, Inc., www.demotech.com.