Insurance Data Security Model Law

By Matt Zollinger, CPA

The purpose and intent of this Act is to establish standards for data security and standards for the investigation of and notification to the Commissioner of a Cybersecurity event.

The Act applies to insurance companies licensed, authorized, and registered under the insurance laws of the applicable State, but it does not apply to a purchasing group or risk retention group chartered and licensed in a state other than the applicable State, or to a Licensee acting as an assuming insurer that is domiciled in another state or jurisdiction.

Additional exceptions apply:

  • The Licensee has fewer than 10 employees, including independent contractors
  • The Licensee is subject to the Health Insurance Portability and Accountability Act (HIPAA), has established and maintains an information security program, is in compliance with its requirements, and submits a written statement certifying its compliance
  • The Licensee is covered under another Licensee’s Information Security Program

The following requirements apply to Licensees not covered by the above exceptions.

Requirements
Commensurate with the size and complexity of the Licensee, the Licensee shall develop, implement, and maintain a comprehensive written Information Security Program that is based on the Risk Assessment and that contains administrative, technical, and physical safeguards for the protection of Nonpublic Information and the Licensee’s Information System. The Information Security Program must contain the following:

Risk Assessment – Perform a continual risk assessment: identify reasonably foreseeable internal and external threats, assess the likelihood and potential damage of those threats, assess the policies, procedures, and information systems in place, and implement safeguards to manage the identified threats. The assessment should occur annually.

Risk Management – Design the Information Security Program to mitigate the identified risks, taking into account Third-Party Service Providers (TPAs) and the sensitivity of the information used by, or in the possession, custody, or control of, the Licensee. Include cybersecurity risks in the enterprise risk management process. Stay informed regarding new threats and vulnerabilities, and provide personnel with cybersecurity awareness training.

Oversight by Board of Directors – The Board of Directors or an appropriate committee is required to develop, implement, and maintain the Information Security Program, and to report annually in writing on the overall status of the program and any material matters relating to it.

Oversight of Third-Party Service Provider Arrangements – Due diligence is required when selecting TPAs, and each TPA is required to implement appropriate administrative, technical, and physical measures to protect and secure the Information Systems and information held by the TPA.

Program Adjustments – The Information Security Program must be continually monitored, evaluated, and adjusted for changes in technology, business operations, and the sensitive information maintained.

Incident Response Plan – A written incident response plan must be established and maintained.

Annual Certification to Commissioner – Each insurer is required to provide the Commissioner with a written statement certifying compliance annually. This is due by February 15th each year.

Investigate Cybersecurity Events
If the Licensee learns of a cybersecurity event, it is required to conduct a prompt investigation and, at a minimum:

  • Determine whether a cybersecurity event has occurred
  • Assess the nature and scope of the event
  • Identify any information that may have been involved
  • Perform or oversee reasonable measures to restore the security of the Information Systems compromised by the event, in order to prevent further unauthorized acquisition, release, or use of information in the Licensee’s possession, custody, or control

Records concerning all cybersecurity events must be maintained for a period of at least 5 years.

Notification of Cybersecurity Events
The Commissioner must be notified promptly, and no later than 72 hours after a determination that a cybersecurity event has occurred. Notification to consumers must comply with applicable State laws.

Recent Adoption of Insurance Data Security Model Law
South Carolina became the first state to adopt the NAIC Insurance Data Security Model Law on May 3, 2018. The law, the South Carolina Insurance Data Security Act, goes into effect on Jan. 1, 2019, with its compliance requirements fully enacted by July 1, 2020.

For more information about the Insurance Data Security Model Law, or about how it may or may not impact your organization, please reach out to Andrew Wan or Karsten Hatch, Audit Partners at Larson & Company.