In past blogs on this site or at CSOonline’s Cyber Insurance Forum, the topic of enhanced regulatory requirements for the insurance sector has been highlighted. On October 24th, 2017, the National Association of Insurance Commissioners announced the passing of its Model Law, to which all licensees will be subject. This new law essentially aligns with the State of New York’s Financial Services Cybersecurity Law to ensure each entity establishes a minimum level of cyber risk mitigation practices to protect non-public data.
So first off, what exactly is a licensee? According to the NAIC, “Licensee” means any Person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of this State but shall not include a purchasing group or a risk retention group chartered and licensed in a state other than this State or a Licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.
As of 2015, there were about 1.7 million individuals who meet this definition. While each state commissioner will still have to determine adoption timelines, it is important to note that although not every state may adopt the law, the likelihood that the majority of them will follow suit is quite high. After New York launched its requirements, the State of Colorado quickly followed, and California already had things in the works. So what does this actually mean for the industry?
Up until a few years ago, if I met with my local State Farm agent “John Smith” and completed the necessary paperwork for an auto policy, I would presume it was at the State Farm Headquarters. WRONG! In point of fact, the majority of agents have unique employment agreements, and these “agents” work from home, a strip mall site, etc. The point being that what we as consumers may imagine is in play for safeguarding our personally identifiable information is likely more consistent with the average home user... enough said. Now, that is not to say that when you complete an online policy for the big five carriers you need to worry, as they generally have fair levels of cyber defense solutions in place.
The model law requires the implementation of a formal written program in addition to having adequate technical and operational best practices to protect non-public information such as Social Security numbers, financial data, home addresses, etc. While speaking with the Independent Insurance Agents of Virginia, I was curious how many records the average small agent shop has. I was thinking hundreds? Actually, it is more like a thousand. So then it becomes a question of whether John Smith has a cyber plan in place to identify, detect, and respond to a cyber incident. What about full disk encryption or multi-factor authentication?
HEMISPHERE has designed a solution specifically to meet these new requirements, enabling these business owners to comply in the most cost-effective manner possible. For more details on our newest service offering, please click here.
For more information, please contact us at (703) 881-7785 to discuss how these new requirements will impact your operations.