The past five years have seen a massive acceleration in the amounts of data being generated, processed and stored in virtually every industry, including insurance. As with most industries, insurance data increasingly resides in flexible networks, utilizing, for example, virtual machine storage, which allows for increased accessibility by support staff and consumers. While doubtlessly providing benefits for insurance companies and producers on an operational level, such flexibility comes at a price, as such practices also expose data to increased security threats. It should therefore come as no surprise that there has been a growing trend of increasingly sophisticated cyberattacks which have, in many ways, outpaced current data security technology. In recent years, major financial institutions and retailers have all been the unfortunate victims of such cyberattacks – and the insurance sector has been by no means immune from this trend, with large scale attacks against large health insurers being perhaps the most visible data breaches in the insurance sector.
The consequences of data breaches are particularly pronounced in the insurance industry, where insurers and insurance producers are custodians of highly sensitive information, including personal financial and health information obtained as part of their services to consumers. It is no exaggeration to conclude that developing a coherent cybersecurity strategy is one of the most important challenges facing insurance industry participants today.
In the United States, the business of insurance is regulated primarily at the state level, which means that industry participants who operate on a nationwide basis need to comply with the regulatory requirements of each of the 50 states and the District of Columbia. Among state insurance regulators, the New York Department of Financial Services has been notable for issuing a wide-ranging cybersecurity regulation which impose strict data security requirements on participants in the New York insurance market.
On the national level, concerns about cybersecurity have received significant attention. In February 2014, the Department of Commerce's National Institute of Science and Technology (NIST) issued a framework to guide cybersecurity improvements for critical infrastructure. The framework sets out standards, guidelines and practices to structure effective ways of managing cyber risks.
Subsequent to the NIST initiative, the National Association of Insurance Commissioners (NAIC) acted in a similar vein in April 2015, adopting twelve principles for effective cybersecurity, to provide a foundational tool for state insurance regulators to develop their own guidance for protection of their respective insurance sector's data security and infrastructure.
In October 2017, the NAIC went a step further and adopted an Insurance Data Security Model Law. The model law is a major initiative by the NAIC to respond to public concerns of the inadequacy of current cybersecurity regulation and legislation to combat the various risks presented by cyberattack. The NAIC model law establishes a legal framework for requiring insurers and insurance producers to operate complete cybersecurity programs, including planned cybersecurity testing and upper management involvement in the information security program, as well as incident response plans and specific breach notification procedures. Although it is only a model law (and, consequently, not enforceable unless and until it is approved and adopted by individual states), the NAIC has an aggressive goal of encouraging legislatures or regulatory bodies to adopt the model law, with as few changes as possible, in a majority of states within three years. Additionally, once a particular state adopts the model law, insurers in such state will only have one year to comply with most of the model law's requirements. The NAIC model law, while similar in many respects to the New York cybersecurity regulation, also includes additional guidelines, including with respect to board involvement in a company's information security program and detailed event reporting requirements. On May 3, 2018, South Carolina became the first state to enact the NAIC model law and legislation to enact the model law was introduced earlier this year in Rhode Island but has not yet passed. We expect to see similar bills to enact the model law introduced in additional states in 2019.
The NAIC's Insurance Data Security Model Law has been well received at the federal level, with the Department of the Treasury, in its October 2017 Report on Asset Management and Insurance, openly endorsing the model law and recommending that Congress consider adopting federal legislation that would preempt state law if the model law is not adopted within 5 years. Accordingly, one can expect that the topic of cybersecurity will remain a crucial topic for the insurance sector in the years to come.
1 Larry Hamilton leads Mayer Brown's US insurance regulatory practice within the Insurance Industry group. He advises insurance companies, insurance agencies and investment companies on a broad range of regulatory matters, including those associated with formation, licensing, portfolio investments, reinsurance, e-commerce, cybersecurity and outsourcing. He is also a member of Mayer Brown's Cybersecurity & Data Privacy practice. Sanjiv Tata is an associate in Mayer Brown's New York office and a member of the Corporate & Securities practice, specializing in insurance regulatory work. Sanjiv advises insurance companies, insurance intermediaries and investment companies with respect to a broad range of insurance regulatory and corporate matters, including formation and licensing of insurance companies, mergers and acquisitions of insurance companies, reinsurance transactions, and enforcement, corporate governance, cybersecurity, enterprise risk and general compliance matters.
Visit us at mayerbrown.com
Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.
© Copyright 2018. The Mayer Brown Practices. All rights reserved.
This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.