A revised Data Security Model Law has passed a National Association of Insurance Commissioners (NAIC) cyber-security panel prior to further review and approval at the NAIC Task Force and Executive Committee levels. The model law will require all applicable entities licensed under state insurance laws to implement an information security program. The most recent version includes the following revisions:
- The entities covered under the model act now include foreign assuming insurers domiciled and licensed in a foreign state.
- The adequacy of an information security program will no longer be based upon the size and complexity of a covered entity’s activities, nor on the sensitivity of the nonpublic information at issue.
- Covered entities must require all third-party service providers to implement appropriate measures to secure the information accessible to, or held by, those service providers.
- Insurers domiciled in an adopting state are now required to submit annual statements certifying compliance with the act. The previous version required statements only upon the commissioner’s request.
- The triggers for notifying the commissioner of a cybersecurity event or breach have been broadened.

Westmont Associates, Inc. tracks developments affecting the insurance industry, in addition to our other services. If you have any questions, please contact us.