NAIC Model Law for cybersecurity gives insurers room to interpret

With cybersecurity becoming a top-level priority for insurance companies entering 2018, the National Association of Insurance Commissioners on Oct. 24 adopted a model law that lays out a defined set of terms and requirements for the insurance industry.

The model law provides a recommended framework for states at a time when high-profile data breaches, like those at Equifax and Anthem, threaten consumer confidence. It’s largely based on similar rules implemented by the New York Department of Financial Services earlier this year. However, it’s not a carbon copy, lawyers from Mayer Brown said on a web conference Thursday.

“The model law is similar in many respects to the one issued earlier this year by the New York DFS,” says Lawrence Hamilton, partner for the law firm and leader of its insurance regulatory practice. “However, the model law pertains solely to insurance licensees as opposed to the New York law, which also covers other financial institutions.”

One of the key differences is who qualifies as an insurance licensee: the model law includes more agents and brokers than the New York regulations. Other areas of divergence include the definition of “non-public information,” with the NAIC’s version including certain business information in addition to customer information. In addition, the model law doesn’t require disclosure of unsuccessful hacking attempts. However, the lawyers noted that the model law is still subject to editing by states that choose to pass it.

Jeff Taft, a Mayer Brown partner who focuses on cyber issues, said on the call that with states looking to get more involved with data security issues, insurers are wise to start preparing now. The model law isn’t as prescriptive as the New York regulation, he noted, but that’s a double-edged sword. On one side, it’s good that insurers will have some flexibility in how they choose to comply.

“But, this is likely to raise interpretive questions as states observe the model law,” he says. “We saw in NY that people were [at first] complaining that the law was too prescriptive, but as New York toned down the prescription, people were kind of clamoring at times” for more guidance.
