BI’s Article search uses Boolean search capabilities. If you are not familiar with these principles, here are some quick tips.

To search specifically for more than one word, put the search term in quotation marks. For example, “workers compensation”. This will limit your search to that combination of words.

To search for a combination of terms, use quotations and the & symbol. For example, “hurricane” & “loss”.

Login Register Subscribe

NAIC cyber security model law hews to New York state's standard


The National Association of Insurance Commissioners is moving closer to adopting an Insurance Data Security Model Law that closely follows New York’s cyber security regulation, which took effect in March.

The model law, the sixth version of which was adopted by the Cybersecurity Working Group and Innovation and

Technology task force at the NAIC’s summer meeting in Philadelphia in August, establishes industry standards for data security that will apply to a broad range of parties, including insurers, agents and brokers.

Organizations will be required to have a written information security program for protecting sensitive data, including incident response and data recovery plans to demonstrate their preparedness for cyber events. Companies will have to certify compliance annually to their state insurance commissioners and notify commissioners of data breaches within 72 hours of a cyber security event.

The American Insurance Association was pleased the adopted model law is risk-based and consistent with New York’s cyber security law, said Angela Gleason, AIA’s senior counsel in Washington.

“A lot of companies are already implementing New York, and to have to do something that is different is just not good for consumers or licensees,” she said.

The biggest change was the removal of consumer notification elements featured in previous versions, Ms. Gleason said.

Ceding insurers with a direct contractual relationship with affected consumers shall fulfill the consumer notification requirements imposed under a state’s breach notification law, according to the adopted version.

The model law will advance to the NAIC’s Executive Committee and Plenary during its Fall 2017 National Meeting in December, with adoption likely despite the objections of states such as Utah.

NAIC adoption would be followed by consideration by state legislatures, which would “look remiss if they didn’t address” the cyber threat, said Jean Connolly, Cleveland-based managing director of PricewaterhouseCooper L.L.P.’s national professional services group. “I just think this one has more forward momentum than lots of other model laws that some might say are just more regulation.” 



Read Next

  • Internet of things creates web of hacker risks

    While the internet of things was intended to make life easier by connecting everyday objects to the internet, enabling them to send and receive data, experts warn that it is also giving new opportunities to hackers.