TUCSON, Ariz. — Captive stakeholders are concerned about cybersecurity requirements featured in the National Association of Insurance Commissioners’ model law being adopted in several states, regulators say.

In 2017, the NAIC adopted the Insurance Data Security Model Law that created rules for insurers, agents and other licensed entities covering data security, investigation and notification of breach, including maintaining an information security program based on ongoing risk assessments?, overseeing third-party service providers, investigating data breaches and notifying regulators of a cybersecurity event.

“I think for our commercial companies, everyone’s expectation is that it’s certainly the right thing to do or reasonable,” Dana Sheppard, acting deputy commissioner for market compliance and associate commissioner of the District of Columbia Department of Insurance, Securities and Banking in Washington, said at the Captive Insurance Companies Association conference in Tucson, Arizona, on Tuesday. “However, what I’ve heard informally from our captive people, they’re pretty much opposed to having the cybersecurity law apply to captives.”

“Many captives have personally identifiable information like workers comp and other types of information that you wouldn’t want to get out to the public,” he continued. “I’m interested in hearing why people would not want some sort of data security requirements for captives.”

When Vermont regulators discuss cybersecurity with captive owners, many will point to the fact that they are already certified as compliant with other cyber regulations or laws such as the Health Insurance Portability and Accountability Act, said David Provost, deputy commissioner for captive insurance with the Vermont Department of Financial Regulation in Montpelier.

“I’d be fine with including in the law that there be an alternate choice,” he said. But the model law “goes a lot further when you start having to worry about your service providers. That’s where a lot of people have difficulty. ‘We get what we’re doing, but how do we assess what our service providers are doing?’”

“Well, if your service provider has confidential information, you should make sure they have the means to protect it as well,” Mr. Sheppard said. “It’s impossible to prevent all sorts of hacking, but you should take reasonable measures.”

New York adopted a cyber security regulation, portions of which applied to captives, said Nancy Gray, regional managing director of the Americas at Aon Captive Insurance Management in Burlington, Vermont.

“It wasn’t problematic for large corporations,” she said. “They already have a lot of the requirements in place at their corporate level, especially for the large captive managers. We at Aon have our own policies around cybersecurity, so adopting and following such a law doesn’t become a problem. I think it becomes maybe a little bit more onerous for smaller captive managers or smaller captive corporations or owners.”

But the counterpoint to that is that most breaches occur through smaller vendors, Mr. Provost said, noting that the Target cyber breach emanated from the hacking of an HVAC vendor.

Risk retention group concerns

In other regulatory hot topics, the stability of risk retention groups was discussed in the context of the unfolding situation with Spirit Commercial Auto Risk Retention Group Inc. of Las Vegas. On Feb. 27, 2019, the 8th Judicial District Court of Nevada in Clark County entered a permanent injunction and order putting the RRG into receivership because Spirit was insolvent.

“We don’t want insolvencies, especially with RRGs,” Mr. Provost said. “Every RRG insolvency is another black eye on industry, according to the traditional regulators. We really try to work with companies to identify issues early on and fix them if we can. If we can’t, the regulators’ job is to pull the plug at some point.”

The NAIC has been “pretty quiet” on the RRG front, but these types of situations open the door for the organization to revive its working group or task force, and “before you know it, they’re looking at changing the way RRGs operate and they’ve even looked into non-RRG captives in the not-too-distant past,” Mr. Sheppard said. “Anything is fair game for the NAIC if we don’t do a good job.”

Cannabis and captives

In 2018, the NAIC established a cannabis insurance working group, led by former California Insurance Commissioner Dave Jones, to understand the coverage gaps for the legalized cannabis industry and develop and share best practices to address those gaps, and to produce a white paper outlining the issues and making recommendations for the potential development of regulatory guidance this year.

“I don’t think it will have a lot of substance,” Mr. Sheppard said, noting that the big issue is the reluctance of the banking sector to engage with cannabis businesses given its illegality at the federal level, which the white paper won’t be able to address. “I don’t see the NAIC making any really significant contribution to this issue.”

Vermont and the District of Columbia have yet to license captives to cover cannabis risks, but both regulators expressed a willingness to do so.

While Mr. Sheppard said cannabis is “perfect” for a captive solution, D.C. regulators are “a little hesitant,” he said, because the district falls under federal government oversight.

Aon is working with a few clients to seek coverage options for cannabis risks, which the brokerage had been prohibited from doing previously, but if it does proceed with a cannabis captive solution, it will probably be offshore, Ms. Gray said.

And if marijuana is ever legalized at the federal level, captives would only have a short window before the traditional market steps in, Mr. Provost said.

Premium tax woes

Meanwhile, Washington state’s pursuit of out-of-state captives for unpaid premium taxes has caused an uproar in the captive community and raised concerns that other states will follow Washington’s lead, experts say.

Washington Insurance Commissioner Mike Kreidler announced on Dec. 10 that captive insurers that have unlawfully insured any risk in the state in the past 15 years would be able to pay a substantially reduced fine and premium tax penalty for self-reporting the activity, following a settlement with Microsoft Corp. over unpaid premium taxes for its out-of-state captive.

But the situation in Washington is unique because the state does not have a corporate income or self-procurement tax, Mr. Provost said.

“I don’t know if it’s going to bleed over into other states,” but states are constantly searching for new sources of revenue, he noted.

Washington’s move “is a big deal” because the regulators are going after captives, and companies not headquartered in the state with risk exposures in Washington “could potentially have to pay a tax there,” Ms. Gray said. “If (other states) see Washington is successful with regard to the collection of this tax, they might try to do it as well.”