NAIC data security model law a mixed bag for insurersReprints
The National Association of Insurance Commissioners’ Insurance Data Security Model Law will promote more rigorous cyber risk management practices in the U.S. insurance market but also add to insurers’ compliance costs and penalty risks, according to Fitch Ratings Inc.
The model law, adopted last week by NAIC’s Cybersecurity Working Group and Innovation and Technology task force, creates data security standards for insurers, including overseeing third-party service providers, investigating data breaches and providing requirements for notifying consumers and regulators. The model will advance to the NAIC’s Executive Committee and Plenary during the NAIC Fall 2017 National Meeting in December.
“The model law is credit neutral for the U.S. insurance sector,” the New York-based ratings agency said in a statement Wednesday. “It is largely complementary to other federal and state regulations for cyber security, including the New York Department of Financial Services cyber security regulations from March 1, 2017, which apply to more than 3,000 financial service firms doing business in New York state. Application of the model law will require state-by-state approval, which will take considerable time, and some individual states may adopt their own approaches to regulating insurers’ cyber security.”
The insurers rated by Fitch have largely enhanced their data protection and network security practices in response to the cyber threat but face challenges in keeping pace with technological change and the resourcefulness of computer hackers, according to the ratings agency.
The NAIC’s framework establishes industry standards for data security that will apply to a broad range of parties, including insurance companies, agents, and brokers. Organizations will be required to have a written information security program for protecting sensitive data, including incident response and data recovery plans to demonstrate their preparedness for cyber events.
Companies will have to certify compliance annually to their state insurance commissioner and give notification of data breaches within 72 hours. The model law will also motivate insurers to incorporate cybersecurity into their overall enterprise risk management and corporate governance practices, according to Fitch. Key provisions include minimum practices of board and senior management reporting and oversight of information security practices, and monitoring of third-party service provider arrangements and the outcome of cybersecurity events.
Fitch predicted the greatest impact of the model law’s requirements would be on smaller insurers and distributors, which may need to allocate significant new resources and bear significant costs to meet the requirements of the model law.
Demand for cyber liability insurance could expand for covered entities, according to Fitch.
“Cyber insurance has been a profitable business line for a number of specialist underwriters,” the agency said. “However, as an emerging peril with limited historical loss data for pricing purposes, untested and varying policy language and terms and challenges in quantifying risk aggregations and catastrophe loss potential, it presents considerable uncertainty for insurers.”