Are You Ready to Take on the NAIC’s New Rules?
By Sam Abadir, Lockpath
For security and compliance professionals, the announcement of new regulatory standards can be a stark reminder that the to-do list is long and the day is short. But organizations that employ careful preparation and concerted, coordinated efforts through mature governance, risk management, and compliance (GRC) processes face new rules and standards with confidence and ease. To that point, did you feel composed or panicked when you heard about the new cybersecurity rules for the insurance industry?
After many iterations and comment periods, the National Association of Insurance Commissioners (NAIC) announced the adoption of the Insurance Data Security Model Law in October 2017. The model law, which encompasses rules for licensed entities about data security and data breach investigations and notifications, establishes more rigorous guidelines for the insurance industry. It shares many similarities with the New York State Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies, currently considered to be the highest bar and a best practice, so the NAIC’s model law is likely to be adopted by many states as the governing standard. In fact, the NAIC largely used the NYDFS law as the basis for the creation of its new model law. The NAIC even indicated in a drafting note that compliance with the NYDFS law should mean compliance with the NAIC Model Law. So, companies that are already compliant with the New York law are sitting pretty if they have mature processes in place that allow them to perform a gap analysis to identify any small differences in the laws that would affect their compliance.
The NAIC’s adopted rules specify that information security programs should be based on “an ongoing risk assessment, overseeing third-party service providers, investigating data breaches, and notifying regulators of a cybersecurity event.” In particular, take a close look at “Section 4. Information Security Program,” which makes up the bulk of the law. This section details implementing a program and requirements for assessments, reporting, audits, policies, and procedures. It sounds straightforward on the surface, but grows in complexity the more you read. Licensed entities need to not only identify internal and external threats, but also assess the potential damage and take proactive, concrete steps to manage the threats.
Another noteworthy challenge can be found in “Section 6. Notification of a Cybersecurity Event,” which outlines the model law’s breach notification rule. The notification window is 72 hours from the determination of a cyber event. In other words, if a policyholder is harmed and you just learned about it, the clock is already ticking.
Why We Are Here
The insurance industry has unique challenges around internal risk, third parties, and intricately collaborative processes. Many entities and individuals are involved in a single claim—brokers, dealers, agents, actuaries, adjustors, and claims processors. This creates more room for error, more potential gaps in security coverage, and more difficulty managing contributors. Comprehensive procedures supported by GRC and integrated risk management technology solutions will help weave a tighter web.
The NAIC’s Model Law applies to licensees and their efforts to protect nonpublic information. The law calls for more accountability when it comes to protecting data, as each insurer must submit an annual statement by February 15 certifying compliance with “Section 4. Information Security Program,” or identifying areas that need improvement, as well as remediation plans.
With this model law, the NAIC is following a larger trend of laws that seek to better protect consumer data. New York, Connecticut, Colorado, Vermont, and, of course, the European Union with GDPR, have all been at the forefront of this trend; the NAIC is the latest to join it.
Achieving compliance with the NAIC’s law through mature GRC processes will likely make insurers’ lives easier in the future, as more cybersecurity compliance requirements are sure to arise.
Define Business Processes
When faced with a new set of regulations, and in turn, the need for a new or revised set of information security and GRC-related processes, it helps to take a step back and assess the business context. Where does nonpublic information reside in your organization? In which systems? Data and technology assets should be inventoried; you can’t protect the information if you don’t know where it is. Map your business processes: identify interactions, deliverables, and parties involved. Define roles and responsibilities, as well as mechanisms to ensure they are adhered to.
Integrated risk management and GRC platforms go a long way towards enabling greater visibility and interdepartmental efforts. Security programs are always stronger when stakeholders from across the enterprise are held accountable and accurate data is available to all relevant parties. Nearly every enterprise effort, from marketing to billing, carries security implications. Make sure you understand how each will impact data security obligations.
Focus on Third Parties
As is the case with many of the major cybersecurity and data privacy rules (e.g., HIPAA, NYDFS, GDPR), the NAIC’s model law gives special attention to required oversight of third-party providers. Licensed entities are responsible for ensuring that third parties implement administrative, technical, and physical measures to protect and secure the information systems and nonpublic information they hold or have access to.
To meet these requirements, licensed entities must conduct assessments to ensure third parties are following security, privacy, and notification guidelines. “Section 4. C. Risk Assessment” stipulates identifying threats by means of an ongoing assessment and an annual review of systems, controls, processes, and procedures.
Developing a comprehensive and streamlined system for vendor risk management is an increasingly critical component of both security and compliance programs, especially for large enterprises and those with complex partnership and outsourcing structures.
Incident Response
The NAIC’s model law also specifies requirements for incident investigations and mandates that breaches are reported to the commissioner within 72 hours. In this notification, insurers will have to provide as much information as possible, including the date of the breach, how the information was exposed, the types of information exposed, the period during which the system was compromised, planned remediation efforts, a copy of the company’s privacy policy, and more. Additionally, licensees must notify consumers of the breach as their state’s data breach notification law requires.
It will be nearly impossible to meet these demands if your security information is outdated, incomplete, or difficult to pull together. Prompt incident response can have a significant effect on outcomes. If you can quickly coordinate clear, accurate communications to regulators, third parties, and customers about a breach or cyber attack, you can contain reputational damage, protect end-users, and prove negligence was not a factor.
A Proactive Security Culture Pays Dividends
Virtually every company will be hit by a breach or cyber attack at some point. Those organizations that have done their due diligence — meeting standards, hardening their systems and applications, training employees, closely managing vendors, keeping tabs on cyber risks — will be better prepared to prevent or at least minimize the damage of a cyberattack. In this way, those that have prioritized, integrated, and systematized GRC processes across the enterprise can gain a competitive edge.
All parts of your business will benefit from the powerful combination of integrated risk management technology and a corporate culture that values data security. Not only will your organization be prepared to contain breach damage and adapt quickly to new regulations — key strengths like resilience, agility, and IT maturity will take root. Through a deliberate, centralized approach to security and risk management, your organization can reduce compliance costs, return focus to strategic planning, maintain trust in key relationships, and be ready to act quickly when opportunity knocks.
Be Prepared, Stay Prepared
While some of the specific requirements of the NAIC’s new model law might cause alarm, most insurance businesses already have well-defined processes and controls. The need to keep sensitive customer data secure and private isn’t new, and high profile data breaches (e.g., Equifax, Anthem, Aetna) keep a spotlight on the consequences of failing to do so.
Licensed entities are most likely to be challenged by the outer ends of the integrated risk management spectrum: the granular details of controls, policies, and procedures on one end, and the development of a sustainable security culture on the other. Both can be enhanced and reinforced through an enterprise-wide, technology-driven approach to GRC efforts.
By implementing a centralized integrated risk management platform, insurance organizations can move away from fragmented manual processes (spreadsheets and email) and towards higher degrees of automation and analytics.
The difficulty of meeting NAIC’s requirements depends on the maturity of the organization’s security and compliance program. Companies that are already using an integrated risk management platform will easily be able to identify the gaps in compliance and efficiently make needed changes to achieve compliance. Those who do not have mature programs in place will have a longer path ahead, from reviewing the requirements and identifying compliance gaps to the challenging goal of creating a culture of security.
No matter where they are on this journey, all companies will benefit from responding to this wake-up call by working to achieve higher levels of efficiency, visibility, and control.
Sam Abadir is the Vice President of Industry Solutions at Lockpath, a provider of compliance and risk management software.