April 23, 2019
How to Prepare for State Cyber Laws
by Matt Cullina
As more states adopt cybersecurity laws for insurers, carriers can begin to practice what they preach and get their own cybersecurity right.
Reputational risk is the biggest strategic threat facing the business world. When it comes to uncontrollable events that can affect a company’s reputation and revenue, nothing looms larger or carries a more devastating wallop than a cyber event.
It only takes a misstep on social media, an employee’s accidental email or a data breach that exposes sensitive customer information to tarnish a brand’s good name. Just ask companies like Yahoo, Equifax and Sony, which experienced high-profile breaches that severely harmed their reputations. For small to medium-size businesses, the consequences of data loss can be just as profound: More SMBs are getting hit with cyberattacks, and these events are increasingly costly and disruptive to their normal operations, according to the Ponemon Institute.
In response, a growing number of states are adopting cybersecurity laws that set data security requirements for insurers. South Carolina, Ohio and Michigan were among the first to enact such laws. Those states emulated a 2017 model law by the National Association of Insurance Commissioners (NAIC) that provided a framework for carriers, agents, brokers and their business partners covering data security, investigation and breach notification. States that are following suit include Mississippi, Connecticut and New Hampshire.
Insurers, take note: This is just the first wave. Expect other states and regions to adopt versions of this legislation. It follows a similar trend that occurred when states began writing their own laws mandating notification of affected consumers after a data breach. California enacted the first such law in 2002. In 2018, Alabama and South Dakota became the last of the 50 states and the District of Columbia to implement breach notification requirements.
The state rollout of cybersecurity regulations for the insurance industry benefits consumers by offering more protection, to be sure. But it also spells opportunity for carriers that act now, driving them to raise their level of compliance in two ways:
- Sharpening their cybersecurity expertise with best practices to share with customers, and
- Practicing what they preach by becoming model citizens, examining the cybersecurity in their own business and getting cybersecurity right.
Though each state will build its own cybersecurity rules for insurers, they are drawing from the NAIC’s Insurance Data Security Model Law, which was inspired by the New York State Department of Financial Services’ Cybersecurity Regulation for the financial services industry. The model law outlines specific cybersecurity practices for insurers in areas including: risk assessment and management; board involvement; oversight of third-party service providers; information security program evaluation; incident response, reporting, investigation and notification; and annual certification.
This means insurers with a national reach will need to track emerging state laws. They’ll likely adhere to the most stringent requirements to cut through the layers and complexity—and that’s good news for consumers. For example, Michigan may give a business 10 days to report a cyber event, but South Carolina requires 72-hour notice, and Ohio requires a notice of three business days. National carriers will likely adopt the 72-hour notice to also be in compliance in Michigan and Ohio.
What carriers can do now
- Establish a cybersecurity oversight team. Gather representatives from your IT, operations and other departments to review cybersecurity protocols and make recommendations for improvement.
- Conduct an internal risk assessment. The new guidelines are auditable, meaning that cyber is now part of an insurer’s normal compliance obligations. Effectively, insurers are now being regulated by, well, themselves. Conducting a risk assessment will help.
- Evaluate third-party service providers. This is a pain point for many companies because it requires that all their vendors and partners contractually agree to follow certain cybersecurity practices as part of their working relationship.
Meaningful cybersecurity legislation at the federal level is unlikely at the moment, given the difficulty of moving such a bill through Congress, despite a U.S. Department of the Treasury endorsement of the model law in its 2017 report, “A Financial System That Creates Economic Opportunities.”