In October 2017, the National Association of Insurance Commissioners (NAIC) adopted the Insurance Data Security Model Bill, also known as the NAIC “Model Law.”
NAIC’s Model Law seeks to establish a guiding framework that provides actionable expectations to regulated entities so they can develop and establish the operation of a comprehensive cybersecurity program. Among many other things, the Model Law requires 1.) planned cybersecurity testing, 2.) board-level involvement with a company’s information security program and 3.) incident response plans for specific breach notification procedures.
Although the Model Law cannot be enforced at a national level and no state or territory can be compelled into adopting it – the Model Law only becomes binding when it is approved and adopted in each regulated jurisdiction – NAIC is strongly encouraging states to enact the Model Law and has set a goal of having it passed by the majority of states within three years.
South Carolina’s legislature became the first to adopt its version of the NAIC Model Law on May 1, 2018, and issued a call for the adoption of reasonably similar legislation across the nation.
As the first state to adopt cybersecurity legislation specifically for insurers, including the requirement to protect customer information, South Carolina has aligned itself with the State of New York Department of Financial Services (DFS), which earlier passed its own set of financial cybersecurity regulations, known as 23 NYCRR 500.
New York’s DFS regulation appears to have served as an inspiration for the drafting of the NAIC Model Law for the insurance community and for other industry leaders seeking to protect citizens from cyber threats. The South Carolina Legislature’s tone, like that of NY DFS, expects more of regulated entities than ever before, and the law is clearly better informed in its writing than many other industries’ attempts at cybersecurity reform.
Although to a lesser extent than NY DFS, South Carolina’s adoption of NAIC’s Model Law will have nationwide consequences as other states rush to follow suit. NY DFS had national impact and initiated the cybersecurity-focused regulatory process for the entirety of the U.S. financial sector, since many financial institutions have a presence or operations in New York State. It is expected that South Carolina’s Model Law will trigger the same trend for the insurance industry.
Although both laws do begin to address the myriad compliance and regulatory actions necessary to provide robust cybersecurity programs, NAIC’s Model Law does not appear to go far enough in demanding the establishment of the foundational controls required to protect patients’ privacy, nor does it call for sufficiently strong cybersecurity defenses.
When South Carolina’s Governor Henry McMaster signed the law on May 3, 2018, the race towards the Jan. 1, 2019 deadline – when all regulated entities inside or doing business with the State of South Carolina will be required to achieve compliance with all statutes in the law – kicked off. Ray Farmer, South Carolina’s director of Insurance, and his department have accepted the challenge in developing an examination approach and regulatory process that not only must support the new law but serve as a pioneer for all the other 55 NAIC regulators and their departments, as well as a host of foreign government regulators who lack the resources to develop their own methodology.
South Carolina’s new law focuses on cybersecurity and provides guidance for addressing security concerns starting above even a regulated entity’s corporate executives. Under the law, a company’s board of directors has been made directly accountable for the oversight of the cybersecurity program and all its activities and results. Executive leadership and senior management are made solely responsible for all program governance activities and compliance reporting.
These responsibilities include yearly attestation as to the regulated entity’s cybersecurity program maintenance, compliance status and any “material matters related to the Information Security program.” These would consist of events such as non-compliant testing results and any identified violations.
Similar to the 2002 U.S. Federal Sarbanes-Oxley Act, South Carolina’s law insists on clearly identifying who holds final accountability for each regulated entity’s cybersecurity posture. The Board of Directors and executive leadership may delegate these responsibilities, but there is no mistaking whom the law holds accountable. This pragmatic approach to accountability is long overdue and offers real benefit in the form of increased awareness among the corporate citizenry.
The law should also promote a cultural change in how a new cybersecurity narrative flows down through leadership into the corporation, affecting how employees regard cybersecurity and general information security practices in their day-to-day work. To further this hoped-for cybersecurity cultural revolution, the law mandates that all employees of regulated entities take cybersecurity awareness training, and it sets the stronger expectation that this training must be regularly updated to reflect the risks identified during the expected and ongoing risk analysis efforts.
This law’s language represents more highly focused aspirations than other cyber laws or regulations before it. For most regulated entities, the biggest cybersecurity cultural challenge will be cultivating an environment of openness among employees who may fear repercussions if they were to identify cybersecurity gaps. Under the new law, employees are encouraged to report suspicious behavior, suspected phishing attempts, or other anomalous activity without fear of reprimand.
Also relatively new to the language of cybersecurity laws is the mandate requiring regulated entities to stay actively informed of emerging cybersecurity threats and vulnerabilities. The gathering, analysis and consideration of critical intelligence is a fundamental tenet of a healthy cybersecurity program, and by including it in the law, it should have a marked impact on the quality of programs.
One of the new law’s key expectations is its requirement for regular, comprehensive assessment of cyber risk commensurate with the mission of the organization. The cybersecurity risk assessments are intended to identify all cyber risks that may have an impact on the regulated entity or its ability to conduct business.
Conducting an objective and thorough cybersecurity assessment of itself is difficult for most corporations to achieve. These assessments may be even harder for regulators that do not have trained resources who fully understand cyber risk identification and mitigation measures. To realize the highest benefit of a risk assessment, the assessment should be performed by a professional third party who can assess all the people, processes, procedures, technology and information against any applicable legal or regulatory compliance requirements.
The risks facing insurers, medical providers and medical device manufacturers are numerous. There are, however, several techniques and methods available to gather the intelligence necessary to identify each of these risks and threats. These techniques can and should include regulatory framework mapping exercises, readiness assessments and risk-posture evaluations, vulnerability and compromise testing, penetration testing, process and procedure reviews, as well as tabletop exercises in which the concepts derived from analyzing the data are played out and tested using real-world intelligence.
Each of these methods is intended to identify a different form of threat or risk. A robust cybersecurity risk assessment combines several or many of these techniques to augment the oftentimes insufficient standard intelligence-gathering activity of the entity being assessed.
South Carolina’s Department of Insurance requires compliance with the risk assessment clause through 1.) written attestation, 2.) annual submission to the director of Insurance and 3.) proof of compliance maintained for five years. All areas of concern identified in the risk assessment must also be documented and have remediation plans in place.
In these areas of compliance, the use of external partners can be helpful for both regulators and regulated entities. An independent third-party may be able to assess the regulated entities to a level of comprehensiveness that regulators are unable to provide and administer a defensible risk assessment on behalf of regulated entities that lack adequate resources.
Additionally, South Carolina’s law requires that if an event is believed to have occurred, the parties responsible for cybersecurity must investigate promptly. The investigation minimums outlined in the law include: determining whether the event occurred, assessing the nature and scope of the event, identifying any nonpublic information involved in the event and carrying out reasonable measures to restore security to affected systems. The South Carolina Director of Insurance must be notified within 72 hours of the discovery of the event if certain additional criteria are also met. All records regarding events must be kept for five years from the date of the event.
If third-party vendors are responsible for the cybersecurity of an organization, the same responsibilities are imposed on them, and the investigation will be overseen by the executives accountable for cybersecurity in the organization.
There are stringent requirements undertaken during an investigation by the South Carolina Director of Insurance into an organization that has had a cybersecurity event. Documentation must be completed in an electronic form and kept updated as the investigation progresses. The report of investigation must contain 13 basic requirements, including the date, description and method of discovery of the event.
South Carolina has achieved a stunning victory in the unending battle for cybersecurity and data privacy for the insurance and healthcare industry. By passing this law, South Carolina has managed to set the pace for other states and put themselves in the crosshairs of criticism. The journey from here for both South Carolina and the states that dare to follow directly in their footsteps is a bit uncharted.
However, with the excellent guidance from the NAIC Model Law, case studies from NY DFS and assistance from cybersecurity experts, we should be soon expecting better corporate cybersecurity hygiene driven by real cultural changes in how people view cybersecurity.