In October 2017, the NAIC adopted an Insurance Data Security Model Law that builds on existing data privacy and consumer breach notification obligations. The Model Law requires every insurance licensee in a state (unless they qualify for an exemption) to maintain a written cybersecurity policy and implement a risk-based cybersecurity program. The Model Law also requires a licensee to satisfy specific requirements related to:
- Risk assessment and management;
- Oversight of third-party service providers;
- Incident reporting, investigation and notification;
- Annual certification, and;
- Exceptions (if eligible).
In the United States, the business of insurance is regulated primarily at the state level. That means that the Model Law will not actually apply to a licensee unless and until it is enacted into law by a jurisdiction where that licensee is licensed.