Cybersecurity Resources

ILSA’s General Manager, Russ Foster, and I recently appeared on Spot On Insurance’s webinar series, Compliance Conversations, to discuss cybersecurity regulation for the insurance industry.

During that episode, we shared a number of helpful resources.  We also wanted to make those resources available for those of you who couldn’t join us for the live webinar.

Click here to watch the webinar recording on YouTube.

Cybersecurity Regulation Today

As we shared in the webinar, cybersecurity (other than our own) first drew our attention in 2016. That’s when New York began to finalize its landmark regulation for the insurance industry. Of course, 23 NYCRR 500 certainly wasn’t the first cybersecurity law to impact the insurance industry. But it did take regulation to a new level by requiring certification of compliance from “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.”

As the deadline for initial exemption requests approached, our team spent a lot of time answering questions. Did someone qualify for an exemption? How did they file for an exemption and later, certify their compliance? What exactly did New York require in a cybersecurity program? We certainly learned a lot in those hectic days!

New York’s law took effect in March 2017. By October of that year, the NAIC published its own Model Law for cybersecurity. I wasn’t alone in proclaiming 2018 the Year of Cybersecurity Regulation.

It’s Not Just for New York Anymore

To date, eight states have adopted the NAIC Model Regulation.  Following New York’s example, most of them are gradually implementing their regulations over several years.

A table showing implementation dates for various state cybersecurity regulations.

The good news for licensees (other than domestic insurers) is that these states, unlike New York, do not require individual producers and agencies to file for exemptions or to certify compliance annually.

This does not mean, however, that you can put cybersecurity on the back burner.  Data breaches still need to be reported in a timely manner — the exact time frame varies from state to state.  Plans must be reviewed and updated to reflect current threats on a regular basis.  Additionally, employees must receive regular training to promote cyber awareness and reinforce best practices.  Executive management also must document actions taken to ensure cybersecurity and be prepared to produce these records for state review at any time.

I mention domestic insurers because most of these states do require them to file a Certification of Compliance annually.  The consensus due date appears to be February 15.

Help for Compliance

To assist licensees in meeting these new requirements, many states have created Cybersecurity Resource Centers on their websites.  These sites offer, for example, links to forms, information about upcoming deadlines, and regularly updated FAQs.  And based on our experience with New York, you can expect the information included on these sites to increase over time.  After all, regulators need to become comfortable with new processes themselves and learn which tasks prompt questions from licensees.

To visit these sites, click on the state name below. Some states, especially those whose implementation dates are yet to arrive, have not set up Resource Centers yet. So for these states, I’ve linked to the text of their cybersecurity regulation.

More Help

Looking for additional help?  Firstly, be sure to visit ILSA’s Cybersecurity Page to learn more about this important topic.  (For example, there’s a video that explains the difference between cybersecurity and data privacy regulation.)

You can also read the following articles:

Finally, ILSA collaborates with Renaissance Systems, Inc. (RSI) to offer a full range of cybersecurity solutions.
