Standardized data security controls for insurers are gaining ground

Ohio State Capitol, Columbus, Ohio. (Photo: Shutterstock.com)

At the end of December, Ohio became the second state to adopt the National Association of Insurance Commissioners' (NAIC) Insurance Data Security Model Law, joining South Carolina in imposing cybersecurity requirements on insurance companies. Lawyers said the law incorporates widely accepted cybersecurity best practices which, if adopted across the country, would give insurers a single model to follow rather than a patchwork of regulations.

The South Carolina and Ohio laws closely track the National Association of Insurance Commissioners' Insurance Data Security Model Law, which the association finalized in 2017. The cybersecurity best practices the NAIC recommends include board-of-directors oversight, ongoing risk assessment, multifactor authentication and encryption. South Carolina's law took effect in April 2018, and Ohio's is expected to come into full force in a year.

Michael Levine, a partner at Hunton Andrews Kurth, said of the Ohio and South Carolina legislation: "This is an extra layer of protection for the information provided to insurance companies, and it requires them to adhere to the statute."

The NAIC model law is a response to a 2017 New York State law that mandated that financial companies implement multifactor authentication, compliance certification and other security controls.

Lawrence Hamilton, president of the US Insurance Regulatory Practice at Mayer Brown, said the New York law and the adoption of the NAIC model law by South Carolina and Ohio offer insurers a uniform cyber standard, which he called essential.

However, Hamilton pointed out that the Ohio law provides an unusual defense against lawsuits filed in Ohio alleging that an insurer's failure to maintain reasonable cybersecurity controls resulted in a data breach. An insurer would have an affirmative defense against such a claim if it "satisfied" the provisions of the new law. A similar safe harbor is offered under an Ohio data breach notification law.

The new law comes days after a hacker group calling itself "The Dark Overlord" claimed to have hacked insurers Hiscox, Lloyd's of London and Silverstein Properties.

The Ohio legislation also adds a modified definition of a cybersecurity event as an incident that results in unauthorized access to or misuse of information "that may cause material harm to a consumer residing in that State or an essential part of the normal activities of the licensee."

"Ohio is redefining the cybersecurity event to include this phrase," Hamilton explained. "They recognize that you want to focus on cybersecurity events that actually pose a threat to consumers."

Jeffrey Taft, also a Mayer Brown partner, noted, however, that state changes to the NAIC Model Law could make it harder for insurance companies to rely on the standard.

"States will make changes to the Model Law, make it less uniform and require compliance with specific provisions," said Taft. "It is difficult to comply with each jurisdiction, and you generally end up with the most conservative jurisdiction."

Still, while regulatory uniformity across the country may be preferable, counsel said the NAIC's requirement to notify regulators within 72 hours may not be practical.

"Seventy-two hours will require businesses to get used to it," said Marcus Christian, a partner with Mayer Brown. "Sometimes it takes more than 72 hours. For companies facing this type of crisis, it is not the first thing that comes to mind: 'let's talk to the regulators.'"

Nevertheless, Christian explained, a uniform law eases business complexity and builds customer confidence. It is considered a positive measure.