Cybersecurity Task Force recap – NAIC Summer 2016 National Meeting

Authored by: Russell Sommers

The agenda of the NAIC cybersecurity task force included a cybersecurity legislative update and two presentations on data analysis projects currently underway, but the majority of conversation centered around the recently released update to the Insurance Data Security Model Law.

Cyber legislative update

The cyber legislative update noted the creation of a 12-person task force charged with reporting back to the President of the United States (POTUS) on cyber, and the task force's intent to focus on cyber insurance. It was noted that this project is underway and observations are expected late this year.

Data analytics

The data projects summarized a tremendous amount of information, but also acknowledged scope limitations due to the inability to disaggregate cyber insurance components of packaged policies. Premium amounts and loss ratios varied significantly among carriers, while policy types trended toward claims-made policies: 82 percent of cyber liability policies were claims made, as opposed to 18 percent occurrence. The working group noted the impact of this on accessibility for currently difficult-to-identify and potentially long-tailed events.

Insurance Data Security Model Law

Conversation by interested parties around version two of the Insurance Data Security Model Law was highly spirited. Commissioner Hamm (ND) noted before queueing interested parties that the comment period remains open until 9/16/16. Interested parties commented with a litany of observations, including that the current draft model law:

  • Is missing references to the existing 47 individual state breach notification laws;
  • Contains no suggested template, format or minimum required information for breach notification;
  • References “harm” and “inconvenience” relating to breach notification, but fails to adequately define either;
  • References “personal information,” which is loosely defined in the document. The law does define personally identifiable information, but is missing definitions of other types of personal information, namely protected health information and material non-public information;
  • Hasn’t considered conflicts with HIPAA privacy guidance with which insurers already have to comply; a gap analysis should be conducted to reduce any conflicts;
  • Does not address protocols for breaches at third-party or fourth-party service organizations;
  • Uses the ambiguous language “state of the art”; and
  • Does not include data classification requirements or a suggested data classification framework.

Considering the volume of modifications from version one to version two, in conjunction with the volume of interested party comments, it appears the current working version is perceived as a good start, but there seems to be some work to do before this becomes final.

For more information on this topic, or to learn how Baker Tilly specialists can help, contact our team.