Important Information on the NAIC Insurance Data Security Model Law
Cybersecurity threats are very real and very serious. The consequences of
data security breaches can be costly and devastating for both consumers and
insurers. Many industries are adopting new standards to protect personal and
identifying information, including new insurance data regulations.
The National Association of Insurance Commissioners (NAIC) adopted the
“Insurance Data Security Model Law” in November 2017. The law requires
insurance organizations to employ comprehensive cybersecurity programs, and
while the new regulations are only part of a model law, they are quickly being
adopted by individual states.
The goal of the Insurance Data Security Model Law is to provide guidelines
for insurers to protect their customer information. This keeps customer data
safe and helps insurance companies stay out of hot water with security
breaches. The law includes training requirements, response plans, testing and
more.
What does the Model Law require?
- Every insurance company will develop, implement and maintain a written
Information Security Program based on the company’s unique risks, to include
safeguards for the protection of nonpublic information and the company’s
information system. The Information Security Program must be updated to
reflect new technology, threats, business situations, etc.
- Designate an individual or outside vendor to act on behalf of the insurer
with regard to its security program. Third-party service providers must also
comply with data security regulations in order to continue doing business
with insurers.
- Assess the likelihood and potential damage of threats, as well as the
sufficiency of policies and procedures to manage these threats (including
employee training).
- Provide company personnel with cybersecurity awareness training
that is updated as necessary to reflect cyber risks identified by the
company.
The NAIC model law comes on the heels of the New York Department of
Financial Services Cybersecurity Regulations. The model law has been adopted by
New York, South Carolina and Rhode Island, with more states expected to adopt
the law soon.
With stricter cybersecurity regulations, it is critical for insurers to
increase their cybersecurity training efforts and provide each employee with
the information they need for success. WebCE® can help organizations
meet their cybersecurity training requirements with our upcoming
Cybersecurity course. We can also create a custom course with your
content. For a preview of our Cybersecurity course, contact corporate sales at
[email protected].
Additional Resources:
Understanding the NAIC Insurance Data Security Model Law
NAIC – Cybersecurity