For example, a financial expert in a state that has not adopted the model law, is potentially subject to the model law if they are also licensed in another state that has adopted the model law. Thus, it will be important to track what states enact the model law and also how uniformly the model law is enacted state to state.

Standards

The intent of the model law is to establish standards for data security, the investigation of cybersecurity events and notification of the commissioner of cybersecurity events. In order to understand how the model law attempts to meet those objectives it is necessary to understand how the model law has defined the different elements that are involved in cybersecurity.

A cybersecurity event is defined as “an event resulting in unauthorized access to, disruption or misuses of, an information system or information stored on such information system.” Information system is defined broadly as “a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information …” and expressly includes “specialized systems such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems.”

Information security program means “the administrative, technical and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of or otherwise handle nonpublic information.”

Written Security Program Required

The model law requires licensees to implement a comprehensive written information security program based on the licensees' risk assessment. As part of the information security program the licensee must designate an individual (who can come from a third party) to be responsible for the information security program.

The risk assessment must:

• Identify reasonably foreseeable internal and external threats to nonpublic information including any information systems or nonpublic information that are controlled or accessible by third-party service providers;

• Assess the likelihood and severity of damage by these potential threats;

• Assess the sufficiency of existing policies, procedures and technology in place to protect against such threats; and

• Implement information safeguards to manage the identified threats and at least annually assess their effectiveness.

The model law puts special emphasis in assessing the licensees' policies, procedures, information systems and safeguards with respect to:

• Employee training and management;

• Information systems including information classification, governance, processing, storage, transmission and disposal; and

• Detecting, preventing and responding to attacks, intrusions,or other system failures.

Required Investigation and Notification

The model law also contains detailed provisions regarding the investigation of and notification regarding cybersecurity events. Licensees must investigate whenever there is or may have been a cybersecurity event. The investigation can be performed by an outside vendor on behalf of the licensee.

There are separate notification requirements for the commissioner, consumers and reinsurers. The commissioner also has the authority to investigate licensees' compliance with the model law and to take action to enforce the model law.

Importantly, the model law provides for confidentiality of information provided pursuant to a licensee's annual certification under Section 4(I) and much of the information that must be reported to the commissioner following a cybersecurity event under Section 6 and investigations under Section 7.

The model law expressly provides that these documents are not subject to freedom of information act or similar laws, subpoenas or discovery in civil actions and are inadmissible in civil actions.

In addition, licensees subject to HIPPA that have established and maintain information security programs pursuant to HIPPA are deemed to be in compliance with Section 4. In Section 10 the model law contemplates penalties for noncompliance in accordance with the enacting state's general penalty statute. Section 11, which is noted as optional, allows for the implementation of additional rules and regulations necessary to carry out the provisions of the model law.

N.Y. Cybersecurity Rules

The model law is similar, but not identical, in structure and scope to New York's recent cybersecurity rules applicable to banks, insurance companies and other financial services companies, 23 NYCRR 500 (N.Y. cyber rules). The model law contains a drafting note indicating it is the drafters' intent that if a licensee is in compliance with the N.Y. cyber rules then the licensee is in compliance with the model law.

Like the N.Y. cyber rules the model law is based on a risk assessment or risk management approach to cybersecurity. This approach is widely regarded as a best practice in terms of approach to cybersecurity. What is still very much in question is the ability of regulations of this type to actually improve cybersecurity. As both the model law and N.Y. cyber rules tacitly acknowledge, there is no perfect answer or approach to cybersecurity.

Security measures necessary and appropriate for large companies will often not fit smaller companies and vice versa. Examples include the frequency and sophistication of penetration and other testing methods and the scope and intensity of employee training. Further, it is widely accepted by security experts that everybody is vulnerable no matter how rigorous their cybersecurity is. Can regulations effectively improve cybersecurity in this type of risk environment? We shall see.

Open Questions

Another critical hurdle facing the model law that will greatly impact how effective it is in improving cybersecurity, is how widely and uniformly it is adopted by states. These are issues that often plague model laws regardless of subject and there are numerous examples of limited adoption, lack of uniformity of adoption, or both in existing model laws. Penalties and enforcement are another area that could potentially vary greatly state to state.

The NAIC looks to have come up with a fairly balanced approach to cybersecurity regulation and companies large and small would be wise to follow many of the processes and procedures required by the model law. But there are many open questions surrounding the model law the answers to which will determine its success at improving cybersecurity in the insurance industry and as a model for other industries to follow.