The government keeps making it harder for business leaders to kick the cybersecurity can any further down the road. Another round of new cybersecurity laws affecting the insurance industry, for example, continues the trend of state and federal bodies giving businesses not-so-gentle pushes to get their data policies in order.
So far in 2021, three more states have passed laws that step up cybersecurity requirements in the insurance industry, bringing the total to at least 14 states that have implemented laws based on a model drafted by the National Association of Insurance Commissioners. In the spring of 2021, Iowa passed a new cybersecurity law to go alongside new laws in Maine and North Dakota. Several other states have pending legislation based on NAIC’s model.
New Rules Will Keep Coming
Most of the recently passed laws start taking effect in early 2022, with some aspects delayed until 2023. The U.S. Treasury Department has asked all states to pass laws based on NAIC’s model by 2025. After that, it’s likely that the U.S. Congress would pursue legislation to close any remaining gaps at the state level. In 2021, 44 states introduced or considered more than 250 bills and resolutions dealing with cybersecurity.
Meanwhile, President Biden signed an executive order in May 2021 that steps up the federal government’s cybersecurity game by strengthening standards for government systems, requiring better security measures from software developers and creating an incident review board that will investigate major breaches in an effort to prevent future problems.
And the Defense Department is currently rolling out its Cybersecurity Maturity Model Certification (CMMC) standard, which requires roughly 300,000 companies at all levels of the DoD supply chain to obtain third-party certification that their cybersecurity practices meet the required maturity level.
Breaches Drive Action
All this government action to harden information security defenses points to a quickly dying “it won’t happen to us” mentality. The last six months have produced headline-grabbing demonstrations of America’s gaping cyber holes: the SolarWinds supply-chain compromise, the mass exploitation of Microsoft Exchange Server and the ransomware attack that shut down the Colonial Pipeline.
Perhaps the strongest indication that both government and businesses are getting serious about cybersecurity is the bipartisan support regularly seen for the new laws. Iowa’s new insurance law, for example, passed during its first legislative session with a total vote of 137-0 in the House and Senate before being signed into law by Republican Gov. Kim Reynolds.
Michael Daniel, President/CEO of the Cyber Threat Alliance, told the Washington Post in 2020, “Most of cybersecurity is a nonpartisan issue. It’s one of the few things that’s true in Washington.”
The challenge with any of these laws, of course, is that they deal with a rapidly shifting tech landscape. That means private organizations must continue to actively drive their own security policies rather than count on compliance with dated regulations to keep them safe.
A National Model for New Laws
NAIC saw the problem growing back in 2016 and decided to push for change in the wake of major insurance-industry breaches that compromised the personal information of millions of consumers. After seeking input from insurance regulators, consumer representatives and the insurance industry, NAIC released its model regulation.
These NAIC-inspired laws typically apply to any organization licensed by the state department of insurance, including insurers and insurance agents. If your state has passed legislation based on the model law, read the details. Several states have modified the template in important ways. For example, in various states the required deadline for notifying the state of a breach is 72 hours, three business days or 10 days.
What’s in the New Insurance Regulations
Note that most of these laws exempt smaller companies from the requirements. Iowa, for example, exempts companies with fewer than 20 employees, less than $5 million in gross annual revenue or less than $10 million in year-end total assets.
Under Iowa’s new law, all other organizations licensed by the insurance commissioner must:
- Conduct regular risk assessments – The assessment must identify “reasonably foreseeable” internal and external threats, estimate the potential damage from those threats and determine whether the safeguards in place are sufficient to mitigate them. The risk assessment must also include a review of employee training and management.
- Develop a comprehensive, written information security program – As part of this requirement, organizations must designate a specific person responsible for managing the program. (Pratum’s vCISO service can help provide the oversight your organization needs to manage your requirements under these laws.) The program must include appropriate access controls to protect nonpublic information (such as multifactor authentication), secure software development practices and regular monitoring of systems to detect intrusions.
- Report and investigate breaches – The law is concerned with any event that results in unauthorized access to nonpublic information about a consumer, such as a Social Security number, driver’s license number or account numbers. Under the Iowa law, organizations must notify the commissioner within three business days of confirming that a breach occurred. In some circumstances, the organization may be required to notify affected consumers of the breach as well.
- Develop a written incident response plan – The incident response plan must provide details on how the organization will deal with a breach, including information on how it will restore operations and appropriately communicate about the breach both internally and externally.
- Submit annual cybersecurity reports to the insurance commissioner – The report will verify compliance with the law’s provisions. The commissioner can inspect all records related to the cybersecurity policies at their discretion.
- File for exemption under HIPAA or Gramm-Leach-Bliley Act – Organizations that are subject to and in compliance with either of these acts can file for an exemption from the requirements of Iowa’s law. Pay particular attention to this provision in your state’s law, as it is not part of the NAIC model.
Clearly, the regulatory landscape for cybersecurity is changing by the month. For help in understanding how new laws affect your organization—and what requirements are on the near horizon—contact Pratum today.