The National Association of Insurance Commissioners' effort to create a cybersecurity standard has passed a major hurdle as a key committee signed off on a draft model law.
The Insurance Data Security Model Law must still be approved by a vote of the entire NAIC in a plenary session, but if it passes muster, it could become a state accreditation standard.
"It certainly will be considered at some point," said Ray Farmer, who is chair of the working group shepherding the model law.
The model law includes an outline for an incident response plan and measures related to the oversight of third-party vendors, investigation parameters and maintaining records. It would also require annual certification reports to state regulators.
The threshold for a cyber incident is a suspected breach of nonpublic information involving 250 or more consumers, combined with how much the incident impacts the licensee or materially harms consumers. Recently added draft language would allow a licensed insurer that is in compliance with New York's cybersecurity requirements for financial services companies to be considered in compliance with the NAIC model.
The multistate effort looks to be overcoming the significant industry dissension it faced for more than a year. Some industry members were concerned about uniformity, overly prescriptive requirements or excessively broad definitions that would make insurers over-reactive to non-critical events.
Farmer said the model law's passage from the working group sends a clear signal to federal regulators that insurance matters are to be handled by the states. Federal banking regulators have already proposed their own potential enhanced cybersecurity risk-management and resilience standards that would apply to large and interconnected entities under their supervision.
Farmer, who is South Carolina's insurance commissioner, said during the open committee session that he had recently engaged in "table-top exercises" with federal regulators, including the Federal Reserve Board and the Treasury Department. The confidential exercises envision various breach scenarios, which are then gamed out by cybersecurity teams at different levels of government.