This article originally appeared in Insurance Journal, and is republished here with permission.
In March of 2017, the New York Department of Financial Services (DFS) implemented 23 NYCRR §500 (NY Reg. 500). In doing so, it became the first state regulatory authority to impose regulations that address cybersecurity concerns applicable to insurance-related entities (in New York, covered entities) and their professionals.
Now, two years after implementation, covered entities are required to be fully compliant with every provision of NY Reg. 500, and even had to certify compliance with DFS as recently as February 15, 2019. So, you are a covered entity, and you finally feel like you have a grasp on how to navigate NY Reg. 500’s requirements. Enter the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law (the Model Law).
The Model Law is a cybersecurity guideline, based in large part on NY Reg. 500, which was slightly modified and adopted into law by three states – South Carolina, Ohio and Michigan (collectively, the Model Law states) – in mid-to-late 2018. Covered entities also licensed in these states – defined as licensees – and potentially other states with similar bills waiting to be passed, must now shift their focus to adding new layers of compliance. So, the question becomes: What additional steps do you need to take as a covered entity to be compliant under the Model Law and Model Law states when considered a licensee therein?
Though there are a number of distinctions between NY Reg. 500 and the NAIC Model Law, luckily for New York covered entities, if you comply in New York, you already comply with the vast majority of the Model Law and the Model Law states’ respective modifications thereof. For instance, the following chart provides a high-level summary of some of the key areas in which NY Reg. 500 imposes more requirements than the Model Law and Model Law states.
Based on the above, it would appear as though when you filed your certification of compliance in New York, you would be all set and ready to essentially do the same in the Model Law states, when ultimately required. Not quite so fast. There are still a number of critical requirements under the Model Law and Model Law states of which a covered entity needs to be aware. This next chart, though not as robust as the first, summarizes such provisions.
So how much of the above needs to be considered the moment each of these bills was signed into law in the Model Law states? The answer is: not much. Most of the key areas in which the Model Law and/or Model Law states require more than NY Reg. 500, or are more explicit than NY Reg. 500, involve the ways in which a licensee responds to a breach, investigates a cybersecurity event, or manages/analyzes specific risks.
While absolutely critical to understand and comply with under the right circumstances, these differences do not require immediate action, including adjusting internal policies, in order to comply. Additionally, even if a covered entity that is also a licensee in one or more of the Model Law states wants to amend its policies to ensure compliance by addressing any of these differences, each Model Law state provides for a transitionary period within which a licensee can do so.
That being the case, for now, covered entities operating as licensees in Model Law states can breathe a sigh of relief. Most of the legwork is already done thanks – or no thanks, depending on how invasive the initial New York compliance ramp-up effort was – to DFS and NY Reg. 500.