Balancing the Relationship Between Regulation and Innovation

Increasing data threats and a growing patchwork of state and federal cybersecurity models are causing considerable stress and confusion for insurers. Figuring out the best path forward is at the forefront of any security strategy, as new products and increased consumer data collection are straining the relationship between innovation and regulation.

Novarica partnered with Locke Lord LLP, a full-service global law firm, to examine the legal implications of the regulations being passed that impact insurance carriers’ technology strategies. In the second of the new quarterly series, Locke Lord LLP and Novarica address the similarities and differences between NYDFS Cybersecurity Regulation and NAIC Data Security Model Law, the recent updates to the California Consumer Privacy Act of 2018, and the potential innovation opportunities and limitations surrounding insurance regulatory sandboxes.

Brian Casey, co-leader of the Regulatory and Transactional Insurance Group; Benjamin P. Sykes, a partner in the practice; and Theodore P. Augustinos, co-leader of the privacy and cybersecurity practice, all of Locke Lord LLP, will be joining me to discuss the regulations outlined below on Novarica’s upcoming webinar on January 9th at 1pm ET. Pre-register to attend here.

NYDFS Regulation and NAIC Security Model Law

The main point of contention during cybersecurity strategy development is deciding which model to follow. Companies looking to cover all of their bases may opt to follow the stricter models; however, a state-by-state approach can also be considered.

It is best practice for insurance carriers to conduct a NIST (National Institute of Standards and Technology) audit performed by an outside assessor. PCI DSS (Payment Card Industry Data Security Standard) complements the other standards and is related to the capture, transmission, and storage of credit card information. The need for a dedicated chief information security officer, or CISO, is also becoming clear.

California Consumer Privacy Act of 2018 Updates

When the CCPA passed with an effective date of January 1, 2020, it gave residents of California the right to know what data has been collected about them and why it was collected, to request the deletion of personal data, to opt out of the sale of their personal data, and to access their personal information easily. This law is similar to GDPR but has some important differences. While GDPR mandates the disclosure of the name of the company that receives someone’s data, CCPA only requires the disclosure of the category of company. The default is not opt-out, like GDPR’s default, but CCPA mandates that the ability to opt out of the sale of your data must be provided.

It is best practice to understand, map, and incorporate the usage of data internally and across third parties into the data governance framework. Carriers may want to consider, whether they do business in the EU or not, the possibility that insofar as GDPR may serve as a model for future laws, it is indicative of what may be required of insurers’ data governance functions and overall enterprise security.

Regulatory Sandboxes

The major difference between innovating in insurance versus other industries comes down to regulation. Being able to innovate and experiment may mean finding environments in which it is safe for insurers to “play.” For example, some state commissioners have made it easier for insurers to test sandbox initiatives.

Innovation requires a change in culture and a commitment of resources and executive support. To truly commit, some staff will need to make innovation their full-time job. As carriers start to experiment, they should be mindful of the data privacy and security regulations in place in each state: some will be more flexible, while others will place substantial regulatory reporting requirements on carriers.

Data use, insurance products, and regulations will continue to shift and evolve, and CIOs should continue to collaborate with CISOs and develop focused cybersecurity strategies. For a more in-depth look at these three regulations and their impact on insurance technology strategies, read the full report Insurance Technology Strategy and Regulatory Compliance, Vol. 2.
