Boston, August 12, 2021 –When insurance companies get hacked, customers and regulators gasp, “Shouldn’t they be more protected?” This premise of a higher bar of protection prompted the insurance industry to create a tailored cybersecurity regulation. However, many states felt this regulation didn’t go far enough and are now enacting legislation to fill the perceived gaps created by the insurance industry’s attempt at self-regulation. Failing to comply with a state insurance data security law is a serious offense.

This Impact Report looks at existing and newly enacted insurance data security laws by state and deciphers what these laws mean to an insurance company’s cybersecurity program as well as accountability for insurance company executives, boards, and CIOs. This report uses desk research, which included online searches of state legislative portals of record searching for enacted state insurance data security laws, plus analysis on the NAIC Insurance Data Security Model Law (MDL-668) in comparison to insurance data security laws adopted by states. This analyst then made comparisons and conclusions to draw attention to points of interest to insurance company CIOs.

This 24-page Impact Report contains one figure and three tables. Clients of Aite-Novarica Group’s Cybersecurity service can download this report, the corresponding charts, and the Executive Impact Deck.

This report mentions Anthem Inc., CrowdStrike, First Unum Life Insurance Company of America, HITRUST, ISO, Mandiant, National Association of Insurance Commissioners (NAIC), National Institute of Standards and Technology (NIST), Paul Revere Life Insurance Company, U.S. Department of Health and Human Services Office for Civil Rights (OCR), and U.S. Treasury.