NAIC Cybersecurity Panel Asked to Consider Using New York Rule After Draft Fails to Gain Consensus

DENVER – After three attempts at developing an insurance data security model act that failed to gain consensus, the chairman of a National Association of Insurance Commissioners panel said he’s listening to all suggestions — including New York’s new cybersecurity rule.

New York insurance Superintendent Maria Vullo, speaking at the NAIC’s Spring National Meeting, asked the cybersecurity working group to accept New York’s rule as the panel prepares for another round of deliberations. Panel Chairman Raymond Farmer, South Carolina’s insurance director, told Best’s News Service, “everything’s on the table.”

New York’s cybersecurity rule took effect March 1. Vullo said the cornerstone of the rule is a periodic risk assessment of information systems, which includes an annual penetration test of a covered entity’s information system based on risk, as well as biannual vulnerability assessments. The rule requires insurance companies and other financial services institutions to establish and maintain cybersecurity programs. Companies will hire a chief information security officer responsible for implementing and overseeing the program and enforcing cybersecurity policies (Best’s News Service, Feb. 17, 2017).

David Provost, deputy commissioner of the Vermont’s captive insurance division, suggested the panel move forward in an area of little disagreement between New York’s plan and the working group’s latest draft regarding having cybersecurity plans in place. Provost urged this part of the panel’s work be advanced quickly in order to deal with differences concerning notification processes and in what constitutes a breach.

Vullo noted differences between the New York rule and the latest working group draft. She said the NAIC draft baseline requirement to institute information-sharing practices in the federal Gramm-Leach-Bliley Act were inadequate. Vullo said the New York rule does not conflict with the federal law.

She said New York’s rule requires notices of significant cybersecurity events within 72 hours of a determination the event is material and reportable. But the NAIC model requires notice of data breaches within three days of determining that a breach may have occurred. “We believe that ‘may’ is too vague to be workable in practice, leading to confusion over what is required to be submitted,” Vullo said. “And also quite frankly, as a regulator, I don’t want to get a lot of junk.”

She said the NAIC model encourages institutions to protect personal information by encryption or other means for wireless data transmitted or on a public network for all nonpublic personal information stored on a laptop or other portable devices. She said New York’s encryption requirements are more specific, while continuing to be risk-based. New York requires a risk-based determination on what should be encrypted and that a chief information security officer review and approve any alternative compensating controls to ensure they are effective if the institution chooses not to use encryption.

Vullo said New York does not require institutions to specifically notify consumers in the event of a breach, but the rule does require institutions to have an incident-response plan that requires institutions to notify consumers as appropriate and notify regulators after a determination of a material event or breach.

“We’ve tried three times and we’re not there just yet, so this is a good regulation to consider,” Farmer said.

Comments on the working group’s latest draft and on the New York regulation are due to a drafting group headed by Rhode Island Insurance Superintendent Beth Dwyer April 17. A new revised draft is expected to be out the following week in advance of a May 9 conference call to discuss it. “Our focus is getting more narrow and more concise,” Farmer said, adding he hopes the committee might be able to take a vote on the next draft.

(By Thomas Harman, Washington Bureau manager, BestWeek:,