VI. Principal Regulatory Developments Affecting Insurance Companies
bind any state to adopt any laws or regulations or to agree in substance with all of the provisions of the Roadmap. The NAIC will begin working on the new Cyber Model and hopes to have it completed by the end of 2016 (although it has acknowledged that this may be a difficult goal). As part of the development of the Cyber Model, the NAIC will also revisit certain existing Model Laws that touch upon cybersecurity issues in order to remove any conflicts with the provisions of the new Cyber Model.
The NAIC also adopted, in summer 2015, the “Principles for Effective Cybersecurity: Insurance Regulatory Guidance” (the “Principles”), which set forth 12 guiding principles for the protection of insurance customers. The Principles, which are based on the federal National Institute of Standards and Technology’s Cybersecurity Framework, state in part that insurance regulators should ensure that personally identifiable consumer information held by insurers, producers and other regulated entities is protected from cybersecurity risks, and that insurers must appropriately safeguard sensitive information and provide notice of data breaches.
Finally, in September 2015 the NAIC IT Examination (E) Working Group adopted guidance intended to modernize IT protocols for financial examiners and enable examiners to determine whether an insurer has significant exposure to cybersecurity risks and to assess an insurer’s level of controls and processes for managing such risks. The new guidance will be included in the 2016 version of the Financial Condition Examination Handbook and will be updated thereafter.
b. U.S. Congressional Developments
In addition to the insurance-related items discussed above, the Appropriations Act included the passage of the “Cybersecurity Act of 2015,” which enables the federal government, state governments and private entities to share information with each other regarding cyber threats voluntarily. The law, which was supported by insurance industry groups, establishes a framework for such information-sharing that includes certain protections to prevent the sharing of individuals’ personal information that is not directly related to a cyber threat. The Cybersecurity Act of 2015 was among many pieces of cybersecurity-related legislation that Congress considered this year, demonstrating heightened interest in legislating in this area at the federal level.
Developments and Trends in Insurance Transactions and Regulation 2015 Year in Review
c. New York Developments
Prior to the NAIC’s announcement that it is working on a Cybersecurity Model, on November 9, 2015, the Acting Superintendent of the NYDFS sent a letter to the members of the federal Financial and Banking Information Infrastructure Committee (the “FBIIC”) to describe the NYDFS’s preliminary views on a potential cybersecurity regulation, and to invite feedback from the FBIIC members (including the NAIC). The FBIIC was chartered by the President’s Working Group on Financial Markets to improve coordination and communication among financial regulators, among other things. The NYDFS letter described policies and procedures that “covered entities” could be required to undertake with respect to information security and data privacy, including taking measures to protect data accessible to third-party service providers, adopting multi-factor authentication procedures, designating a Chief Information Security Officer who would annually report to the NYDFS, conducting annual audits, and immediately notifying the NYDFS of any material cybersecurity incident. The letter stated that such proposals do not represent a complete list of all the components of a potential cybersecurity regulation that the NYDFS is considering.
Earlier in the year, the NYDFS demonstrated its particular interest in cybersecurity issues when it sent a letter to a sizable group of insurers requesting a report on a variety of items relating to their institutional cyber risk. The NYDFS has also been conducting targeted cyber risk assessments of certain financial institutions under its authority.
The extent to which the NAIC and other financial regulators will coordinate with the NYDFS’s efforts, in light of the NAIC’s own planned Cybersecurity Model, remains to be seen.
2. Life Insurance Developments
a. Principle-Based Reserving
For over a decade, the NAIC has been working on developing a principle-based approach to life insurers’ reserving methods, in which actuarial judgment and the risks faced by a life insurer would have greater weight on that insurer’s