The internet is great. It allows us to be more connected, share or hone our knowledge, and (perhaps most importantly) watch compilation videos of people slipping on ice. For businesses, the internet has been transformational. Online capabilities opened a whole new world of digitized data storage, increased operational efficiencies, and wider access to consumers.
However, as businesses around the world continue to transition their data from paper files to digital repositories and to leverage modern technology for faster, more efficient operations, they’re also increasing their risk of a cyber attack.
The increasing risk of cyber attacks in the insurance industry
Cyber breaches are rising across multiple industries, alongside a notable shortage of cybersecurity professionals. These factors have shot cybersecurity threats up the list of global business risks, beating out other major threats like climate change and inflation for the top spot.
The insurance industry, which has faced a radical technological revolution in the last decade, has fallen victim to some serious attacks in recent years. The following data breaches involving large insurers are only the tip of the iceberg when it comes to the influx of cyber attacks currently plaguing the industry.
- Progressive Insurance
In August of 2023, Progressive reported a data breach after discovering that employees of a third-party vendor shared their Progressive access with unauthorized individuals. The unauthorized individuals gained access to consumer information including names, addresses, email addresses, phone numbers, and driver’s license numbers, among other confidential data.
- MCNA Insurance Company
Florida-based dental health insurer MCNA Insurance Company suffered a cyber breach that resulted in compromised information for nearly 9 million patients. MCNA Insurance Company detected unauthorized access to its systems in early 2023, some of which were infected with malicious code. On top of personal information like names, addresses, and Social Security numbers (SSNs), hackers were also able to access consumer health data including Medicaid and Medicare ID numbers and information regarding dental and orthodontic care.
- American National Insurance Company
Earlier this year, American National Insurance Company announced that it had been the victim of a cyberattack. At the center of the breach was a file transfer platform known as MOVEit. Turns out, American National Insurance Company wasn’t alone in this breach. A vulnerability in the MOVEit software, owned by third-party IT vendor Progress Software Corporation, compromised the data of over 1,000 organizations and 60 million individuals worldwide.
With cyber breaches like these on the rise, state insurance regulators are reevaluating their cybersecurity regulations and proclaiming consumer data protection as a top priority. To encourage uniform data security regulation among states, the NAIC began drafting a data security model law in 2016.
What is the NAIC Insurance Data Security Model Law?
Following input from state regulators, consumer representatives, and other key insurance industry players, the NAIC Insurance Data Security Model Law (MDL-668) was born. The law requires insurers and other entities licensed by a state department of insurance to create and implement an information security program and to appoint a designated employee to manage the program. The law also recommends insurance companies:
- Perform periodic data security risk assessments
- Regularly report on the status of their information security program
- Investigate any cybersecurity event and notify the state insurance commissioner
- Notify any consumers affected by a cybersecurity event as soon as possible
In the event of a cybersecurity breach, the law grants state insurance commissioners the power to examine licensees to determine compliance with the law. If the commissioner finds any compliance violations, state insurance regulators have the authority to remedy them.
Who does the NAIC Data Security Model Law apply to?
While the data breaches we hear about in the news often focus on large-scale insurance carriers, the NAIC Data Security Model Law applies to all licensees of each state insurance bureau. This includes all insurance agencies, producers, public adjusters, and brokers along with carriers.
Because cyber attacks often occur through vulnerabilities in third-party vendor software, the law also applies to insurtech firms and other service providers with access to insurance consumer and producer information.
Of course, since the law hasn’t been passed in all states, its restrictions are only relevant in the states that have adopted it. But that doesn’t mean non-adopters are off the hook when it comes to reporting and responding to cyber crime. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 requires carriers and other businesses in critical infrastructure sectors to report any cyber events to the Cybersecurity and Infrastructure Security Agency, regardless of whether the state the business operates in has adopted the NAIC Data Security Model Law or not.
The current state of the NAIC Data Security Model Law
As of this writing, 24 states have enacted a version of the law. Adoption is critical for state insurance regulators to ensure they have the tools they need to better protect consumer data. While adoption was slow at first, the pace quickened in 2017 after the federal government issued a report urging all states to adopt the NAIC Data Security Model Law by the end of 2022.
For the remaining states, time may be of the essence. In its 2017 report, the U.S. Treasury Department encouraged Congress to pass federal legislation setting forth uniform requirements for insurer data security if adoption and implementation of the law didn’t result in uniform insurance data security regulation by the end of 2022. As we approach the end of 2023, it seems the verdict is still out on whether Congress will step in.
Third-party vendors play a vital role in preventing cyber attacks
Earlier, we mentioned that cyber attacks often occur through vulnerabilities in third-party vendor software. These days, it’s nearly impossible to find a carrier, agency, or MGA/MGU that doesn’t partner with a handful of third-party vendors.
Insurtech partnerships like these enable insurance organizations to serve their customers faster and more efficiently. However, because these partnerships typically require some level of data sharing, they open insurance businesses up to higher data security risks.
Partner with vendors that prioritize cyber security
Partnering with vendors that prioritize cybersecurity is a crucial aspect of maintaining data security and regulatory compliance. As a best practice, businesses should periodically assess vendor security measures, ensure compliance with regulations such as the NAIC Data Security Model Law, and implement a due diligence process for assessing potential vendors.
At AgentSync, we’re dedicated to providing our customers with modern producer licensing and compliance solutions that never compromise on data security. Our company complies with the NAIC Data Security Model Law, the Gramm-Leach-Bliley Act, and the New York Department of Financial Services Cybersecurity Requirements (NYDFS Part 500), and we bake an extra level of security into each of our workflows.
In our ongoing efforts to protect what matters most to our customers, AgentSync has implemented the NIST Cybersecurity Framework and annually completes a SOC 2 Type II audit to ensure the availability and security of our customers’ data.
Contact us for more information about our Security and Compliance programs. If you’re interested in learning more about our security protocols or want to see how AgentSync can help carriers, agencies, and MGA/MGUs modernize their producer management processes, schedule a demo today.