NAIC Insurance Data Security Model Law – States Are Next

Cybersecurity and Privacy   |   Financial Services Regulatory   |   Insurance   |   October 25, 2017

cyber preparedness

On October 24, the National Association of Insurance Commissioners (NAIC) Executive (EX) Committee and Plenary granted final approval to Version 6 (with technical corrections[i]) of the Insurance Data Security Model Law (Model). The Model is now available for consideration and adoption by the states. South Carolina and Vermont were the first to indicate their desire to submit the Model for their respective 2018 legislative calendars. 

The Model, which ultimately seeks to create information security standards for insurers, required intensive efforts over the past 18 months by regulators, insurance industry representatives, and consumer advocates. Altogether, their work has generated six Model versions, numerous teleconferences, much negotiation, and over 640 pages of comments. Slipping in just before the end of National Cybersecurity Awareness Month,[ii] the final version of the Model passed with only one “No” vote.

As discussed in our August 14 client alert,[iii] the Model establishes risk-based "standards for data security and standards for the investigation of and notification to the Commissioner of a Cybersecurity Event applicable to Licensees." The Model defines licensees, with limited exceptions, as "individuals or non-governmental entities required to be authorized, registered, or licensed pursuant to a state's insurance laws." The Model's requirements include:

  • Based on a licensee’s individual risk assessment, the development, implementation, and maintenance of a comprehensive written information security program (ISP), including adjustments for changes in technology.
  • Oversight by the board of directors or appropriate board committee of the ISP and all third-party service providers, and the designation of a responsible person for the ISP. 
  • Development of a written incident response plan.
  • Requirements regarding investigation and notification to the commissioner in the case of a cybersecurity event, which the Model defines as "an event resulting in unauthorized access to, disruption, or misuse of an information system or information stored on such system."
  • Annual certification to the commissioner that the licensee is in compliance with the Model's requirements, and a requirement to retain materials supporting the above certification for five years.

The Model significantly tracks New York's Cybersecurity Regulation (NY Regulation[iv]), and, in a drafting note, makes clear the NAIC’s intent that a licensee that is in compliance with the NY Regulation, is also in compliance with the Model.

The last remaining question is whether the Model will become an accreditation standard. This issue is the responsibility of the Financial Regulation Standards and Accreditation (F) Committee,[v] whose mission is to oversee the administration and enforcement of the NAIC Financial Regulation Standards and Accreditation Program. The industry will be watching its deliberations on this issue.

Carlton Fields Jorden Burt, P.A. will continue to monitor the Insurance Data Security Model Law's progress through the state legislative process and the NAIC’s F Committee.


[i]  The technical corrections are reflected in the Model redline contained in the Agenda and Materials document created for the October 24, 2017 Executive Committee and Plenary meeting.
[ii] October 2017 marks the 5th Annual National Cybersecurity Awareness month, created by Presidential Proclamation on September 30, 2013.
[iii] See our August 14, 2017 alert  "NAIC Cybersecurity Working Group Votes to Approve Insurance Data Security Model Law"

©2023 Carlton Fields, P.A. Carlton Fields practices law in California through Carlton Fields, LLP. Carlton Fields publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information and educational purposes only, and should not be relied on as if it were advice about a particular fact situation. The distribution of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship with Carlton Fields. This publication may not be quoted or referred to in any other publication or proceeding without the prior written consent of the firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our Contact Us form via the link below. The views set forth herein are the personal views of the author and do not necessarily reflect those of the firm. This site may contain hypertext links to information created and maintained by other entities. Carlton Fields does not control or guarantee the accuracy or completeness of this outside information, nor is the inclusion of a link to be intended as an endorsement of those outside sites.

Subscribe to Publications


The information on this website is presented as a service for our clients and Internet users and is not intended to be legal advice, nor should you consider it as such. Although we welcome your inquiries, please keep in mind that merely contacting us will not establish an attorney-client relationship between us. Consequently, you should not convey any confidential information to us until a formal attorney-client relationship has been established. Please remember that electronic correspondence on the internet is not secure and that you should not include sensitive or confidential information in messages. With that in mind, we look forward to hearing from you.