Insurance companies face even greater challenges in today's regulated markets when it comes to IT support. If your agency is not in compliance with today's emerging laws and rules, or you are unsure whether you are compliant, please know that KPEK.Net, Inc. is fully prepared to assist you with your IT needs. We can prepare an assessment of your company's IT infrastructure against the rules and laws emerging in your industry so that you can meet and exceed them.
The New FTC Safeguards Rule, NAIC Model Laws, OH Data Breach Laws, and You: What Your Agency Needs to Know About Growing Cybersecurity Compliance Regulations.
The Federal Trade Commission (FTC) recently made amendments to the existing Safeguards Rule, which requires businesses of all sizes to protect client data. These changes, which were set to take effect in December 2022, will now be enforced starting June 9, 2023. These amendments broaden the definition of financial institutions and the requirements for protecting customer information.
The Safeguards Rule was originally created for financial institutions and businesses handling financial data, such as insurance agencies. However, the new amendments expand the definition to include any business that regularly sends money to and from consumers. These organizations are required to develop, implement, and maintain a comprehensive security program to protect their customers’ information.
To comply with the Safeguards Rule, insurance agencies must:
- Designate a qualified individual to oversee their information security program. This person should be trained in information security, receive continuing education in security, and be responsible for ensuring that the organization is correctly executing the written information security plan.
- Develop a written risk assessment. This assessment should include a technical scan and a questionnaire to reveal common security loopholes. It should be reviewed annually, but best practices suggest reviewing it quarterly or monthly if the business handles a lot of sensitive information and the owner has a low tolerance for risk.
- Limit and monitor who can access sensitive customer information. For example, not giving the entire team access to the credit card processing system, but only allowing one employee and one backup person to access the information.
- Encrypt all sensitive information. This includes medical records, credit cards, clients' email addresses, phone numbers, Social Security information, driver's license information and birthdays.
- Train security personnel. Employee awareness training is key to not only complying with the law but also to getting and keeping insurance coverage on cyber liability, crime, and other insurance policies.
- Develop an incident response plan. This plan should be in place for when a security compromise occurs.
- Periodically assess the security practices of service providers. This includes ensuring that vendors are adhering to the Safeguards Rule and security frameworks such as CIS or NIST.
- Implement multifactor authentication or another method of equivalent protection for any individual accessing customer information. Also known as "2FA," this process ensures that anyone logging in to an account must confirm the request with a second factor, such as a code delivered to a cell phone or email account.
It's important to note that the Safeguards Rule aligns closely with existing regulations for financial companies, such as Ohio's Law and Administrative Rules Chapter 3965 and NAIC's Model Laws, currently implemented in 22 states, including Ohio.
The Federal Trade Commission's (FTC) Safeguards Rule, the Ohio Law and Administrative Rules Title 39 Insurance, and the National Association of Insurance Commissioners' (NAIC) model laws all take a similar approach to cybersecurity for insurance agencies. These regulations require businesses to implement comprehensive cybersecurity programs to protect sensitive customer information from cyber threats.
These regulations require businesses to:
- Designate a qualified individual to oversee their information security program.
- Conduct annual risk assessments and maintain a written plan that is reviewed regularly.
- Limit and monitor who can access sensitive customer information.
- Encrypt all sensitive information.
- Train security personnel.
- Develop an incident response plan.
- Periodically assess the security practices of service providers.
- Implement multifactor authentication or another method with equivalent protection for any individual accessing customer information.
The main difference is that the FTC Safeguards Rule is a federal regulation that applies to businesses across the United States. The Ohio regulation also requires reporting certain types of cybersecurity events to the Superintendent of Insurance within 24-72 hours of becoming aware of the event, a requirement not present in the FTC Safeguards Rule.
NAIC's model laws are not mandatory regulations, but they are drafted to serve as guidance for states adopting their own laws. NAIC's model laws include provisions for risk assessments, incident response plans, and regular cybersecurity training. They also require insurance agencies to implement reasonable controls to protect nonpublic personal information.
As of January 2023 the states that have adopted the Insurance Data Security Model Law include Alabama, Connecticut, Delaware, Georgia, Illinois, Indiana, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nevada, New Hampshire, New Jersey, New York, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, South Carolina, Tennessee, Texas, Vermont, Virginia, and Wyoming.
All three regulations have the same goal of protecting customer information and maintaining the trust of customers, but compliance with the specific regulations may vary based on the location of the business, the types of sensitive information being handled, and the specific laws adopted by the state. It is important for insurance agencies to stay informed about the latest cybersecurity regulations and best practices, and to work with experts in the field to ensure that their security measures are up to date.
It’s also important to note that insurance companies that operate in multiple states will be subject to the specific regulations and requirements of each state in which they operate, so compliance may vary based on the location of the business.
In summary, small businesses and insurance agencies must be aware of and comply with these regulations to protect nonpublic personal information and maintain the trust of customers.
Don't wait any longer to address your cybersecurity compliance needs. The FTC Safeguards Rule and the regulations from the NAIC and the OH Laws and Administrative Rules are now being enforced, and failure to comply can result in significant financial penalties, damage to reputation, and loss of customer trust. At KPEK.Net, Inc., we understand the urgency of this matter and are here to help. Schedule a phone consultation with us now by requesting a network assessment or calling 440-838-8300. We'll provide a Free Risk Assessment and discuss your concerns, questions, and specific situation. Don't be a sitting duck with your agency's security and your insureds' trust.