December 19, 2018

US States’ patchwork of cybersecurity regulations will increase compliance burden

No federal law that would harmonize requirements expected.

Since March 2017, insurers and insurance intermediaries licensed in New York have become subject to stringent new cybersecurity regulations, which have been rolled out gradually and will go into full effect by March 2019.  In 2017, the National Association of Insurance Commissioners (NAIC) also adopted the Insurance Data Security Law (NAIC Model).  South Carolina became the first state to adopt the NAIC Model in May 2018.  Although the NAIC Model is similar to New York’s cybersecurity regulations, there are certain differences between them, and the states can add further deviations from New York’s cybersecurity regulations as they adopt the NAIC Model into their own laws and regulations.

In 2019, other states will likely follow with the adoption of the NAIC Model or other cybersecurity laws and regulations that will apply to insurance licensees.  At this time, there is no realistic expectation for a federal law that would preempt the states’ cybersecurity regulations for the insurance industry and set harmonized requirements across the country.

As a result, even insurers and insurance intermediaries well-accustomed to navigating the differences among the US states’ insurance laws, regulations and regulatory approaches will face a patchwork of cybersecurity requirements across the US.  Even if the different states’ requirements for cybersecurity end up being broadly similar, such that a licensee that meets the highest standards and requirements could satisfy the requirements across the US states, the different states will likely impose a range of new requirements such as the annual certifications of compliance required by New York, which will mean additional compliance burden.  For global insurance groups juggling the requirements of EU’s GDPR and similar laws being implemented around the world, navigating and complying with the range of cybersecurity requirements for the insurance industry across the US states will add further complexity to cybersecurity compliance efforts.

You can read the rest of our insurance predictions here.