Coming Soon to a State Near You: Cybersecurity Regulation

View post titled Coming Soon to a State Near You: Cybersecurity Regulation

Posted on 05/09/2019 at 12:50 PM by John Lande

Ever since the New York Department of Financial Services (“NYDFS”) enacted its cybersecurity regulation for financial institutions and related organizations, other states have started to enact cybersecurity regulations of their own. South Carolina became the latest state to enact a version of the National Association of Insurance Commissioners (“NAIC”) model cybersecurity law, which is based on the NYDFS regulation.

The model NAIC law applies to organizations that are required to comply with state insurance laws. This would typically include insurance agencies and brokerages that do business in a particular state. Under the model law, these organizations are required to develop an information security program to mitigate the risk of a cybersecurity incident. That program must include:

  • Conducting routine risk assessments to determine the organization’s internal and external vulnerabilities, taking into consideration the likelihood of a particular kind of incident;
  • Assessing and developing policies designed to mitigate a particular vulnerability;
  • Training employees to help them identify particular risks and how to avoid them; and
  • Implementing other safeguards to mitigate identified risks.

This framework is nothing new for organizations that have already recognized that cybersecurity is a significant source of risk. Many regulations and guidance already recommend or require a risk assessment. What might be new for many organizations, however, is the NAIC model law’s recommendation of specific practices to consider implementing, such as:

  • Placing access controls on certain systems and data, and limiting employee access to certain systems and data;
  • Identifying and limiting the number of devices that can access core systems;
  • Restricting physical access to certain systems;
  • Encrypting sensitive nonpublic information;
  • Adopting secure development practices for in-house technology and applications;
  • Updating systems to comply with the information security program;
  • Implementing controls like multi-factor authentication to verify user identities;
  • Regularly test systems to determine whether they actually deter attempted intrusions;
  • Verifying that audit trails are maintained by internal systems;
  • Preparing backups to mitigate risk of loss from natural disasters; and
  • Developing  procedures for the disposal of nonpublic information.

Overall, NAIC’s model law is similar to cybersecurity guidance issued by many other regulators. This blog recently covered some of the common cybersecurity themes that cut across all industries.

Organizations of all kinds should pay close attention to the NAIC model law, and others like it, because the increasing pace of cybersecurity incidents shows no signs of slowing down. Organizations should consider whether compliance with something like the NAIC model law can assist their cybersecurity preparedness, even if the organization is in a different industry. Odds are good that eventually most organizations will have to comply with a cybersecurity regulation of some kind, so it makes sense for organizations to work with knowledgeable professionals to stay ahead of the curve.


Questions, Contact us today.

Contact Us


The material, whether written or oral (including videos) that is posted on the various blogs of Dickinson Bradshaw is not intended, nor should it be construed or relied upon, as legal advice. The opinions expressed in the various blog posting are those of the individual author, they may not reflect the opinions of the firm.  Your use of the Dickinson Bradshaw blog postings does NOT create an attorney-client relationship between you and Dickinson, Bradshaw, Fowler & Hagen, P.C. or any of its attorneys.  If specific legal information is needed, please retain and consult with an attorney of your own selection.

There are no comments yet.
Add Comment

* Indicates a required field