Regulating the Cybersecurity of Insurance Companies in the United States

M. B. Kao
Journal: Corporate Social Responsibility (CSR) eJournal
Publication date: 2019-06-05
Publication type: Journal Article
DOI: 10.2139/ssrn.3399564 (https://doi.org/10.2139/ssrn.3399564)
Citation count: 0

Abstract

While cybersecurity has been an important issue for all business sectors due to the rapid development of and reliance on technology and the increasing sophistication of unlawful actors, it is particularly significant for insurance companies because of the nature of the industry. The internet makes it possible to collect and store massive amounts of data, and this in turn requires the utmost confidence of consumers in the companies collecting this data. The growing concern for cyber risks has compelled insurance regulators to devise and implement frameworks and rules for insurance companies to follow. In the United States, insurance regulation is controlled by the states. Invariably, the enthusiasm and speed of responses have been mixed. New York has implemented the Cybersecurity Requirements for Financial Services Companies, while South Carolina, Ohio, Michigan, and Mississippi have passed laws based on the Insurance Data Security Model Law published by the National Association of Insurance Commissioners (NAIC), a non-governmental entity created by and composed of the insurance commissioners of each state and territory. The specific provisions within these regulations differ, which creates inconsistencies throughout the United States. As more states adopt cyberspace policies regulating the insurance industry, the divergence could worsen. This paper examines the NAIC Model Law and regulations in various states, and advocates for a uniform standard across the United States based on the New York regulations because of their robust nature.