Addendum: for use with Arizona Life/Health, Property/Casualty, and Personal Lines ExamFX courses, per exam outline update effective 7/1/18.
The following are content additions to supplement your existing text unless otherwise indicated:
B. State Regulation
Cyber Security – new section
Cyberattacks are a persistent and growing threat. A successful attack can result in the theft of sensitive consumer financial and health information, the cost of repairing or replacing compromised hardware and software, litigation costs, and lasting damage to a company's reputation. These risks have led to increasing calls for legislation and regulation requiring insurers to adopt stronger cybersecurity measures.
The NAIC has completed several cybersecurity activities in recent years, including adopting the Insurance Data Security Model Law. The Model Law requires insurers and other entities licensed by state insurance departments to develop, implement, and maintain an information security program, investigate any cybersecurity events, and notify the state insurance commissioner of such events. States are now working to introduce the model in their legislatures.
The NAIC Insurance Data Security Model Law introduced several important terms and definitions:
Cybersecurity event means an event resulting in unauthorized access to, disruption of, or misuse of an information system or the information stored on that system. Under the NAIC model, the unauthorized acquisition of nonpublic information that is encrypted is not a cybersecurity event, provided the encryption key or process was not also acquired, released, or used without authorization.
Information security program means the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information.
A licensee is any person licensed, authorized to operate, or registered (or required to be licensed, authorized, or registered) under a state's insurance laws. The term does not include a purchasing group or a risk retention group.
Nonpublic information means information that is not publicly available and falls into one of three categories: business-related information of the licensee whose tampering, unauthorized disclosure, access, or use would materially harm the licensee's business, operations, or security; personally identifiable consumer information (such as a Social Security number or credit or debit card number); and any information, other than age and gender, relating to an individual's health care.
A licensee's Information Security Program must be designed to do the following:
- Protect the security and confidentiality of nonpublic information and the security of the information system;
- Protect against any threats or hazards to the security or integrity of nonpublic information and the information system;
- Protect against unauthorized access to or use of nonpublic information, and minimize the likelihood of harm to any consumer; and
- Define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for its destruction when no longer needed.
As part of the information security program, each licensee must also:
- Designate one or more employees (or an affiliate or outside vendor) as responsible for the information security program;
- Identify reasonably foreseeable internal and external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information, including information that is accessible to, or held by, third-party service providers;
- Provide employee training and management in cybersecurity;
- Implement safeguards to manage the identified threats; and
- Assess the effectiveness of the safeguards' key controls, systems, and procedures at least annually.
When a cybersecurity event has occurred, the licensee must notify the Department of Insurance as promptly as possible, but no later than 72 hours after the licensee determines that a cybersecurity event has occurred. The 72-hour clock runs from the licensee's determination, not from the date of the event itself, so the licensee must also have a process for promptly investigating suspected events. Under the NAIC model, notice is required when the state is the licensee's state of domicile, or when the event involves the nonpublic information of 250 or more consumers in the state and is reasonably likely to materially harm those consumers or the licensee's normal operations.