The National Association of Insurance Commissioners held its Summer 2017 National Meeting in Philadelphia, Pennsylvania from August 6 to 9, 2017. This Sidley Update summarizes the highlights from this meeting. (more…)
The National Association of Insurance Commissioners (NAIC) has created a new task force to monitor technology, data collection and Cybersecurity developments in the insurance industry. The Innovation and Technology (EX) Task Force (IT Task Force) was formed on March 9, 2017 and reports directly to the NAIC’s Executive Committee. The IT Task Force will appoint and oversee the work of the following NAIC groups: the Big Data Working Group, the Cybersecurity Working Group and the Speed-to-Market Working Group. According to the NAIC’s March 9, 2017 press release, the IT Task Force’s purpose is to help insurance regulators stay informed about technology-related developments, products and services in the insurance industry, including start-up companies, and to ensure they meet consumer expectations and ensure consumer protections. The press release notes that annual investment in insurance technology (InsurTech) has increased to more than $2.5 Billion and continues to grow.
On February 16, 2017, the New York State Department of Financial Services (the “NYDFS”) issued its final regulations setting forth minimum requirements for NYDFS-regulated entities to address cybersecurity risk (“Final Regulations”). The NYDFS issued the Final Regulations after considering feedback and criticism received during two comment periods — one following the NYDFS’s initial publication of the proposed regulation (on September 13, 2016) and a second comment period after the NY DFS published a revised version of the regulation (on December 28, 2016.)
The Final Regulations will be effective as of March 1, 2017, with a transitional period of 180 days from that date for Covered Entities to comply with the Final Regulations, except for certain enumerated provisions for which longer compliance periods are specified. The annual certification of compliance (covering the prior calendar year) will be required beginning on February 15, 2018.
On December 28, 2016, the New York State Department of Financial Services (the “NYDFS”) issued revised proposed regulations setting forth minimum requirements for NYDFS-regulated entities to address cybersecurity risk (“Revised Proposed Regulations”). The NYDFS issued the Revised Proposed Regulations after considering feedback and criticism submitted during a 45-day comment period to address the initial proposal, issued on September 13, 2016. The agency has announced an additional and final 30-day comment period from the date of publication to address new comments not previously raised in the original comment process.
After having received over 150 comments on proposed cybersecurity regulations, the New York Department of Financial Services will delay implementation and initiate a new round of notice and comment on a further revised version of cybersecurity regulations. As we reported previously, NYDFS proposed new cybersecurity regulations for the financial sector in September of this year, and the comment period closed mid-November. NYDFS previously announced that the new rules would be effective January 1, 2017 and that covered entities would have 180 days to comply. Reuters reports that NYDFS will now publish a further revised version of proposed regulations on December 28 for public comment with a new effective date of March 1, 2017.
After almost four years of negotiations, drafting and discussions, the General Data Protection Regulation (GDPR) entered into force earlier this year. Businesses, including insurance companies, now have until May 25, 2018 to meet the new requirements under the GDPR. The GDPR aims to harmonize data protection legislation across the European Economic Area (EEA), making compliance for (re)insurance companies that operate in multiple EEA jurisdictions easier. However, in order to achieve this, the GDPR introduces a number of new requirements that will have a significant, and sometimes onerous, impact on (re)insurance companies. The GDPR is also likely to still be relevant to (re)insurance companies based in the UK despite Brexit, as the GDPR will become law in May 2018, which may be before the UK withdraws from the European Union, and even after withdrawal, the GDPR will continue to apply to UK companies that process data on EEA residents. Some of the key provisions of the GDPR that are of particular relevance for the insurance and reinsurance industry are summarized below.
On May 24-25, 2016, the Cybersecurity (EX) Task Force of the National Association of Insurance Commissioners (NAIC) held a two-day interim meeting in Washington, D.C. to discuss the Task Force’s preliminary draft of a model law outlining data security standards applicable to insurance licensees. The Draft Insurance Data Security Model Law (“the Draft Model Law”), first released for public comment on March 2, 2016, would apply to all licensed insurers, producers and other persons licensed or required to be licensed (or authorized or required to be authorized, or registered or required to be registered) pursuant to state insurance laws (“Insurance Licensees”).
In Travelers Indemnity Company of America v. Portal Healthcare Solutions, LLC, No. 14-1944 (4th Cir. Apr. 11, 2016), the U.S. Court of Appeals for the 4th Circuit affirmed the judgment on the reasoning of the federal district court in Virginia (No. 1:13-cv-00917-GBL-IDD), holding that Travelers had a duty to defend Portal in an underlying class action alleging online publication by Portal of confidential patient medical information pursuant to two commercial general liability (CGL) policies Travelers issued to Portal in 2012 and 2013.
On December 17, 2015, the Executive/Plenary Committees of the National Association of Insurance Commissioners (NAIC) unanimously adopted an amended version of the Cybersecurity “Bill of Rights.” Renamed the “NAIC Roadmap for Cybersecurity Consumer Protections,” the document now states that while the NAIC believes consumers are entitled to the delineated protections, not all are currently provided for under state law.
In a November 9, 2015 letter to members of the Financial and Banking Information Infrastructure Committee (“FBIIC”), the Acting Superintendent of the New York Department of Financial Services (“NY DFS”) outlined key elements of potential new regulations by the NY DFS addressing cybersecurity risk (“Cybersecurity Proposal”) and encouraged FBIIC members to work with the NY DFS in developing a comprehensive cybersecurity framework for all regulated financial institutions. The NY DFS regulates entities and products that are subject to New York insurance, banking and financial services laws. The FBIIC is composed of state and federal agencies that regulate companies and products in the financial services sector, including the U.S. Securities and Exchange Commission (“SEC”), the Office of the Comptroller of the Currency (“OCC”) and the National Association of Insurance Commissioners (“NAIC”). The stated goal of the NY DFS is to stimulate dialogue among federal and state financial regulators to promote collaboration and, ultimately, regulatory convergence.