Most cybersecurity professionals are aware of the New York Department of Financial Service’s requirement imposed on DFS-licensed entities to certify their cybersecurity program’s compliance on an annual basis (by April 15th of each year), but less well known is that numerous other states impose similar requirements on regulated insurance entities and that deadline for many states is coming up on February 15, 2021.
The National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law has been adopted in at least 11 states, with several others (including New York) having implemented either older or similar laws or administrative guidance. The NAIC Insurance Data Security Model Law “requires insurers and other entities licensed by a state department of insurance to develop, implement, and maintain an information security program based on its risk assessment….” See State Legislative Brief, NAIC, June 2020.
It also mandates that insurers and other subject to its provisions submit an annual certification of compliance with the law. Of note, the deadline for such certification in five states – Alabama, Delaware, Mississippi, Ohio, and South Carolina – is February 15, 2021. A sixth state – New Hampshire – follows fast on their heels with a certification deadline of March 1, 2021. Once submitted, parties must maintain the records, schedules, and data supporting their annual certificates for a specified period of time (5 years, for example, in the case of Delaware. See Del. Code Ann. Tit. 18 § 8604(i)(2).)
Please contact the Sidley privacy lawyer with whom you work, or the above, if you have any questions about the requirements or timing of such certifications.