Client Alert: New Model Insurance Cybersecurity Law on the Horizon

Sep 25, 2020

The Insurance Data Security Model Law proposed by the National Association of Insurance Commissioners (NAIC) in 2017 has now been fully enacted in eleven (11) states. New legislative initiatives for cybersecurity directed specifically at the insurance industry are currently underway in several other states. In the states that have enacted the NAIC’s model standard, compliance requirements are phased in for companies that fall within the scope of the law.

As proposed by the NAIC, the model law creates rules for insurers, agents and brokers, and other insurance professionals regarding data and information security, as well as standards for the investigation and notification of cybersecurity events. The NAIC model law requires insurers and brokers to:

  • Implement an information security program;
  • Implement security measures based on a risk assessment of internal and external threats;
  • Investigate the scope and extent of cybersecurity incidents; and
  • Notify state insurance commissioners of a confirmed cybersecurity event, which is any incident resulting in unauthorized access to, or disruption or misuse of, an information system or information stored on the system.

Under the NAIC law, state insurance commissioners are given regulatory oversight power to confirm compliance with the law and to require remediation of data security deficiencies.  The model law allows small business exemptions and does not create a private cause of action.

Even if your state has not yet adopted the NAIC model law[1], insurance professionals should devise and implement information security programs and perform regular risk assessments of internal and external threats. We advise all clients to carefully analyze the scope and extent of cybersecurity events, and we regularly act as “breach counsel” to companies facing cybersecurity and privacy occurrences to assist in this analysis. The NAIC cybersecurity standards are best practices for all insurance industry professionals.


For additional information, or with any questions or more specific situations, please contact any of the following: Stuart Anolik, Gal N. Kaufman, Michael S Khoury or Stuart Panensky.


[1] The states that have adopted the model law in some form are Alabama, Connecticut, Delaware, Indiana, Louisiana, Michigan, Mississippi, New Hampshire, Ohio, South Carolina and Virginia.

© 2020 FisherBroyles LLP