Another Cybersecurity Wake Up Call: Connecticut Insurance Department Issues Guidance on Cyber Law Set to go Into Effect



By Judith A. Selby and Heather D. McArn, Partners at Hinshaw

Covered entities received two cybersecurity wake up calls from insurance regulators in July. As we have reported, the New York State Department of Financial Services (DFS) issued its long-awaited first cyber enforcement action pursuant to its groundbreaking and first-in-nation cybersecurity regulation. In addition, the Connecticut Insurance Department issued a Bulletin to all licensees, providing guidance for compliance with the Connecticut Insurance Data Security Law (the Act), which goes into effect on October 1, 2020. The Act was modeled after the National Association of Insurance Commissioners Model Cybersecurity Law, which itself was modeled after the DFS cybersecurity regulation.

In the July bulletin, the Insurance Department highlighted a number of important sections of the Act, including the following requirements:

Information Security Program
Licensees must develop, implement, and maintain a comprehensive written information security program (ISP) that complies with the Act by October 1, 2020. The ISP must be based on a risk assessment and contain safeguards for the protection of both nonpublic information and the licensee's information systems.

Third-Party Service Providers
Covered licensees must exercise due diligence in selecting service providers and must, by October 1, 2021, require each service provider to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that is accessible to and held by the service provider.

Annual Certification by Domestic Insurers
Annually, beginning February 15, 2021, non-exempt Connecticut domestic insurers must certify compliance with the Act.

Cybersecurity Event Investigations
Licensees or an outside service provider must conduct a prompt investigation in accordance with the Act after learning of a “cybersecurity event,” which is defined as “an event resulting in any unauthorized access to, or disruption or misuse of, an information system or the nonpublic information stored thereon, except if: (A) The event involves the unauthorized acquisition of encrypted nonpublic information if the encryption process for such information or encryption key to such information is not acquired, released or used without authorization; or (B) the event involves access of nonpublic information by an unauthorized person and the licensee determines that such information has not been used or released and has been returned or destroyed.”

Notification of a Cybersecurity Event
Licensees must provide notice of cybersecurity events to the Insurance Commissioner as promptly as possible, but in no event later than three business days after the date of the event when either (1) Connecticut is, in the case of an insurer, the state of domicile, in the case of a producer, the home state of the producer; or (2) the licensee reasonably believes that the event involves nonpublic information of 250 or more consumers residing in Connecticut and state or federal laws require notification to a government entity, or there is a reasonable likelihood of material harm to Connecticut consumers or the licensee’s normal operations.

Notification to Consumers
Licensees must comply with Connecticut's data breach notification law and also provide a copy of any required notice to the Insurance Commissioner.

Notice Regarding Cybersecurity Events of Reinsurers
Licensees acting as an assuming insurer must notify affected ceding insurers and its domiciliary regulator of a cybersecurity event involving nonpublic information that is used by such assuming insurer or in its possession, custody or control when it is acting as an assuming insurer with no direct contractual relationship with affected consumers not later than 72 hours after the assuming insurer discovered that the cybersecurity event has occurred.

Notice by Insurers to Producers of Record
If the cybersecurity event involves nonpublic information that is in the possession, custody or control of an licensee acting as an insurer or a third-party service provider for an insurer, the Act requires the insurer to notify the producer of record for any affected consumer residing in this state who accessed services through an independent insurance producer of the occurrence of such event not later than the time at which notice is provided to such consumer, provided the insurer has the current producer of record information for such individual consumer.

In light of the recent DFS enforcement action and the upcoming effective date of the Connecticut Act, insurers and other covered entities are urged to assess their compliance with these cyber mandates and implement policies and procedures to achieve and maintain ongoing compliance.

Share this Post:
Posted by Judith Selby
Judy is a Partner at Hinshaw in New York City. For more than 25 years, Judy Selby has served as a trusted advisor to insurers across a wide variety of industries. Focused primarily on insurance coverage matters, Judy represents clients in all phases of large scale, complex first and third party insurance issues. She has extensive experience handling insurance coverage trials in the U.S. and international arbitrations in London. Judy also helps clients navigate insurance due diligence in connection with mergers and acquisitions, as well as run off and adverse development cover transactions. In recent years, Judy has also expanded her practice to accommodate emerging technology risk, by focusing on matters involving cyber and data privacy. Operating at the intersection of cybersecurity and insurance coverage, she has counseled clients on cyber policy adoption, and also provided compliance advice regarding privacy and cybersecurity laws and regulations. 
Posted by Heather McArn
Heather is a Partner in the New York City office of Hinshaw. Heather McArn advises financial services businesses on regulatory compliance, the integration of financial technology with business operations, and on data governance, cyber security, and incident-response best practices. She prepares clients for regulatory exams, and advises them on responding to regulator inquiries and investigations, as well as the creation and implementation of policies and procedures to meet evolving requirements. Heather has extensive experience handling corporate restructuring and insolvency matters. Over the course of her career, she has represented debtors, creditors, financial institutions, trustees, and examiners in connection with large chapter 11 restructurings, transactions, and compliance investigations, including Lehman Brothers, General Motors, and MF Global.



Related articles

Aon launches Alternative Distribution platform in London

Aon plc (NYSE: AON), a leading global professional services firm providing a broad range of risk, retirement and health solutions, today announced the launch of Alternative Distribution – a London...

Combined Insurance Launches New Online Accident Product

Leading supplemental insurance carrier expands consumer access to affordable accident coverage CHICAGO, Oct. 19, 2020 /PRNewswire/ -- Combined Insurance, a Chubb company, announced today the...

Zurich offers new risk management app to help improve safety, quality and insights at construction job sites

Schaumburg, Ill., Oct. 19, 2020 – Zurich North America Insurance is offering a new construction app through Zurich Services Corporation designed to help its construction customers manage their risks and...

Cyber-related ransomware and business interruption top concerns of risk managers

Tenth year of Zurich’s Advisen Cyber Survey reveals a more sophisticated cyber insurance buyer:  percentage of respondents with cyber coverage increased from 34 to 80 percent since 2011 Schaumburg,...

AIR Worldwide Estimates Insured Losses for Hurricane Delta Will be Between USD 1 Billion and USD 3 Billion

BOSTON, Oct. 14, 2020 — Catastrophe risk modeling firm AIR Worldwide estimates that industry insured losses to onshore property resulting from Hurricane Delta’s winds and storm surge will range from USD...

Katherine Keefe Joins Marsh to Lead US Cyber Incident Management

Marsh, the world’s leading insurance broker and risk advisor, today announced the appointment of Katherine Keefe, a globally recognized leader in cyber incident response, as US Cyber Incident Management...