Another Cybersecurity Wake Up Call: Connecticut Insurance Department Issues Guidance on Cyber Law Set to go Into Effect



By Judith A. Selby and Heather D. McArn, Partners at Hinshaw

Covered entities received two cybersecurity wake up calls from insurance regulators in July. As we have reported, the New York State Department of Financial Services (DFS) issued its long-awaited first cyber enforcement action pursuant to its groundbreaking and first-in-nation cybersecurity regulation. In addition, the Connecticut Insurance Department issued a Bulletin to all licensees, providing guidance for compliance with the Connecticut Insurance Data Security Law (the Act), which goes into effect on October 1, 2020. The Act was modeled after the National Association of Insurance Commissioners Model Cybersecurity Law, which itself was modeled after the DFS cybersecurity regulation.

In the July bulletin, the Insurance Department highlighted a number of important sections of the Act, including the following requirements:

Information Security Program
Licensees must develop, implement, and maintain a comprehensive written information security program (ISP) that complies with the Act by October 1, 2020. The ISP must be based on a risk assessment and contain safeguards for the protection of both nonpublic information and the licensee's information systems.

Third-Party Service Providers
Covered licensees must exercise due diligence in selecting service providers and must, by October 1, 2021, require each service provider to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that is accessible to and held by the service provider.

Annual Certification by Domestic Insurers
Annually, beginning February 15, 2021, non-exempt Connecticut domestic insurers must certify compliance with the Act.

Cybersecurity Event Investigations
Licensees or an outside service provider must conduct a prompt investigation in accordance with the Act after learning of a “cybersecurity event,” which is defined as “an event resulting in any unauthorized access to, or disruption or misuse of, an information system or the nonpublic information stored thereon, except if: (A) The event involves the unauthorized acquisition of encrypted nonpublic information if the encryption process for such information or encryption key to such information is not acquired, released or used without authorization; or (B) the event involves access of nonpublic information by an unauthorized person and the licensee determines that such information has not been used or released and has been returned or destroyed.”

Notification of a Cybersecurity Event
Licensees must provide notice of cybersecurity events to the Insurance Commissioner as promptly as possible, but in no event later than three business days after the date of the event when either (1) Connecticut is, in the case of an insurer, the state of domicile, in the case of a producer, the home state of the producer; or (2) the licensee reasonably believes that the event involves nonpublic information of 250 or more consumers residing in Connecticut and state or federal laws require notification to a government entity, or there is a reasonable likelihood of material harm to Connecticut consumers or the licensee’s normal operations.

Notification to Consumers
Licensees must comply with Connecticut's data breach notification law and also provide a copy of any required notice to the Insurance Commissioner.

Notice Regarding Cybersecurity Events of Reinsurers
Licensees acting as an assuming insurer must notify affected ceding insurers and its domiciliary regulator of a cybersecurity event involving nonpublic information that is used by such assuming insurer or in its possession, custody or control when it is acting as an assuming insurer with no direct contractual relationship with affected consumers not later than 72 hours after the assuming insurer discovered that the cybersecurity event has occurred.

Notice by Insurers to Producers of Record
If the cybersecurity event involves nonpublic information that is in the possession, custody or control of an licensee acting as an insurer or a third-party service provider for an insurer, the Act requires the insurer to notify the producer of record for any affected consumer residing in this state who accessed services through an independent insurance producer of the occurrence of such event not later than the time at which notice is provided to such consumer, provided the insurer has the current producer of record information for such individual consumer.

In light of the recent DFS enforcement action and the upcoming effective date of the Connecticut Act, insurers and other covered entities are urged to assess their compliance with these cyber mandates and implement policies and procedures to achieve and maintain ongoing compliance.

Share this Post:
Posted by Heather McArn
Heather is a Partner in the New York City office of Hinshaw. Heather McArn advises financial services businesses on regulatory compliance, the integration of financial technology with business operations, and on data governance, cyber security, and incident-response best practices. She prepares clients for regulatory exams, and advises them on responding to regulator inquiries and investigations, as well as the creation and implementation of policies and procedures to meet evolving requirements. Heather has extensive experience handling corporate restructuring and insolvency matters. Over the course of her career, she has represented debtors, creditors, financial institutions, trustees, and examiners in connection with large chapter 11 restructurings, transactions, and compliance investigations, including Lehman Brothers, General Motors, and MF Global.
Posted by Judith A. Selby

Judy is a Partner at Kennedys in New York City. For more than 25 years, Judy Selby has served as a trusted advisor to insurers across a wide variety of industries. Focused primarily on insurance coverage matters, Judy represents clients in all phases of large scale, complex first and third party insurance issues. She has extensive experience handling insurance coverage trials in the U.S. and international arbitrations in London. Judy also helps clients navigate insurance due diligence in connection with mergers and acquisitions, as well as run off and adverse development cover transactions. In recent years, Judy has also expanded her practice to accommodate emerging technology risk, by focusing on matters involving cyber and data privacy. Operating at the intersection of cybersecurity and insurance coverage, she has counseled clients on cyber policy adoption, and also provided compliance advice regarding privacy and cybersecurity laws and regulations. 


ad ad

Related articles

Patrick Rastiello joins Ardonagh Specialty to lead North America Reinsurance expansion

Ardonagh Specialty has appointed Patrick Rastiello as CEO* of its North American reinsurance operations.   Patrick will be responsible for building Ardonagh Specialty’s US reinsurance...

Global Markets Overview: February 2024

In this Global Markets Overview, we explore our global outlook and share what we think it means for 2024. As...


Risk Management Trailblazer Presented with RIMS Highest Honor for Lifetime Achievement in Risk Management  NEW YORK (February 13, 2024) – At the RIMS New Zealand and Pacific Island...

Insurer’s Lease More Than Doubles Its Chicago Office Space

Sompo International Plans Move to 46-Story Tower at 155 N. Wacker A global specialty insurance provider is more than doubling the size of its Chicago office in a move a few blocks north, bucking the trend...

Haynes and Boone, LLP is pleased to announce that Peter A. Halprin has joined the firm as a Partner

Haynes and Boone, LLP is pleased to welcome Insurance Recovery Partner Peter A. Halprin to the firm’s New York City office. A Chambers USA-ranked attorney, Peter joins from Pasich LLP, where...

LIO Specialty Launches Revolutionary Online Portal for Life Science Insurance Solutions

Leading the Excess and Surplus Lines Market with Innovative Coverage for Cannabis and Nutraceutical Industries  West Conshohocken, PA– LIO Specialty Insurance Company proudly announces the launch...