Americas

Another Cybersecurity Wake Up Call: Connecticut Insurance Department Issues Guidance on Cyber Law Set to go Into Effect

Image

 

By Judith A. Selby and Heather D. McArn, Partners at Hinshaw

Covered entities received two cybersecurity wake up calls from insurance regulators in July. As we have reported, the New York State Department of Financial Services (DFS) issued its long-awaited first cyber enforcement action pursuant to its groundbreaking and first-in-nation cybersecurity regulation. In addition, the Connecticut Insurance Department issued a Bulletin to all licensees, providing guidance for compliance with the Connecticut Insurance Data Security Law (the Act), which goes into effect on October 1, 2020. The Act was modeled after the National Association of Insurance Commissioners Model Cybersecurity Law, which itself was modeled after the DFS cybersecurity regulation.

In the July bulletin, the Insurance Department highlighted a number of important sections of the Act, including the following requirements:

Information Security Program
Licensees must develop, implement, and maintain a comprehensive written information security program (ISP) that complies with the Act by October 1, 2020. The ISP must be based on a risk assessment and contain safeguards for the protection of both nonpublic information and the licensee's information systems.

Third-Party Service Providers
Covered licensees must exercise due diligence in selecting service providers and must, by October 1, 2021, require each service provider to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that is accessible to and held by the service provider.

Annual Certification by Domestic Insurers
Annually, beginning February 15, 2021, non-exempt Connecticut domestic insurers must certify compliance with the Act.

Cybersecurity Event Investigations
Licensees or an outside service provider must conduct a prompt investigation in accordance with the Act after learning of a “cybersecurity event,” which is defined as “an event resulting in any unauthorized access to, or disruption or misuse of, an information system or the nonpublic information stored thereon, except if: (A) The event involves the unauthorized acquisition of encrypted nonpublic information if the encryption process for such information or encryption key to such information is not acquired, released or used without authorization; or (B) the event involves access of nonpublic information by an unauthorized person and the licensee determines that such information has not been used or released and has been returned or destroyed.”

Notification of a Cybersecurity Event
Licensees must provide notice of cybersecurity events to the Insurance Commissioner as promptly as possible, but in no event later than three business days after the date of the event when either (1) Connecticut is, in the case of an insurer, the state of domicile, in the case of a producer, the home state of the producer; or (2) the licensee reasonably believes that the event involves nonpublic information of 250 or more consumers residing in Connecticut and state or federal laws require notification to a government entity, or there is a reasonable likelihood of material harm to Connecticut consumers or the licensee’s normal operations.

Notification to Consumers
Licensees must comply with Connecticut's data breach notification law and also provide a copy of any required notice to the Insurance Commissioner.

Notice Regarding Cybersecurity Events of Reinsurers
Licensees acting as an assuming insurer must notify affected ceding insurers and its domiciliary regulator of a cybersecurity event involving nonpublic information that is used by such assuming insurer or in its possession, custody or control when it is acting as an assuming insurer with no direct contractual relationship with affected consumers not later than 72 hours after the assuming insurer discovered that the cybersecurity event has occurred.

Notice by Insurers to Producers of Record
If the cybersecurity event involves nonpublic information that is in the possession, custody or control of an licensee acting as an insurer or a third-party service provider for an insurer, the Act requires the insurer to notify the producer of record for any affected consumer residing in this state who accessed services through an independent insurance producer of the occurrence of such event not later than the time at which notice is provided to such consumer, provided the insurer has the current producer of record information for such individual consumer.

In light of the recent DFS enforcement action and the upcoming effective date of the Connecticut Act, insurers and other covered entities are urged to assess their compliance with these cyber mandates and implement policies and procedures to achieve and maintain ongoing compliance.

Trending
Share this Post:
Posted by Judith Selby
Judy is a Partner at Hinshaw in New York City. For more than 25 years, Judy Selby has served as a trusted advisor to insurers across a wide variety of industries. Focused primarily on insurance coverage matters, Judy represents clients in all phases of large scale, complex first and third party insurance issues. She has extensive experience handling insurance coverage trials in the U.S. and international arbitrations in London. Judy also helps clients navigate insurance due diligence in connection with mergers and acquisitions, as well as run off and adverse development cover transactions. In recent years, Judy has also expanded her practice to accommodate emerging technology risk, by focusing on matters involving cyber and data privacy. Operating at the intersection of cybersecurity and insurance coverage, she has counseled clients on cyber policy adoption, and also provided compliance advice regarding privacy and cybersecurity laws and regulations. 
Posted by Heather McArn
Heather is a Partner in the New York City office of Hinshaw. Heather McArn advises financial services businesses on regulatory compliance, the integration of financial technology with business operations, and on data governance, cyber security, and incident-response best practices. She prepares clients for regulatory exams, and advises them on responding to regulator inquiries and investigations, as well as the creation and implementation of policies and procedures to meet evolving requirements. Heather has extensive experience handling corporate restructuring and insolvency matters. Over the course of her career, she has represented debtors, creditors, financial institutions, trustees, and examiners in connection with large chapter 11 restructurings, transactions, and compliance investigations, including Lehman Brothers, General Motors, and MF Global.

Advertisement

Ad

Related articles

AkinovA becomes the First New Regulated Insurance Marketplace for 150 Years

LONDON, 20 January 2021 - AkinovA (Bermuda) Ltd, the wholly-owned Bermuda trading subsidiary of AkinovA Limited, has been granted the first “Insurance Marketplace Provider” licence by the Bermuda...

The World Needs to Wake Up to Long-Term Risks

In 2020, the world saw the catastrophic effects of ignoring long-term risks such as pandemics, now an immediate risk according to the Global Risks Report 2021 released today The COVID-19 pandemic...

Aon CEO Greg Case Recognized as Top Ally on INvolve OUTstanding LGBT+ Ally Executives List

Case named number one on annual list that celebrates businesspeople who are driving inclusion in the workplace CHICAGO, Jan. 19, 2021 /PRNewswire/ -- Aon plc (NYSE: AON), a leading global...

RT Specialty Announces New Binding Authority Leadership Team

JANUARY 12, 2021 | CHICAGO, IL – RT Specialty is pleased to announce the new leadership team for its national binding authority operations, RT Binding Authority. Leading RT Binding Authority is President...

Chubb Appoints Jeremiah Konz Chief Reinsurance Officer

ZURICH, Jan. 12, 2021 /PRNewswire/ -- Chubb today announced that Jeremiah Konz has been appointed Chief Reinsurance Officer.  Currently, Mr. Konz is Executive Vice President, Reinsurance...

Chubb Names Michael Kessler Global Head of Company's Cyber Risk Insurance Business

ZURICH, Jan. 12, 2021 /PRNewswire/ -- Chubb today announced that Michael Kessler has been appointed Division President of the company's global cyber risk insurance business. ...