Another Cybersecurity Wake Up Call: Connecticut Insurance Department Issues Guidance on Cyber Law Set to go Into Effect



By Judith A. Selby and Heather D. McArn, Partners at Hinshaw

Covered entities received two cybersecurity wake up calls from insurance regulators in July. As we have reported, the New York State Department of Financial Services (DFS) issued its long-awaited first cyber enforcement action pursuant to its groundbreaking and first-in-nation cybersecurity regulation. In addition, the Connecticut Insurance Department issued a Bulletin to all licensees, providing guidance for compliance with the Connecticut Insurance Data Security Law (the Act), which goes into effect on October 1, 2020. The Act was modeled after the National Association of Insurance Commissioners Model Cybersecurity Law, which itself was modeled after the DFS cybersecurity regulation.

In the July bulletin, the Insurance Department highlighted a number of important sections of the Act, including the following requirements:

Information Security Program
Licensees must develop, implement, and maintain a comprehensive written information security program (ISP) that complies with the Act by October 1, 2020. The ISP must be based on a risk assessment and contain safeguards for the protection of both nonpublic information and the licensee's information systems.

Third-Party Service Providers
Covered licensees must exercise due diligence in selecting service providers and must, by October 1, 2021, require each service provider to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that is accessible to and held by the service provider.

Annual Certification by Domestic Insurers
Annually, beginning February 15, 2021, non-exempt Connecticut domestic insurers must certify compliance with the Act.

Cybersecurity Event Investigations
Licensees or an outside service provider must conduct a prompt investigation in accordance with the Act after learning of a “cybersecurity event,” which is defined as “an event resulting in any unauthorized access to, or disruption or misuse of, an information system or the nonpublic information stored thereon, except if: (A) The event involves the unauthorized acquisition of encrypted nonpublic information if the encryption process for such information or encryption key to such information is not acquired, released or used without authorization; or (B) the event involves access of nonpublic information by an unauthorized person and the licensee determines that such information has not been used or released and has been returned or destroyed.”

Notification of a Cybersecurity Event
Licensees must provide notice of cybersecurity events to the Insurance Commissioner as promptly as possible, but in no event later than three business days after the date of the event when either (1) Connecticut is, in the case of an insurer, the state of domicile, in the case of a producer, the home state of the producer; or (2) the licensee reasonably believes that the event involves nonpublic information of 250 or more consumers residing in Connecticut and state or federal laws require notification to a government entity, or there is a reasonable likelihood of material harm to Connecticut consumers or the licensee’s normal operations.

Notification to Consumers
Licensees must comply with Connecticut's data breach notification law and also provide a copy of any required notice to the Insurance Commissioner.

Notice Regarding Cybersecurity Events of Reinsurers
Licensees acting as an assuming insurer must notify affected ceding insurers and its domiciliary regulator of a cybersecurity event involving nonpublic information that is used by such assuming insurer or in its possession, custody or control when it is acting as an assuming insurer with no direct contractual relationship with affected consumers not later than 72 hours after the assuming insurer discovered that the cybersecurity event has occurred.

Notice by Insurers to Producers of Record
If the cybersecurity event involves nonpublic information that is in the possession, custody or control of an licensee acting as an insurer or a third-party service provider for an insurer, the Act requires the insurer to notify the producer of record for any affected consumer residing in this state who accessed services through an independent insurance producer of the occurrence of such event not later than the time at which notice is provided to such consumer, provided the insurer has the current producer of record information for such individual consumer.

In light of the recent DFS enforcement action and the upcoming effective date of the Connecticut Act, insurers and other covered entities are urged to assess their compliance with these cyber mandates and implement policies and procedures to achieve and maintain ongoing compliance.

Share this Post:
Posted by Heather McArn
Heather is a Partner in the New York City office of Hinshaw. Heather McArn advises financial services businesses on regulatory compliance, the integration of financial technology with business operations, and on data governance, cyber security, and incident-response best practices. She prepares clients for regulatory exams, and advises them on responding to regulator inquiries and investigations, as well as the creation and implementation of policies and procedures to meet evolving requirements. Heather has extensive experience handling corporate restructuring and insolvency matters. Over the course of her career, she has represented debtors, creditors, financial institutions, trustees, and examiners in connection with large chapter 11 restructurings, transactions, and compliance investigations, including Lehman Brothers, General Motors, and MF Global.
Posted by Judith A. Selby

Judy is a Partner at Kennedys in New York City. For more than 25 years, Judy Selby has served as a trusted advisor to insurers across a wide variety of industries. Focused primarily on insurance coverage matters, Judy represents clients in all phases of large scale, complex first and third party insurance issues. She has extensive experience handling insurance coverage trials in the U.S. and international arbitrations in London. Judy also helps clients navigate insurance due diligence in connection with mergers and acquisitions, as well as run off and adverse development cover transactions. In recent years, Judy has also expanded her practice to accommodate emerging technology risk, by focusing on matters involving cyber and data privacy. Operating at the intersection of cybersecurity and insurance coverage, she has counseled clients on cyber policy adoption, and also provided compliance advice regarding privacy and cybersecurity laws and regulations. 


ad ad

Related articles

Aleksander Soriano Promoted to Account Manager at RT Specialty

Hamilton, New Jersey (September 22, 2021) – Aleksander Soriano has been promoted to account manager within the Environmental and Construction Professional (ECP) Practice of RT Specialty. Since...

Sasria registers over 95% of claims, as more pay-outs are made

Photo credit: Shutterstock/Gareth_Bargate JOHANNESBURG – Tuesday, 24 August 2021: Following last month’s unfortunate unrests in Gauteng and KwaZulu-Natal, the Sasria SOC Ltd (Sasria) has registered...

Risk Management lessons from Surfside for Commercial Real Estate Owners

The following is sourced from Arthur J. Gallagher and written by Caley LaRue, Senior Vice President. Office: Chicago, IL (312) 803-6294 What lessons can we learn and apply to...

Arthur J. Gallagher & Co. Acquires Files Agribusiness, LLC

ROLLING MEADOWS, Ill., Sept. 21, 2021 /PRNewswire/ -- Arthur J. Gallagher & Co. today announced the acquisition of Bastrop, La.-based Files Agribusiness, LLC. Terms of the transaction were...

New Campaign Takes on Breed Restrictions Used to Deny Housing Insurance

August 23, 2021 - Animal Farm Foundation (AFF) announced the launch of the Dogs, People, and Housing Insurance Project to end exclusionary dog breed restrictions in the housing insurance industry. These...

Survey of Middle Market Companies Reveals Increasing Importance of Risk Management

Seventy-nine percent of middle market companies indicate that risk management is "extremely" or "very" important to their businesses WHITEHOUSE STATION, N.J., Sept. 21, 2021 /PRNewswire/ --...