Fitch Ratings expects the National Association of Insurance Commissioner’s (NAIC) recently approved Insurance Data Security Model Law to drive more rigorous cyber risk management in the U.S. insurance sector, but does warn of the potential for increased compliance costs.
The NAIC has sought to establish industry standards for data security that will apply to insurers, brokers, and agents. Under the new framework, companies will have to have a written information security program that protects sensitive data, which also includes incident response and data recovery plans.
Fitch says that the new model law is credit-neutral for the U.S. insurance industry, and explains that generally, insurers it rates have now enhanced their data protection and network security practices, in light of the growing threat of cyber attacks around the world.
Insurance and reinsurance companies hold a lot of sensitive customer data, which is likely attractive to hackers, and the new NAIC framework aims to mitigate the potential impact and improve the U.S. insurance sector’s cyber risk management practices and cyber risk awareness.
“Companies will have to certify compliance annually to their state insurance commissioner and give notification of data breaches within 72 hours. The model law will also motivate insurers to incorporate cybersecurity into their overall enterprise risk management and corporate governance practices.
“Key provisions include minimum practices of board and senior management reporting and oversight of information security practices, and monitoring of third party service provider
arrangements and the outcome of cybersecurity events,” explains Fitch.
According to Fitch, smaller insurers might struggle to meet the requirements of the new model law, and may need to allocate significant new resources which is likely to result in higher compliance costs in order to meet the requirements.
In light of this, demand for cyber liability cover might increase for firms subject to the new model law, explains Fitch.
“Cyber insurance has been a profitable business line for a number of specialist underwriters. However, as an emerging peril with limited historical loss data for pricing purposes, untested and varying policy language and terms and challenges in quantifying risk aggregations and catastrophe loss potential, it presents considerable uncertainty for insurers,” concludes Fitch.
