WIN Magazine - Fall 2017 - 27

combination with certain data elements, can be used to identify the consumer; and
* any information that is created by or derived from a health-care provider or consumer that qualifies as protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA).

In fact, a quick glance at the law reveals that its drafters were influenced significantly by the NYDFS cyber regulations. Like the cyber regulations, the model law requires licensees to develop an information-security program based upon a security assessment, and to investigate and notify regulators of cybersecurity events the licensee sustains. A drafting note in the law states that if a licensee complies with the NYDFS's cyber regulations, then the licensee is deemed to comply with the requirements of the model law. However, the model law also contains some noteworthy differences from the NYDFS cyber regulations regarding the establishment of an information-security program and requirements for investigating and providing notice of a cybersecurity event.

ESTABLISHING AN INFORMATION SECURITY PROGRAM

Like the NYDFS cyber regulations, the model law requires insurers to develop an information-security program designed to protect NPI and the licensee's information systems. The licensee's information-security program must be based upon a risk assessment that identifies reasonably foreseeable internal or external threats (including threats to the security of NPI and information systems accessible to or held by third-party service providers); the likelihood and potential damage of these threats; and the sufficiency of policies, procedures, information systems and other safeguards to manage these threats. Assessments and evaluations of cybersecurity risk must be included in the licensee's enterprise risk management process, and the licensee must remain informed of emerging threats and vulnerabilities. Licensees also are required to develop an incident response plan to address a cybersecurity event.

Consistent with the NYDFS cyber regulations, the model law expressly imposes responsibility upon the licensee's board of directors to oversee the licensee's management of cybersecurity risk. The board of directors must direct senior management to develop, implement and maintain the information-security program, and must receive an annual report on the status of the entity's information-security program, including further assessments and third-party service-provider arrangements. Gone are the days when cybersecurity was an IT or CIO problem. By expressly imposing responsibility upon the licensee's board of directors, the model law increases the directors' and officers' exposure should a cybersecurity incident occur. Like the NYDFS cyber regulations, the model law also requires the licensee to certify in writing to the state commissioner every Feb. 15 that its information-security program complies with the law's requirements. As under the cyber regulations, if there are areas, systems or processes that need improvement or are noncompliant, the licensee must address the issue and identify remedial efforts that are planned or underway to remedy such issues.

Despite similarities between the model law and the NYDFS cyber regulations for establishing an information-security program, there also are some material differences. The model law allows the information-security program to be "commensurate with the size and the complexity of the Licensee, the nature and scope of the Licensee's activities (including the use of third-party vendors), and the sensitivity of the NPI in the Licensee's possession, custody, or control[.]" This qualifier is more akin to the information-security requirements under HIPAA than to the NYDFS cyber regulations.

The model law also requires licensees to implement a risk management program to mitigate identified risks, but the program may be custom-tailored to the size and complexity of the licensee. The model law identifies several security measures that the licensee may implement if it determines the measures are appropriate, including using effective controls for individual access to NPI, implementing audit trails within the program to detect cybersecurity events, and instituting measures to protect against the loss, destruction or damage of NPI due to environmental hazards.