ARTICLE
28 December 2018

US States' Patchwork Of Cybersecurity Regulations Will Increase Compliance Burden

Clyde & Co

Contributor

Clyde & Co is a leading, sector-focused global law firm with 415 partners, 2200 legal professionals and 3800 staff in over 50 offices and associated offices on six continents. The firm specialises in the sectors that move, build and power our connected world and the insurance that underpins it, namely: transport, infrastructure, energy, trade & commodities and insurance. With a strong focus on developed and emerging markets, the firm is one of the fastest growing law firms in the world with ambitious plans for further growth.
No federal law that would harmonize requirements expected.
United States Technology

Since March 2017, insurers and insurance intermediaries licensed in New York have become subject to stringent new cybersecurity regulations, which have been rolled out gradually and will go into full effect by March 2019. In 2017, the National Association of Insurance Commissioners (NAIC) also adopted the Insurance Data Security Law (NAIC Model). South Carolina became the first state to adopt the NAIC Model in May 2018. Although the NAIC Model is similar to New York's cybersecurity regulations, there are certain differences between them, and the states can add further deviations from New York's cybersecurity regulations as they adopt the NAIC Model into their own laws and regulations.

In 2019, other states will likely follow with the adoption of the NAIC Model or other cybersecurity laws and regulations that will apply to insurance licensees. At this time, there is no realistic expectation for a federal law that would preempt the states' cybersecurity regulations for the insurance industry and set harmonized requirements across the country.

As a result, even insurers and insurance intermediaries well-accustomed to navigating the differences among the US states' insurance laws, regulations and regulatory approaches will face a patchwork of cybersecurity requirements across the US. Even if the different states' requirements for cybersecurity end up being broadly similar, such that a licensee that meets the highest standards and requirements could satisfy the requirements across the US states, the different states will likely impose a range of new requirements, such as the annual certifications of compliance required by New York, which will mean an additional compliance burden. For global insurance groups juggling the requirements of the EU's GDPR and similar laws being implemented around the world, navigating and complying with the range of cybersecurity requirements for the insurance industry across the US states will add further complexity to cybersecurity compliance efforts.

You can read the rest of our insurance predictions here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
