Proposed model law could beef up U.S. insurers’ cyber risk management

New cyber-related obligations being proposed south of the border, if approved, could promote more rigorous cyber risk management practices in the U.S. insurance market, Fitch Ratings suggests.

The CyberSecurity Working Group of the National Association of Insurance Commissioners (NAIC) has approved a new Insurance Data Security Model Law, notes a statement issued on Wednesday by the ratings firm.

The framework establishes industry standards for data security that will apply to a broad range of parties, including insurance companies, agents and brokers.

The proposals “motivate insurers to incorporate cyber security into their overall enterprise risk management and corporate governance practices,” Fitch Ratings notes.

The key provisions on the cyber risk management side include “minimum practices of board and senior management reporting and oversight of information security practices, and monitoring of third-party service provider arrangements and the outcome of cyber security events.”

Attacks can compromise data or disrupt websites, Fitch Ratings notes, carrying the potential for detrimental financial, operational or reputational consequences.

The anticipated benefit of beefed up cyber risk management, though, could be somewhat dampened by additional insurer compliance costs and associated risks of penalties for compliance violations, the statement points out.

Related: Cyber threat landscape growing, potential for emergence of destruction of service attacks: Cisco

Moving forward, the proposal will need to receive the approval of both the Innovation and Technology Task Force and NAIC Executive Committee to be a considered a model law.

“Organizations will be required to have a written information security program for protecting sensitive data, including incident response and data recovery plans to demonstrate their preparedness for cyber events,” Fitch Ratings reports.

As well, “companies will have to certify compliance annually to their state insurance commissioner and give notification of data breaches within 72 hours,” the firm adds.

As it stands, Fitch Ratings points out the proposed model law is credit-neutral for the U.S insurance sector and largely complementary to other federal and state regulations for cyber security.

“Application of model laws require state-by-state approval, which will take considerable time, and some individual states may adopt their own approaches to regulating insurers’ cyber security,” the statement notes.

Related: Global cyber attacks expected to up demand for related insurance, U.S. market could grow 10-fold: Fitch Ratings

Fitch Ratings states that the insurers it rates “have largely enhanced their data protection and network security practices in response to the growing threat of cyber attacks.” That said, they still “face challenges in keeping pace with technological change and the resourcefulness of computer hackers.”

Compliance challenges could be more pronounced for smaller insurance companies and distributors.

“Smaller organizations may have data security practices that fit the nature and scale of their business, but may need to allocate significant new resources and bear significant costs to meet the requirements of the model law,” Fitch Ratings suggests.

It is anticipated that “demand for cyber liability insurance coverage may expand for entities subject to the model law’s requirements,” the statement notes.

Related: Cyber line expected to be one of the leading P&C growth areas in the U.S. over the next few years: A.M. Best

Although cyber insurance has been a profitable business line for a number of specialist underwriters, Fitch Ratings cautions that “as an emerging peril with limited historical loss data for pricing purposes, untested and varying policy language and terms, and challenges in quantifying risk aggregations and catastrophe loss potential, it presents considerable uncertainty for insurers.”

Related: U.S. National Association of Insurance Commissioners adopts Cybersecurity Bill of Rights