Regulation Summary

According to Section 2 of the Act:
The purpose and intent of this Act is to establish standards for data security and standards for the investigation of and notification to the Commissioner of a Cybersecurity Event applicable to Licensees, as defined in Section 3.
Section 3 defines “Licensee” as follows:
“Licensee” means any Person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of this State ….
Section 3 also notes:
“Cybersecurity Event” means an event resulting in unauthorized access to, disruption or misuse of, an Information System or information stored on such Information System.
The term “Cybersecurity Event” does not include the unauthorized acquisition of Encrypted Nonpublic Information if the encryption, process or key is not also acquired, released or used without authorization.
We excerpt below specific Sections of The Model Law with which Thales eSecurity can help your organization comply:
Section 4. Information Security Program
D. Risk Management
Based on its Risk Assessment, the Licensee shall:
(2) Determine which security measures listed below are appropriate and implement such security measures.
(a) Place access controls on Information Systems, including controls to authenticate and permit access only to Authorized Individuals to protect against the unauthorized acquisition of Nonpublic Information;
(d) Protect by encryption or other appropriate means, all Nonpublic Information while being transmitted over an external network and all Nonpublic Information stored on a laptop computer or other portable computing or storage device or media;
(e) Adopt secure development practices for in-house developed applications utilized by the Licensee …;
(g) Utilize effective controls, which may include Multi-Factor Authentication procedures for any individual accessing Nonpublic Information;
(i) Include audit trails within the Information Security Program designed to detect and respond to Cybersecurity Events …;
(k) Develop, implement, and maintain procedures for the secure disposal of Nonpublic Information in any format.
Section 5. Investigation of Cybersecurity Event
If the Licensee learns that a Cybersecurity Event has or may have occurred, the Licensee, or an outside vendor and/or service provider designated to act on behalf of the Licensee, shall conduct a prompt investigation.