June 10, 2016

Industry Update: NAIC Spring Meetings

By: Leslie Kosal

This spring, NAIC hosted two national conferences: the NAIC Spring 2016 National Meeting in New Orleans at the beginning of April and the Insurance Summit in Kansas City May 16 - 20. The Insurance Summit is a new event that combines separate conferences, including the E-Reg Conference, TechEx, Financial Summit, Market Regulation Summit, PIO Forum, CIPR Symposium and Continuing Legal Education Seminar

Major themes for both events included Cybersecurity and uniformity.

Let's start with Cybersecurity.

Since sensitive personal data must be shared with insurance companies, the industry is an obvious target for cyber-attacks. All the stakeholders in the insurance industry and insurance regulation have a vested interest in advancing cybersecurity.

In March, the NAIC's Cybersecurity Task Force released an initial draft of the Insurance Data Security Model Law and invited public comment. The purpose of the new model law is to "establish the exclusive standards for data security and investigation and notification of a breach of data security applicable to licenses in this state."

In his opening session remarks in New Orleans, NAIC President, John M. Huff, explained the importance of this model law. "Recognizing that one size does not fit all, the model allows for licensees to tailor their information security programs depending on size, complexity, nature, and scope of activities, as well as the sensitivity of consumer information to be protected."

At the Cybersecurity (EX) Task Force meeting on April 4 in New Orleans, NAIC stated that the new model law is intended to replace four separate previous NAIC model laws relating to cybersecurity.

While the number of model laws may be streamlined, general feedback from interested parties was that the language did not achieve practical uniformity.

Objections by trade groups and other interested parties included comments that the language is too broad, allows too much variation between states, and imposes the same requirements on the smallest producers as it does on the largest carriers.

The NAIC model law would exist in addition any other bills introduced in Congress, such as the Data Security Act. The NAIC believes that the proposed federal bill "undermines the existing authority of insurance regulators" and results "in lower consumer protection in the process."

Here are just a few additional points raised by industry in response to the release of the Insurance Data Security Model Law:

• 47 states already have laws for cybersecurity
• Preemption of a federal law is likely to be problematic
• Based on current language, licensing with major software companies like Microsoft would be "impossible"
• Each commissioner would review the consumer notice, resulting in differences at state level

?as for uniformity

Roger Sevigny, Commissioner from New Hampshire and Chair of the Producer Licensing Task Force, and Keith Kuzmich, from the California Department of Insurance and the new Chair of the Producer Licensing Working Group (PLWG), stressed uniformity in sessions this spring. With new licensing directors in many states, the working group will be reviewing state compliance with the uniform standards.

Moving forward, the Uniform Education Subgroup of the PLWG moved forward language for classroom standards, and will be proposing changes to the CER (CE reciprocity) course application in 2016, for implementation in 2017.

Other topics of note:

• CLAIM Act (HR 2998): Often referred to as "NARAB for Adjusters", this bill is still pending but the sponsoring legislator is not running for reelection. NAIC continues to have discussions with the adjuster trade groups about their desire for uniformity and reciprocity in this area.
• Additional NARAB Board members have been nominated this spring, bringing the total to 4 industry and 3 insurance commissioners. Until the nomination process is complete enough to constitute a quorum, there will be no decisions or clarifications about how NARAB would be implemented.

Security continues to be a top priority for Vertafore. We will continue to invest heavily in security improvements to ensure we protect customer information.

---