NAIC Insurance Data Security Model Law Compliance


Adopted in the fourth quarter of 2017, the National Association of Insurance Commissioners (NAIC) Data Security Model Law (Model Law) requires insurers and other entities licensed by state insurance departments to develop, implement, and maintain an information security program; investigate any cybersecurity events; and notify the state insurance commissioner of such events.

States are working to introduce and pass this legislation now, and it is our understanding that the US Treasury Department will mandate the Model Law if the states don’t adopt it within five years.

Thales eSecurity provides many of the solutions you need to comply with the Insurance Data Security Model Law’s requirements.

Regulation Summary

According to Section 2 of the act:

The purpose and intent of this Act is to establish standards for data security and standards for the investigation of and notification to the Commissioner of a Cybersecurity Event applicable to Licensees, as defined in Section 3.

Section 3 defines “Licensee” as follows:

“Licensee” means any Person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of this State ….

Section 3 also notes:

“Cybersecurity Event” means an event resulting in unauthorized access to, disruption or misuse of, an Information System or information stored on such Information System.

The term “Cybersecurity Event” does not include the unauthorized acquisition of Encrypted Nonpublic Information if the encryption, process or key is not also acquired, released or used without authorization.

We excerpt below specific Sections of The Model Law with which Thales eSecurity can help your organization comply:

Section 4. Information Security Program

D. Risk Management

Based on its Risk Assessment, the Licensee shall:

(2) Determine which security measures listed below are appropriate and implement such security measures.

(a) Place access controls on Information Systems, including controls to authenticate and permit access only to Authorized Individuals to protect against the unauthorized acquisition of Nonpublic Information;

(d) Protect by encryption or other appropriate means, all Nonpublic Information while being transmitted over an external network and all Nonpublic Information stored on a laptop computer or other portable computing or storage device or media;

(e) Adopt secure development practices for in-house developed applications utilized by the Licensee …;

(g) Utilize effective controls, which may include Multi-Factor Authentication procedures for any individual accessing Nonpublic Information;

(i) Include audit trails within the Information Security Program designed to detect and respond to Cybersecurity Events …;

(k) Develop, implement, and maintain procedures for the secure disposal of Nonpublic Information in any format

Section 5. Investigation of Cybersecurity Event

If the Licensee learns that a Cybersecurity Event has or may have occurred, the Licensee, or an outside vendor and/or service provider designated to act on behalf of the Licensee, shall conduct a prompt investigation.

Compliance Summary

Thales eSecurity can help you meet many of the compliance requirements in the Model Law through the following:

Section 4 D 2 (a) and (g) Place Access Controls on Information Systems

Thales eSecurity’s Vormetric Data Security Manager enables the organization to limit user access privileges to information systems that include nonpublic information.

Section 4 D 2 (d) Protect by encryption or other appropriate means, all Nonpublic Information

Thales eSecurity’s Vormetric Transparent Encryption solution protects data with file and volume level data-at-rest encryption, access controls, and data access audit logging without re-engineering applications, databases or infrastructure. Deployment of the transparent file encryption software is simple, scalable and fast, with agents installed above the file system on servers or virtual machines to enforce data security and compliance policies. Policy and encryption key management are provided by the Vormetric Data Security Manager.

Vormetric Tokenization with Dynamic Masking lets administrators establish policies to return an entire field tokenized or dynamically mask parts of a field. With the solution’s format-preserving tokenization capabilities, managers can restrict access to sensitive assets, yet at the same time, format the protected data in a way that enables users to do their jobs.

To protect data in motion, Thales eSecurity’s Datacryptor 5000 network data encryption solution uses high-assurance encryption methods and state of the art key management techniques to provide robust security, low latency and high performance in Layer 2 and IP networks.

Section 4 D 2 (e) Adopt secure development practices for in-house developed applications

Designed for software vendors of all sizes and for enterprises that develop their own code, the Thales Code Signing Solution enables you to implement high assurance, high-efficiency code signing processes to protect your software from tampering and bring appropriate governance to your software publishing practices.

Section 4 D 2 (i) Include audit trails; and Section 5. Investigation of Cybersecurity Event

Thales eSecurity’s Vormetric Data Security Platform includes Security Intelligence Logs that generate audit trails designed to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operations of the enterprise. These logs also enable investigation of cybersecurity events.

Section 4 D 2 (k) Develop, implement, and maintain procedures for the secure disposal of Nonpublic Information in any format

All Thales eSecurity encryption and tokenization solutions rely on cryptographic keys to encrypt and decrypt data. This means you can selectively “destroy” data simply by destroying the encryption keys for that data: once the key is gone, every copy of the ciphertext, including copies on backup media, becomes unrecoverable.
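The following is an added illustration of that key-destruction approach to disposal, written for this page rather than taken from any Thales product; it assumes a hypothetical per-record key store, and uses HMAC-SHA256 in counter mode as a standard-library stand-in for an AES cipher so it runs without extra packages.

```python
import hashlib
import hmac
import secrets

def _subkey(key, label):
    # Separate keystream and MAC keys derived from the one record key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode stands in for AES-CTR (stdlib only).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key, plaintext):
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))

class RecordStore:
    # Hypothetical design: one key per record, so deleting a key disposes of one record.
    def __init__(self):
        self.keys = {}     # stands in for the key manager (e.g. an HSM-backed store)
        self.records = {}  # ciphertext; copies of this may also linger in backups

    def put(self, record_id, data):
        self.keys[record_id] = secrets.token_bytes(32)
        self.records[record_id] = encrypt(self.keys[record_id], data)

    def recoverable(self, record_id):
        return record_id in self.keys

    def get(self, record_id):
        if not self.recoverable(record_id):
            raise KeyError(f"key for {record_id} destroyed; record is unrecoverable")
        return decrypt(self.keys[record_id], self.records[record_id])

    def dispose(self, record_id):
        # Crypto-shredding: only the key is deleted; the ciphertext stays but is now noise.
        del self.keys[record_id]
```

The ciphertext is deliberately left in place after `dispose` to show that disposal does not depend on finding and wiping every copy, only on the key never having left the key manager.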

Working with You

Thales eSecurity can work with you and your third-party service providers to ensure their security meets your own rigorous standards. In addition, Thales has specialized cybersecurity products and services for enterprises using the Cloud, SaaS and other third-party services. These include multi-cloud encryption with centralized key and access control management as well as cloud key management and protection.

Data Sheet : Vormetric Data Security Platform

The Vormetric Data Security Platform makes it efficient to manage data-at-rest security across your entire organization. Built on an extensible infrastructure, Vormetric Data Security Platform products can be deployed individually, while sharing efficient, centralized key management.


Research and Whitepapers : Vormetric Data Security Platform Architecture White Paper

As security teams struggle to contend with more frequent, costly, and sophisticated attacks, data-at-rest encryption becomes an increasingly critical safeguard.


Data Sheet : Datacryptor 5000 Series

The Datacryptor 5000 Series is a family of high-speed data in motion security platforms that deliver high performance encryption at near zero latency. Using advanced connectivity features, the Datacryptor 5000 Series secures data through Ethernet and IPv4/IPv6 Wide Area Networks. Industry-unique throughput optimization techniques ensure up to 95% network efficiency over Metro Carrier Ethernet, IP, cellular, and SATCOM networks. While other solutions merely encrypt data, Datacryptors provide a complete security solution that scales from simple point-to-point to many hundreds of endpoints.


White Paper : Vormetric Security Intelligence with SIEM Integration

Vormetric Security Intelligence logs are granular event logs that produce an auditable trail of permitted and denied access attempts from users and processes, delivering detailed insight into file access activities. These logs can flag unusual or improper data access and accelerate the detection of insider threats, hackers, and advanced persistent threats (APTs) that have bypassed perimeter security. With pre-defined dashboards and reports available, Vormetric Security Intelligence integrates easily with Security Information and Event Management (SIEM) tools. This white paper describes the integration of Vormetric Security Intelligence logs with the Splunk, HP ArcSight and IBM QRadar SIEM tools, and details the generated log messages and the sample reports that can be built from them.


White Paper : Vormetric Tokenization with Dynamic Data Masking

For too many IT organizations, complying with the Payment Card Industry Data Security Standard (PCI DSS) and corporate security policies has been far too costly, complex, and time consuming. Now, Thales eSecurity offers a better way. Vormetric Tokenization with Dynamic Data Masking helps your security team address its compliance objectives while gaining breakthroughs in operational efficiency.


Solution Briefs : Database Encryption Solutions

In today’s enterprises, databases house some of the most highly sensitive, tightly regulated data—the very data that is sought after by malicious insiders and external attackers. To safeguard against the kinds of database attacks that have dominated security headlines recently, organizations are increasingly implementing strong database encryption strategies.

Download this solution brief to learn how Thales can help you protect your critical data against both insider and external threats.


Other key data protection and security regulations

NYDFS Cybersecurity

Active now

The New York State Cybersecurity Requirements for Financial Services Companies, or 23 NYCRR Part 500, took effect March 1, 2017. Covered entities “will be required to annually prepare and submit to the superintendent a Certification of Compliance with New York State Department of Financial Services Cybersecurity Regulations.”


NCUA FFIEC Standards

Active now

The National Credit Union Administration conducts audits of credit unions based on principles and standards outlined by the Federal Financial Institutions Examination Council (FFIEC). The FFIEC standards call for numerous security controls, including data access controls, encryption and key management and security monitoring.


Monetary Authority of Singapore (MAS) Guidance

Active now

The Technology Risk Management (TRM) Guidelines are statements of industry best practices which financial institutions (FIs) are expected to adopt, and the degree to which an FI observes the spirit of the TRM Guidelines will be taken into account by MAS in its risk assessment of that FI. These guidelines apply to any FI doing business in Singapore.
