This act refers to any business-related information controlled by the insurance providers that would have a material adverse impact if it was disclosed, tampered with or accessed. In addition, the act includes personal customer information such as social security numbers, driver’s license number, banking and credit card information, personal health information and security codes or passwords.
Insurance providers are required to designate staff or an outside vendor to be responsible for the program. The designated entity should be qualified to identify foreseeable internal and external threats that may result in unauthorized access, misuse, or destruction of business records or client information. In conjunction with those duties, the designated entity will ensure that adequate policies and procedures are in place to cover employee training, address data retention and disposal, and cover threat detection, threat prevention, and threat response.
Policies & Plans
A detailed incident response plan must show how the company will react to a cybersecurity event. This detailed plan should address the goals of the incident response plan, assign clear roles and responsibilities of responding parties, establish decision-making authority, outline internal and external communications & information sharing, address the proper documentation and reporting for any incident, identify weaknesses, enact remediation, and evaluate the effectiveness of the incident response plan.
Insurance providers have until July 1, 2019 to meet their specific requirements. All of their third-party service providers must meet the requirements of this act by July 1, 2020, when it becomes fully enforced.