With the 2018 mid-term elections over, the Democratic Party leadership has indicated that the House Financial Committee will broadly focus its legislative agenda toward protecting consumers and investors, preserving financial sector stability, and encouraging responsible innovation in financial technology. Meanwhile, we expect that the Republican-controlled Senate will continue to focus its legislative agenda on remaining refinements not Act (EGRRCPA) passed in 2018. Beyond the dividend Congress, we note that the regulatory agencies are now all led by President Trump appointees who have discretion, subject to Congressional oversight, to calibrate their supervisory policies and programs.
Regardless of what definitive changes lawnmakers and regulators might make, such as the Financial Stability and Oversight Council's recent de-designation of individual insurers as Systemically Important Financial Institutions, insurance organizations should continue to drive effectiveness and efficiencies across their risk and compliance programs so they can meet applicable laws, regulations, and supervisory expectations.
CYBERSECURITY AND DATA PRIVACY
Cybersecurity and privacy are critical issues receiving regulatory attention from every direction.
In an age when hacking and data breaches have become so commonplace that they are almost expected, cybersecurity continues to dominate both the headlines and the regulatory agenda. This includes reporting on the cost of cybercrime (and on the investments organizations are making to enhance their cyber risk management programs), as well as a heightened focus on cybersecurity regulation and compliance.
For insurers to remain competitive, they need the ability to acquire and manage vast quantities of data to provide more relevant coverage for consumers. While marketplace innovations such as wearable computers and Internet of Things provide the ability to collect such data, having access to large volumes of contextual data introduces its own risk, related to unintended processing, loss, and theft. The risk is compounded because of changes in business models, such as adoption of cloud-based storage and computing, use of large-scale process automation, and increased adoption of data processors, to name a few.
US policymakers are keeping pace by introducing unprecedented privacy and cybersecurity laws. Governments outside the US are also focusing on cloud and data residency requirements, limiting the movement of data across borders. A selection of key legislative and regulatory developments is presented below to provide insights into the nature of issues that lawmakers are asking organizations to address.
EU General Data Protection Regulation
This year saw the European Union (EU) General Data Protection Regulation (GDPR) take effect in May 2018. The GDPR regulates the processing by an individual, a company or an organization of personal data relating to individuals in the EU.
Among numerous protections offered by GDPR, consumers need to be informed if their data is moved outside the EU; have the right to be "forgotten"; and must be given a chance to contest the use of automated algorithms. Other rights include the right to object to the use of one's data for marketing purposes, as well as the right to data portability (i.e., the ability to receive one's data in a machine-readable format and send it elsewhere, perhaps to another insurer competing for that consumer's business).
Insurers operating in the EU have numerous obligations under the GDPR-many of which are consistent with other data security regulations-including the obligation to appoint a data protection officer. Data transfers from the EU to the US are covered by the EU-US privacy shield framework.
California Consumer Privacy Act
In the United States, the State of California enacted the California Consumer Privacy Act of 2018 (CCPA), that greatly expands data subject rights and introduces provisions for civil class action lawsuits based on statutory or actual damages. The law takes effect in July 2020.
Although there may still be amendments before the law takes effect, for now it provides California citizens with some similar protections to the GDPR. These include the right to access personal information (and to know how a company uses that information), as well as the right to have information removed in some circumstances.
Among other rights, the CCPA "authorizes a consumer to opt out of the sale of personal information by a business and prohibits the business from discriminating against the consumer for exercising this right, including by charging the consumer who opts out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer's data."
Consumers have a right to private action in response to uncorrected CCPA violations, and the state Attorney General is also empowered to pursue civil penalties. There are certain exemptions that are granted within the law for data that are subject to Health Insurance Portability and Accountability Act (HIPAA) and Gramm-Leach-Bliley Act (GLBA).
New York Department of Financial Services cybersecurity regulation
For US insurers, the New York State Department of Financial Services (NYDFS) regulation was the first of its kind-and the first to directly affect a significant number of insurers. It took effect on March 1, 2017, with a phase-in period concluding on March 1, 2019. The regulation requires nearly 2,000 insurers registered with the state to establish and maintain a risk-based cybersecurity program and supporting capabilities.
The two-year phase-in was intended to provide insurers a glide path toward compliance. Companies subject to the regulation should by now have satisfied most of its requirements, which include: creation of a written cyber security policy; designation of a Chief Information Security Officer (CISO); periodic penetration testing and vulnerability assessment; data preservation that enables accurate reconstruction of all financial transactions; and necessary accounting to respond to a cybersecurity event for at least three years.
To achieve compliance, a company's board of directors must be involved in the creation of standards and must receive regular reports on cybersecurity. In addition, companies are required to file a risk and safeguards assessment in their annual report to regulators.
The next and final phase of the NYDFS regulation--to be completed by March 1, 2019--is the requirement that financial services organizations establish cyber security controls and protocols for third-party risk management (TPRM). This includes requirements related to developing and implementing a TPRM program, maintaining a third-party inventory for service providers that access nonpublic information (NPI) or information systems, and performing due diligence and ongoing monitoring.
It is important to note that the NYDFS regulation expands the scope of covered third parties beyond typical vendors to include all third parties with access to NPI. Given this broad purview, programmatic essentials such as governance, reporting, and broader end-to-end life cycle management are key for the sustainable management of an effective TPRM program.
In the US, the National...