We’re joined by Simon Glairy, a recognized expert in insurance and Insurtech, whose work in risk management and AI-driven assessment has put him at the forefront of the industry’s digital evolution. With data security becoming a critical battleground for insurers, we’ll dive into the practical realities of complying with stringent regulations like Delaware’s Insurance Data Security Act. Our conversation will explore the intense pressure of annual compliance certifications, the rapid-response actions required after a cybersecurity breach, the complexities of managing third-party vendor risks, and the delicate art of maintaining customer trust when a data incident occurs.
With Delaware insurers facing that crucial February 15 compliance certification deadline each year, what do you see as the most critical components of the required written statement? Could you walk us through the process a domiciled insurer should follow to prepare that affidavit and avoid the all-too-common last-minute scramble?
That February 15 deadline feels like it looms over the entire first quarter for many insurers. The most critical piece isn’t just the signed affidavit itself, but the robust, documented reality it represents. Regulators want to see a living, breathing information security program, not a piece of paper. This means your written statement must confidently assert that you have conducted thorough risk assessments, identified threats, and implemented corresponding safeguards. To avoid that last-minute panic, the process has to be continuous. It should start on February 16 of the prior year, with ongoing monitoring, regular updates to your risk assessments, and meticulous documentation of any incidents or changes. The teams that do this best treat it like a year-round operational function, so when January arrives, they’re simply compiling the evidence, not creating it from scratch.
When a cybersecurity event is confirmed, the clock starts ticking incredibly fast—licensees must notify the Department of Insurance within just three business days. Can you describe the steps involved in an initial investigation to confirm a breach and gather all the necessary details under such an intense deadline?
Those first 72 hours are an absolute pressure cooker. The moment an anomaly is detected, the primary goal is to confirm if it’s a genuine cybersecurity event. This isn’t a time for assumptions. You must immediately mobilize your incident response team to determine what happened, how it happened, and the scope of the potential data compromise. This involves forensic analysis to trace the path of the breach and identify exactly what nonpublic information was accessed. The challenge is gathering enough specific detail for the notification—like discovery and occurrence dates and the types of information affected—while the investigation is still very much in motion. It requires a calm, methodical approach in the midst of chaos, all to meet that three-business-day window for getting the initial report to the state.
The Act’s mandate for overseeing third-party service providers became effective back in August 2021, yet it’s an area where many still struggle. What are the key elements of a robust third-party risk management program, and what kind of due diligence do you think regulators really expect to see?
This is about so much more than just having a clause in a contract. A truly robust program begins with exhaustive due diligence before you even sign with a vendor. You need to scrutinize their security posture, their own compliance history, and their incident response plans as if they were your own. Regulators expect to see evidence of this deep dive. After onboarding, the work continues with ongoing monitoring. This includes periodic risk assessments of your vendors, reviewing their security audits, and having clear protocols for how they will notify you if they experience a breach. The expectation is that you are actively managing the risk, not just delegating it. You must be able to prove that you are holding your partners accountable for protecting the consumer data you’ve entrusted to them.
The regulations provide exemptions for certain small or HIPAA-regulated licensees. For an insurer who believes they qualify, what’s the process for confirming their status, and what data security best practices should they still implement to safeguard consumer information?
Claiming an exemption requires careful and formal justification. The first step is a thorough internal review with legal counsel to confirm you squarely meet the statutory criteria, whether it’s based on size or because you’re already subject to HIPAA’s stringent security rules. This determination must be documented and ready for review if the Commissioner ever investigates. However, an exemption from certain parts of the Act is not a free pass on security. A data breach is reputationally devastating regardless of your size. Therefore, even exempt licensees should implement core best practices: conduct regular risk assessments, maintain a written security policy, train employees on data handling, and have a clear plan for responding to an incident. These fundamentals protect your consumers and your business, which is the ultimate goal.
When a data breach impacts consumers, the law mandates offering one year of free credit monitoring. From your perspective, how should an insurer manage the logistics of this, and what other steps are crucial for communicating effectively with affected policyholders to maintain their trust?
The offer of one year of free credit monitoring is the baseline, the tactical response. Logistically, this means having a partnership with a monitoring service ready to go, so you can deploy it quickly and seamlessly to a list of affected individuals within that 60-day notification window. But the real challenge is communication. This is where you win or lose trust. Your notification letter—sent in a closed-faced envelope, of course—must be crystal clear, honest, and empathetic. It should explain what happened in simple terms, what information was involved, and exactly what you are doing to protect them, including the credit monitoring. It’s about showing you take the situation seriously and are taking concrete, meaningful action to help them through it.
What is your forecast for data security regulations in the insurance industry?
I believe we are only seeing the beginning. The trend is toward greater harmonization across states, but also deeper and more prescriptive requirements. I forecast that future regulations will focus more intensely on preventative measures, mandating specific technologies or security frameworks rather than just high-level principles. We’ll likely see increased scrutiny on the security of AI and machine learning models as they become more integrated into underwriting and claims. The bar for “reasonable” security will continuously be raised, and regulators will expect insurers not just to comply, but to demonstrate a sophisticated, proactive, and predictive approach to cybersecurity. It’s shifting from a compliance exercise to a fundamental pillar of business resilience.
