The regulatory floor for insurance cybersecurity has risen sharply in the past 24 months. The final phased requirement of New York's Second Amendment to 23 NYCRR Part 500 takes effect November 1, 2025, and the NAIC Insurance Data Security Model Law (#668) has been adopted by 28 jurisdictions per the NAIC State Adoption Brief. Carriers that also touch protected health information or card-present transactions face overlapping HIPAA insurance compliance and PCI DSS insurance obligations. This whitepaper lays out how Quick Silver Systems operationalizes NYDFS 500 compliance, MFA insurance controls, and practical insurance data protection inside the Mercury Policy and Claims Administration System — with field-tested patterns that carriers, MGAs, and TPAs can deploy without rebuilding their core.
Insurance has always been data-rich, but the perimeter has moved. Claim files now include medical narratives, bank routing numbers, vehicle telemetry, and card tokens — data regulators treat as sensitive under at least four frameworks. Attacker sophistication has also accelerated. Deloitte estimates that 10% of P&C claims are fraudulent, producing an annual loss of roughly US$122 billion — much of it now enabled by synthetic-identity and deepfake tooling that a decade ago required a nation-state budget.
Regulators have responded. The NYDFS Second Amendment introduced phased obligations running from December 1, 2023 through November 1, 2025, and the Model Law is being adopted state by state with only modest textual drift. For a mid-sized carrier writing in ten states, the practical result is a layered control set: a national baseline from the Model Law, a stricter ceiling from New York, and vertical overlays on the specific data flows that touch health and card data.
The NAIC Insurance Data Security Model Law establishes a common framework that each state adapts into licensee-facing statute. Its core obligations are familiar to any CISO: conduct a documented risk assessment, maintain a written information security program, designate accountability at the board or senior-officer level, oversee third-party service providers, and notify the commissioner of a cybersecurity event — typically within 72 hours — when statutory thresholds are met. The official NAIC cybersecurity hub tracks implementing regulations and commissioner guidance for each state.
What has changed in 2025 is coverage. According to the August 2025 NAIC brief, 28 jurisdictions have now implemented Model Law #668. For a national carrier, that means the Model Law is effectively the operating baseline; bespoke state variations still exist but are narrowing.
Per the NAIC State Adoption Brief, the jurisdictions that have adopted Model Law #668 are: Alabama, Alaska, Connecticut, Delaware, Hawaii, Illinois, Indiana, Iowa, Kentucky, Louisiana, Maine, Maryland, Michigan, Minnesota, Mississippi, Missouri, New Hampshire, North Dakota, Ohio, Oklahoma, Pennsylvania, Puerto Rico, Rhode Island, South Carolina, Tennessee, Vermont, Virginia, and Wisconsin. Carriers licensed in any of these 28 should treat the Model Law's written information security program, third-party oversight, and 72-hour notification requirements as table stakes.
NYDFS 500 compliance sets the highest watermark for any entity licensed in New York. The Second Amendment, published in late 2023, is rolling out in four major phases. As Johnson Lambert summarizes, the amendment raises board accountability, introduces a "Class A" tier for the largest covered entities, tightens incident notification to 72 hours, and requires multi-factor authentication across substantially all privileged and remote access — not just for administrators.
The practical timeline matters for program planning. Flexera notes that the general compliance date for many of the amended provisions was April 29, 2024, with subsequent phases that added asset-management, vulnerability-management, and encryption expectations through 2025.
Two vertical frameworks layer on top of the state baseline. HIPAA insurance compliance applies whenever a carrier, TPA, or MGA handles protected health information — most commonly in Workers' Compensation, accident and health, long-term care, and any bodily-injury liability line where medical records are part of the claim file. Even carriers that are not "covered entities" become "business associates" of hospitals and provider networks, inheriting the Security Rule's administrative, physical, and technical safeguards by contract.
PCI DSS insurance touchpoints arise wherever card data is accepted — premium payments, deductible collection, and refund disbursement via card rails. The practical answer for most carriers is tokenization: the Mercury platform never stores PAN (primary account number) data; it stores a merchant-gateway token and the last four digits. Systems that never see PAN fall largely outside PCI DSS's most onerous network-segmentation and key-management obligations.
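The tokenization pattern described above, as an added illustration that is not Mercury's or Quick Silver Systems' code: the PAN is handled only transiently, handed to a gateway stand-in (the `FakeGateway` class here is hypothetical; a real deployment calls the merchant gateway's own tokenization API), and the persisted record keeps only the gateway token and the last four digits. The `contains_pan` scanner and the `safe_persist` write-path guard show the defensive check a carrier would want: a Luhn-valid, card-number-shaped digit run must never reach storage or logs. The sample card number is the widely published Visa test number, not a real account.

```python
import json
import re
import secrets
import string
from dataclasses import asdict, dataclass

# Constructed sample input: the standard Visa test PAN, not a live card.
SAMPLE_PAN = "4111 1111 1111 1111"


def luhn_valid(digits: str) -> bool:
    """Luhn checksum over a string of ASCII digits (True when the check digit is consistent)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def detect_brand(pan: str) -> str:
    """Simplified first-digit heuristic, enough to label the stored record for display."""
    return {"4": "visa", "5": "mastercard", "3": "amex"}.get(pan[0], "other")


class FakeGateway:
    """Hypothetical stand-in for the merchant gateway: the only component that ever holds a PAN.

    Tokens are built from letters only so no token can ever look like a card number."""

    def __init__(self) -> None:
        self._vault: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        token = "tok_" + "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))
        self._vault[token] = pan
        return token


@dataclass(frozen=True)
class StoredPayment:
    """What the policy/claims system is allowed to persist: token, last four, brand. No PAN."""
    gateway_token: str
    last_four: str
    brand: str


def tokenize_card(raw_pan: str, gateway: FakeGateway) -> StoredPayment:
    """Validate the PAN in memory, exchange it for a gateway token, and return the storable record."""
    pan = re.sub(r"\D", "", raw_pan)
    if not (13 <= len(pan) <= 19) or not luhn_valid(pan):
        raise ValueError("input is not a well-formed card number")
    return StoredPayment(
        gateway_token=gateway.tokenize(pan),
        last_four=pan[-4:],
        brand=detect_brand(pan),
    )


# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
_PAN_SHAPED = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def contains_pan(text: str) -> bool:
    """Detection check: does this serialized record or log line contain a Luhn-valid card number?"""
    for match in _PAN_SHAPED.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return True
    return False


def safe_persist(record: dict) -> str:
    """Write-path guard: serialize a record for storage, refusing anything that carries a PAN."""
    serialized = json.dumps(record, sort_keys=True)
    if contains_pan(serialized):
        raise ValueError("refusing to persist a record containing a primary account number")
    return serialized


if __name__ == "__main__":
    stored = tokenize_card(SAMPLE_PAN, FakeGateway())
    print(safe_persist(asdict(stored)))          # token, last four, brand only
    try:
        safe_persist({"pan": SAMPLE_PAN})         # the anti-pattern: raises
    except ValueError as exc:
        print("blocked:", exc)
```

Keeping the PAN scanner on the write path (and on log emitters) turns the "we never store PAN" claim into something an examiner can see enforced rather than asserted.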
| Regulation | Applies To | Key Control Requirement | Breach Notification Window |
|---|---|---|---|
| NYDFS 23 NYCRR Part 500 | Entities holding a NY insurance license | Board-overseen CISO program, MFA, encryption, annual pen test | 72 hours to NYDFS |
| NAIC Model Law #668 | Licensees in 28 adopting jurisdictions | Written information security program, third-party oversight | 72 hours to state commissioner |
| HIPAA Security Rule | Carriers/TPAs handling PHI (WC, A&H, BI liability) | Administrative, physical, technical safeguards; audit logs | 60 days (HHS & individuals) |
| PCI DSS v4.0.1 | Any entity accepting card payments | Tokenization, segmentation, quarterly scans | Per card-brand contract (typically immediate) |
| GDPR (for international carriers) | Carriers with EU data subjects | Lawful-basis tracking, DPIA, data-subject rights | 72 hours to supervisory authority |
Four control families do most of the regulatory work. Deployed correctly, they satisfy the overlapping demands of NYDFS, the Model Law, HIPAA, and PCI DSS simultaneously.
The era of best-effort insurance cybersecurity is over. With NYDFS Part 500 fully phased in as of November 1, 2025 and the NAIC Insurance Data Security Model Law adopted in 28 jurisdictions, examiners now arrive expecting evidence — of board oversight, of documented risk assessments, of MFA coverage, of 72-hour notification rehearsals, and of third-party risk management. Carriers, MGAs, and TPAs that rely on ad-hoc documentation will find examinations painful; those that have industrialized their control evidence inside their core platform will find them routine.
The good news is that one well-designed control set can satisfy most of the overlap. Phishing-resistant MFA, tokenized card handling, encrypted PHI, continuous monitoring, and a tested notification runbook together cover the practical majority of overlapping obligations. Mercury is built to make those controls the default, not an overlay — so compliance becomes a byproduct of running the business, not a parallel workstream.
Quick Silver Systems would welcome the opportunity to walk through your current control inventory and show how Mercury's insurance data protection patterns can close the last-mile gaps before your next exam.
Quick Silver Systems has delivered Mercury Policy and Claims Administration System deployments with NYDFS, NAIC Model Law, HIPAA, and PCI DSS controls across commercial auto, Workers' Comp, and specialty lines. Contact us for a scoping conversation tailored to your regulatory footprint.