On Thursday, April 16, 2015, the Cybersecurity Task Force of the National Association of Insurance Commissioners (NAIC) adopted the “Principles for Effective Cybersecurity Insurance Regulatory Guidance.” Monica J. Lindeen, the NAIC President and Montana Commissioner of Securities and Insurance noted that these 12 principles “will serve as the foundation for protection of sensitive consumer information held by insurers as well as insurance producers and guide regulators who oversee the insurance industry.”
The press release announcing the adoption notes:
The document identifies types of safeguards regulators expect insurers to have in place to protect consumers from cybersecurity breaches. The twelve principles adopted direct insurers, producers, and other regulated entities to join forces in identifying risks and adopting practical solutions to protect information entrusted to them. The guiding principles are intended to establish insurance regulatory guidance that promotes coordination and protects insurance consumers.
The principles include:
Principle 1: State insurance regulators have a responsibility to ensure that personally identifiable consumer information held by insurers, producers and other regulated entities is protected from cybersecurity risks. Additionally, state insurance regulators should mandate that these entities have systems in place to alert consumers in a timely manner in the event of a cybersecurity breach. State insurance regulators should collaborate with insurers, insurance producers and the federal government to achieve a consistent, coordinated approach.
Principle 2: Confidential and/or personally identifiable consumer information data that is collected, stored and transferred inside or outside of an insurer’s, insurance producer’s or other regulated entity’s network should be appropriately safeguarded.
Principle 3: State insurance regulators have a responsibility to protect information that is collected, stored and transferred inside or outside of an insurance department or at the NAIC. This information includes insurers’ or insurance producers’ confidential information, as well as personally identifiable consumer information. In the event of a breach, those affected should be alerted in a timely manner.
Principle 4: Cybersecurity regulatory guidance for insurers and insurance producers must be flexible, scalable, practical and consistent with nationally recognized efforts such as those embodied in the National Institute of Standards and Technology (NIST) framework.
Principle 5: Regulatory guidance must be risk-based and must consider the resources of the insurer or insurance producer, with the caveat that a minimum set of cybersecurity standards must be in place for all insurers and insurance producers that are physically connected to the Internet and/or other public data networks, regardless of size and scope of operations.
Principle 6: State insurance regulators should provide appropriate regulatory oversight, which includes, but is not limited to, conducting risk-based financial examinations and/or market conduct examinations regarding cybersecurity.
Principle 7: Planning for incident response by insurers, insurance producers, other regulated entities and state insurance regulators is an essential component to an effective cybersecurity program.
Principle 8: Insurers, insurance producers, other regulated entities and state insurance regulatorsshould take appropriate steps to ensure that third parties and service providers have controls in place to protect personally identifiable information.
Principle 9: Cybersecurity risks should be incorporated and addressed as part of an insurer’s or an insurance producer’s enterprise risk management (ERM) process. Cybersecurity transcends the information technology department and must include all facets of an organization.
Principle 10: Information technology internal audit findings that present a material risk to an insurer should be reviewed with the insurer’s board of directors or appropriate committee thereof.
Principle 11: It is essential for insurers and insurance producers to use an information-sharing and analysis organization (ISAO) to share information and stay informed regarding emerging threats or vulnerabilities, as well as physical threat intelligence analysis and sharing.
Principle 12: Periodic and timely training, paired with an assessment, for employees of insurers and insurance producers, as well as other regulated entities and other third parties, regarding cybersecurity issues is essential.
The adoption of these principles comes on the heels of a request by the New York State Department of Financial Services requesting detailed cyber security reports from insurers in New York State.