NAIC Taking the Initiative on Cybersecurity Issues

The National Association of Insurance Commissioners (NAIC) has taken an important initiative on cybersecurity, which is a major problem in our society today. As a first step, the NAIC has adopted its Guiding Principles for Cybersecurity, as well as new reporting requirements for insurers to monitor cyber insurance policies to protect consumers.

The Guiding Principles for Cybersecurity look to state insurance regulators to provide effective cybersecurity guidance. They were derived from the Securities Industry and Financial Markets Association’s (SIFMA) Principles for Effective Cybersecurity Regulatory Guidance, which contains 12 principles. In summary, the 12 principles are as follows:

Principles for Effective Cybersecurity Regulatory Guidance

PRINCIPLE 1: State insurance regulators have a responsibility to ensure that personally identifiable consumer information held by insurers, producers and other regulated entities is protected from cybersecurity risks. Additionally, state insurance regulators should mandate that these entities have systems in place to alert consumers in a timely manner in the event of a cybersecurity breach. State insurance regulators should collaborate with all responsible parties (insurers, insurance producers and the federal government) to achieve a consistent, coordinated approach.
PRINCIPLE 2: Confidential and/or personally identifiable consumer information data that is collected and stored should be appropriately safeguarded.
PRINCIPLE 3: State insurance regulators have a responsibility to protect information that is collected, stored and transferred inside or outside of an insurance department or at the NAIC and in the event of a breach, those affected should be alerted in a timely manner.
PRINCIPLE 4: Cybersecurity regulatory guidance for insurers and insurance producers must be flexible, scalable, practical and consistent with nationally recognized efforts such as those embodied in the National Institute of Standards and Technology (NIST) framework.
PRINCIPLE 5: Regulatory guidance must be risk-based and must consider the resources of the insurer or insurance producer, with the caveat that a minimum set of cybersecurity standards must be in place for all insurers and insurance producers that are physically connected to the Internet and/or other public data networks, regardless of size and scope of operations.

PRINCIPLE 6: State insurance regulators should provide appropriate regulatory oversight, which includes, but is not limited to, conducting risk-based financial examinations and/or market conduct examinations regarding cybersecurity.
PRINCIPLE 7: Planning for incident response by insurers, insurance producers, other regulated entities and state insurance regulators is an essential component to an effective cybersecurity program.
PRINCIPLE 8: Insurers, insurance producers, other regulated entities and state insurance regulators should take appropriate steps to ensure that third parties and service providers have controls in place to protect personally identifiable information.
PRINCIPLE 9: Cybersecurity risks should be incorporated and addressed as part of an insurer’s or an insurance producer’s enterprise risk management (ERM) process. Cybersecurity transcends the information technology department and must include all facets of an organization.
PRINCIPLE 10: Information technology internal audit findings that present a material risk to an insurer should be reviewed with the insurer’s board of directors or appropriate committee thereof.
PRINCIPLE 11: It is essential for insurers and insurance producers to use an information-sharing and analysis organization (ISAO) to share information and stay informed regarding emerging threats or vulnerabilities, as well as physical threat intelligence analysis and sharing.
PRINCIPLE 12: Periodic and timely training, paired with an assessment, for employees of insurers and insurance producers, as well as other regulated entities and other third parties, regarding cybersecurity issues is essential.

Cybersecurity Initiatives

The NAIC has also launched three other cybersecurity initiatives:

  1. The NAIC Cybersecurity Task Force released a Consumer Cybersecurity Bill of Rights for public comment, which is intended to set standards for helping consumers if their personal information is compromised. The Task Force expects to adopt these standards by the end of August 2015.
  2. The Cybersecurity Task Force is also coordinating with state insurance regulators to conduct examinations of insurance companies to verify that they are taking steps to protect confidential personal information.
  3. The NAIC is co-sponsoring a forum on September 10, 2015 with the Center for Strategic and International Studies (CSIS) entitled “Cyber Risk Management and Insurance” where experts, policy makers and business leaders will discuss cyber risks and how best to manage those risks.

Please contact a member of WS+B’s Insurance Services Group at [email protected] for further questions or assistance.

Leonard Hecht, CPA
609-520-1188
lhec[email protected]

The information contained herein is not necessarily all inclusive, does not constitute legal or any other advice, and should not be relied upon without first consulting with appropriate qualified professionals.