NAIC Adopts Cybersecurity Regulatory Principles - What's Important to the Regulators
File this under: A View Into What the Regulators Deem Important. The National Association of Insurance Commissioners (NAIC), the standard-setting organization in the U.S. insurance industry created and governed by the chief insurance regulators from the 50 states, the District of Columbia, and five U.S. territories, recently published its “Principles for Effective Cybersecurity: Insurance Regulatory Guidance” (the “NAIC Guidance”).
Prepared by the NAIC Cybersecurity Task Force based on similar guidance issued by the Securities Industry and Financial Markets Association (SIFMA) last year, the NAIC Guidance is intended to:
- serve as a foundation for the type of controls regulators expect insurers and insurance producers to implement to safeguard sensitive consumer information and other confidential information entrusted to them from cybersecurity threats;
- assist state insurance regulators with the preparation of effective cybersecurity regulatory guidance for the insurance sector; and
- promote cooperation between regulators and the insurance industry in identifying and addressing cybersecurity risks.
The NAIC Guidance consists of twelve principles which are all centered on the protection of the insurance sector’s infrastructure and data from cyber attacks. Principles 1, 3, 4, 5, and 6 are addressed to state insurance regulators and provide that:
- state insurance regulators have a responsibility to: (a) ensure that personally identifiable consumer information held by insurers, insurance producers (collectively, “Covered Entities”) or other regulated entities is safeguarded from cybersecurity risks; (b) mandate that Covered Entities have systems in place to alert consumers of a cybersecurity breach in a timely manner; and (c) protect information collected, stored, and transferred inside or outside of an insurance department or at the NAIC, such as confidential information of Covered Entities and personally identifiable consumer information, and, in the event of a breach, alert affected entities and individuals in a timely manner;
- state insurance regulators should: (a) collaborate with Covered Entities and the federal government to set up a uniform and coordinated approach, and (b) provide appropriate regulatory oversight, such as, for example, conducting risk-based financial examinations and/or cybersecurity examinations of Covered Entities; and
- cybersecurity guidance for Covered Entities must be: (a) “flexible, scalable, practical, and consistent” with nationally recognized standards, such as the NIST Cybersecurity Framework, and (b) risk-based, taking into account the resources of the Covered Entity; however, a minimum set of cybersecurity controls must be implemented by all Covered Entities connected to the Internet and/or other public data networks, regardless of the size and operations of the Covered Entity.
Principles 2, 9, 10, 11, and 12 are addressed to Covered Entities and other regulated entities and provide that:
- confidential and personally identifiable consumer information collected, stored and transferred inside or outside a Covered Entity’s or other regulated entity’s network should be adequately protected;
- cybersecurity risks should be a part of and addressed as a part of a Covered Entity’s enterprise risk management process;
- an insurer’s board of directors or the applicable committee of the board of directors should review information technology internal audit findings presenting a material risk to the insurer; and
- it is critical for: (a) Covered Entities to use an information-sharing and analysis organization (ISAO) to share information and stay informed of emerging cyber threats and vulnerabilities as well as physical threats, and (b) Covered Entities and other regulated entities to conduct periodic cybersecurity training and assessments for their employees and other third parties.
Principles 7 and 8, addressed to state insurance regulators, Covered Entities and other regulated entities alike: (a) recommend that each of the foregoing take appropriate measures to ensure that service providers and other third parties have controls in place to protect personally identifiable information, and (b) identify incident response planning as an essential component of an effective cybersecurity program.
While the NAIC Guidance outlines only the very basic components of a cybersecurity program, insurers, insurance producers and other regulated entities in the insurance industry should become familiar with these guiding principles and, if they have not already done so, incorporate them into their enterprise risk management program, so that they focus on the same requirements as their regulators.