On April 16, 2015, the National Association of Insurance Commissioners (NAIC) Cyber Security Task Force issued its “Principles for Effective Cybersecurity: Insurance Regulatory Guidance.” The principles are intended to serve as guidance to state insurance regulators in identifying the safeguards that insurers and producers should have in place to protect consumer data from cybersecurity breaches. The document identifies 12 guiding principles that are “intended to establish insurance regulatory guidance that promotes these relationships and protects consumers.” They are:
- Principle 1: Regulators must ensure personally identifiable consumer information held by insurers and producers is protected from cybersecurity risks and that regulated entities have systems in place to alert consumers of a data breach in a timely manner.
- Principle 2: Regulated entities should appropriately safeguard confidential or personally identifiable information they collect, store, and/or transfer inside or outside of their networks.
- Principle 3: State regulators have a responsibility to protect information collected, stored, and transferred inside or outside of their departments or at the NAIC. This includes not just consumers’ information, but insurers’ and producers’ confidential business information as well. In the event of a breach of regulators’ networks, regulators should alert affected parties in a timely manner.
- Principle 4: Regulatory guidance for insurers and producers must be flexible, scalable, practical and consistent with other nationally recognized efforts such as those included in the National Institute of Standards and Technology (NIST) framework.
- Principle 5: Guidance must be risk-based and must consider the resources of the insurer or producer. However, there must be a minimum set of cybersecurity standards in place for all insurers and producers connected to the internet or other public data networks.
- Principle 6: Regulators should provide appropriate oversight, including risk-based financial examinations and/or market conduct exams regarding cybersecurity.
- Principle 7: Incident response planning for insurers, producers, regulated entities and regulators is an essential component of an effective cybersecurity program.
- Principle 8: Appropriate steps should be taken by regulated entities and state regulators to ensure third parties and service providers have controls in place to protect personally identifiable information.
- Principle 9: Cybersecurity risks should be incorporated and addressed as part of an enterprise risk management program. Cybersecurity should not be treated solely as an IT issue, but must involve all facets of the organization, including the C-suite.
- Principle 10: IT internal audit findings showing a material risk to an insurer should be reviewed with the organization’s board of directors or the appropriate board committee.
- Principle 11: Insurers and insurance producers should use information-sharing and analysis organizations (ISAOs) to share information and stay informed on emerging threats, vulnerabilities, intelligence analysis, and threat sharing.
- Principle 12: Periodic cybersecurity training for employees and third parties, paired with an assessment, is essential.
For more information regarding Kay Casto & Chaney’s Data Privacy and Cyber Security practice, contact the firm. Kay Casto attorneys who can assist in this field include Robert Bandy, Jack Hoblitzell, Shannon Smith, and Sam Marsh.