US insurance industry cybersecurity guidelines

Cybersecurity insurance guidelinesThe risks confronting insurers by cybersecurity threats are certainly significant given the nature and amount of data required to conduct business. As organizations review their approach to building and reinforcing their data protection environments, the questions of where to start and what to focus on are inevitable. The U.S. insurance industry’s National Association of Insurance Commissioners (NAIC) has taken the topic head-on and recently issued guidelines that go into immediate effect. The NAIC expects insurers and regulators to implement these guidelines now rather than waiting for individual states to pass legislation.

Through the NAIC Cybersecurity Task Force, principles were drafted and open for public comment in early 2015. The objective of the NAIC’s efforts in this area is to help ensure that the industry is wellprepared for this business risk, thereby protecting consumers of insurance products. The principles also focus on state insurance regulators’ responsibilities in terms of oversight and promoting cooperation with insurers as issues emerge (see sidebar on next page).

The 12 NAIC cybersecurity principles serve as guidance to insurers, producers and state insurance regulators. The principles leverage similar work done in the securities industry by the Securities Industry and Financial Markets Association as well as the National Institute of Standards and Technology (NIST).

Principles for Effective Cybersecurity: Insurance Regulatory Guidance1
Due to ever-increasing cybersecurity issues, it has become clear that it is vital for state insurance regulators to provide effective cybersecurity guidance regarding the protection of the insurance sector’s data security and infrastructure. The insurance industry looks to state insurance regulators to aid in the identification of uniform standards, to promote accountability across the entire insurance sector, and to provide access to essential information. State insurance regulators look to the insurance industry to join forces in identifying risks and offering practical solutions. The guiding principles stated below are intended to establish insurance regulatory guidance that promotes these relationships and protects consumers.

Principle 1: State insurance regulators have a responsibility to ensure that personally identifiable consumer information held by insurers, producers and other regulated entities is protected from cybersecurity risks. Additionally, state insurance regulators should mandate that these entities have systems in place to alert consumers in a timely manner in the event of a cybersecurity breach. State insurance regulators should collaborate with insurers, insurance producers and the federal government to achieve a consistent, coordinated approach.

Principle 2: Confidential and/or personally identifiable consumer information data that is collected, stored and transferred inside or outside of an insurer’s, insurance producer’s or other regulated entity’s network should be appropriately safeguarded.

Principle 3: State insurance regulators have a responsibility to protect information that is collected, stored and transferred inside or outside of an insurance department or at the NAIC. This information includes insurers’ or insurance producers’ confidential information, as well as personally identifiable consumer information. In the event of a breach, those affected should be alerted in a timely manner.

Principle 4: Cybersecurity regulatory guidance for insurers and insurance producers must be flexible, scalable, practical and consistent with nationally recognized efforts such as those embodied in the National Institute of Standards and Technology (NIST) framework.

Principle 5: Regulatory guidance must be risk-based and must consider the resources of the insurer or insurance producer, with the caveat that a minimum set of cybersecurity standards must be in place for all insurers and insurance producers that are physically connected to the Internet and/or other public data networks, regardless of size and scope of operations.

Principle 6: State insurance regulators should provide appropriate regulatory oversight, which includes, but is not limited to, conducting risk-based financial examinations and/or market conduct examinations regarding cybersecurity.

Principle 7: Planning for incident response by insurers, insurance producers, other regulated entities and state insurance regulators is an essential component to an effective cybersecurity program.

Principle 8: Insurers, insurance producers, other regulated entities and state insurance regulators should take appropriate steps to ensure that third parties and service providers have controls in place to protect personally identifiable information.2

Principle 9: Cybersecurity risks should be incorporated and addressed as part of an insurer’s or an insurance producer’s enterprise risk management (ERM) process. Cybersecurity transcends the information technology department and must include all facets of an organization.

Principle 10: Information technology internal audit findings that present a material risk to an insurer should be reviewed with the insurer’s board of directors or appropriate committee thereof.

Principle 11: It is essential for insurers and insurance producers to use an information-sharing and analysis organization (ISAO) to share information and stay informed regarding emerging threats or vulnerabilities, as well as physical threat intelligence analysis and sharing.

Principle 12: Periodic and timely training, paired with an assessment, for employees of insurers and insurance producers, as well as other regulated entities and other third parties, regarding cybersecurity issues is essential.

Highlights of specific requirements are worth noting:
  • Covered entities (insurers and producers) need to address cyberrisk in their enterprise risk management process (e.g., ORSA).
  • The board of directors (responsible board committee) is to review any material IT internal audit findings.
  • The covered entity must stay informed of cyberthreats through the use of an informationsharing organization.
  • Several principles address state insurance regulators’ responsibilities, including providing guidance in their state that is “flexible, scalable, practical and consistent” with nationally recognized standards such as NIST.
  • Along with reinforcing fundamental data privacy principles around data collection, storage, use and destruction, the guidelines identify incident response planning as a basic component of a sound cybersecurity environment.

Your next steps With the continued risk of poor cybersecurity in the headlines and the increased focus by regulators, the topic needs to be high on senior managements’ agenda. It is clear that data privacy is good business. Consider benchmarking your current cybersecurity program through an independent assessment of both your IT controls and your data privacy program maturity. This investment now can help minimize such issues down the road and serve as a readiness step for your next market conduct exam.

Download the PDF.

Contacts John Swanick
U.S. Insurance Leader
T +1 215 814 4070
M +1 610 246 2156

Mark Lastner
Managing Director
U.S. Insurance Regulatory
Practice Leader
T +1 215 814 1750
M +1 267 844 2029

Matthew Cassidy
Insurance Practice
T +1 215 814 4073
M +1 610 774 4190

1 National Association of Insurance Commissioners Cybersecurity Task Force, “Principles for Effective Cybersecurity: Insurance Regulatory Guidance,” April 16,2015.
2 These principles have been derived from the Securities Industry and Financial Markets Association’s “Principles for Effective Cybersecurity Regulatory Guidance.”