The National Association of Insurance Commissioners (NAIC) Cybersecurity Task Force adopted Principles for Effective Cybersecurity Insurance Regulatory Guidance on April 16, 2015. The document identifies types of safeguards regulators expect insurers to have in place to protect consumers from cybersecurity breaches. The guiding principles are intended to establish insurance regulatory guidance that promotes coordination and protects insurance consumers.
The principles themselves say that “[s]tate insurance regulators should collaborate with insurers, insurance producers and the federal government to achieve a consistent, coordinated approach” to cybersecurity. While not promoting any specific security protocols, the guidelines provide that regulatory guidance should be “flexible, scalable, practical and consistent with nationally recognized efforts such as those embodied in the National Institute of Standards and Technology (NIST) framework.” In addition, insurance industry members are urged to take steps to safeguard confidential, personally identifiable consumer information, put in place incident response plans and employee training programs, ensure third parties and service providers have controls to protect sensitive data, and incorporate cybersecurity risks into their enterprise risk management process.
Echoing a broad theme sounded by the White House earlier this year, the principles call for the insurance industry to use an information-sharing and analysis organization (ISAO) to share information and stay informed regarding emerging threats or vulnerabilities, as well as for physical threat intelligence analysis and sharing.
“These principles will serve as the foundation for protection of sensitive consumer information held by insurers as well as insurance producers and guide regulators who oversee the insurance industry,” said Monica J. Lindeen, NAIC President and Montana Commissioner of Securities and Insurance.