On September 21, the National Association of Insurance Commissioners (the NAIC) IT Examination Working Group (the Working Group) adopted amendments to the IT section of the Financial Condition Examiners Handbook (the Handbook) to strengthen the Handbook’s already existing cybersecurity guidance. Charged with improving this guidance, the Working Group compared the Handbook’s guidance to the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Additionally, the Working Group incorporated into the adopted amendments many of the suggestions received from state departments of insurance and interested parties, including (a) emphasizing that an examiner should consider the size and complexity of an insurer, the laws and regulations to which the insurer is subject, and the volume and type of sensitive information obtained by the insurer; (b) detailing the roles of an insurer’s board of directors and senior management; and (c) clarifying that IT examiners can leverage the work of outside auditors.

The adopted amendments instruct examiners to assess whether an insurer has proper procedures in place to manage cybersecurity risks, including:

  • Identification. Insurers should devote resources to the identification of cybersecurity risks and conduct a cybersecurity risk assessment process that includes some amount of management and/or board involvement, appropriate to the distinct roles of the board and senior management, as well as a sufficient level of technical expertise to ensure that issues are well understood and responded to appropriately.
  • Prevention. A robust prevention strategy should (a) include a combination of strong policies, system and network access controls, and data security protection, as appropriate to the broad security environment in which the insurer is operating, including the volume and type of sensitive information obtained, maintained or transmitted by the insurer, the security laws and regulations to which it is subject, its size and complexity, and the nature and scope of its activities; (b) address risks presented by third-party access to network information; and (c) include employee training that details risk-prevention objectives and the importance of an employee’s assigned responsibilities.
  • Detection. Insurers should have a strong set of detective controls that enable timely identification and mitigation of threats that may include anti-virus and anti-malware software, as well as network monitoring.
  • Response and Recovery. Insurers should have an incident response plan that may leverage concepts from the insurer’s broader disaster recovery plan, but may also require unique considerations since recovering from a cybersecurity incident involves consideration of an IT-specific event. Notwithstanding, the examiner should note that network threats and incidents are not rare events like environmental incidents.

Upon adoption, Working Group Chair Patrick McNaughton (WA) emphasized that maintaining adequate cybersecurity guidance will be an ongoing task and that the Working Group must be “ever vigilant” in this area.