The Cybersecurity Task Force of the National Association of Insurance Commissioners (NAIC) has released formal guidance outlining the data security safeguards that the insurance industry and state insurance regulators should implement to ensure that sensitive information and the industry’s data infrastructure are protected from cybersecurity intrusions.
Released on April 16, 2015, the NAIC’s “Principles for Effective Cybersecurity: Insurance Regulatory Guidance” outlines 12 principles for the protection of confidential and/or personally identifiable consumer information held by insurers, insurance producers and other entities regulated by state insurance regulators.
With one exception, the principles do not introduce new compliance burdens and generally reflect the industry’s existing best practices. However, in light of the recent high-profile data breaches at Trustmark Insurance Company, CareFirst BlueCross BlueShield, Premera Blue Cross, and Anthem, the NAIC guidance is a healthy reminder to the insurance industry that the implementation and maintenance of robust cybersecurity measures helps to minimize the risks of data breaches.
12 Steps to Cyberwellness
The NAIC guidance is a scant one—only one and one-third pages long—but it outlines the NAIC’s expectations of the industry and state regulators, as follows:
- Principles 2, 7, 8, 9, 10, 11, and 12: To-Do List for Industry
The NAIC guidance affirms that “[c]ybersecurity transcends the information technology department and must include all facets of an organization.” The guidance notes that essential components of an effective cybersecurity program are planning for breach-incident responses by insurers, insurance producers, and other regulated entities, and periodic and timely training and assessments for employees and third-party service providers. All entities should take appropriate steps to ensure that third-party service providers who may have access to information have controls in place to protect this information from unauthorized access.
Cybersecurity risks should also be incorporated into and addressed as part of an entity’s enterprise risk management (ERM) process. Any information technology findings in any internal audit review that present a material risk should be escalated to the entity’s board of directors.
The NAIC guidance notes thatconfidential and/or personally identifiable consumer information that is collected, stored, and transferred within or outside an entity’s network should be safeguarded to minimize breach exposure. However, not all data sharing needs such safeguards. The guidance notes that it is “essential” for insurers and insurance producers to use an information-sharing and analysis organization (ISAO) to share information, including physical threat intelligence analysis, and to stay informed regarding emerging threats or vulnerabilities. This latter mandate, that insurers and insurance producers participate in an ISAO, may add a new compliance burden, even for those in the industry with robust cybersecurity programs. These formerly voluntary programs will now likely expand in scope and membership.
- Principles 1, 3, 4, 5, and 6: To-Do List for State Insurance Regulators
Because state insurance regulators are the cybersecurity enforcement police for the industry, the guidance notes that regulators have an affirmative responsibility to ensure that confidential and/or personally identifiable consumer information held by insurers, producers, and other regulated entities is protected from cybersecurity risks. State insurance regulators should provide appropriate regulatory oversight, which includes, but is not limited to, conducting risk-based financial examinations and/or market conduct examinations regarding cybersecurity. The NAIC encouraged regulators to mandate that regulated entities have systems in place to timely alert consumers in the event of a cybersecurity breach.
The guidance notes that cybersecurity regulatory guidance for insurers and insurance producers must be flexible, scalable, practical, and consistent with nationally recognized efforts, such as those in the National Institute of Standards and Technology (NIST) framework. Although regulatory guidance should be risk-based and reflect the resources of the insurer or insurance producer, a minimum set of cybersecurity standards must be in place for all entities that are physically connected to the internet and/or other public data networks, regardless of the size and scope of the entity’s operations.
The compliance burden is not one-sided. The guidance notes that state insurance regulators also have a responsibility to, among other things, protect insurers’ or insurance producers’ confidential information and personally identifiable consumer information that is collected, stored, and transferred within or outside their departments and to timely alert those affected by any data breach.
Insurers, insurance producers, and other regulated entities should review their current cybersecurity compliance programs to ensure that the programs incorporate the foundational and “transcendental” principles outlined in the NAIC guidance. At a minimum, many companies may need to join one or more ISAOs to comply with these new principles.
Although the principles provide a basic outline for a cybersecurity compliance program, chief privacy, information security, and technology officers in the industry must continue to conduct cyberrisk assessments to robustly address and respond to the ever-increasing cyberthreats faced by the insurance industry. The failure to comply with the NAIC’s guidance may place an insurer, insurance producer, or other regulated entity at additional risk of regulatory scrutiny.