On April 16, 2015, the Cybersecurity Task Force of the U.S. National Association of Insurance Commissioners (“NAIC”) adopted 12 “Principles for Effective Cybersecurity Insurance Regulatory Guidance” (the “Principles”). The Principles are aimed at both insurers and the bodies that regulate the industry.
The NAIC’s Cybersecurity Task Force was formed in November 2014, and is tasked with assisting the NAIC in addressing issues relating to cybersecurity in the insurance industry.
As stated by NAIC President Monica J. Lindeen, these principles are intended to “serve as the foundation for protection of sensitive consumer information held by insurers as well as insurance producers and guide regulators who oversee the insurance industry.” The Principles were derived from the Securities Industry and Financial Markets Association’s (SIFMA) “Principles for Effective Cybersecurity Regulatory Guidance” issued in October 2014.
In addition to the Principles, the Task Force is expected in the future to release a consumer bill of rights for insurance industry consumers affected by a data breach.
The Principles and Interaction with Canadian Approaches
The Principles generally provide high-level guidance on regulation of cybersecurity in the industry. In particular, the Principles state that regulators “have a responsibility to ensure that personally identifiable consumer information held by insurers, producers and other regulated entities is protected from cybersecurity risks” (Principle 1). In addition, the Principles provide that “cybersecurity regulatory guidance for insurers and insurance producers must be flexible, practical and consistent with nationally recognized efforts” such as those embodied in the National Institute of Standards and Technology (Principle 4) and that “regulatory guidance must be risk-based and must consider the resources of the insurer or insurance producer, with the caveat that a minimum set of cybersecurity standards must be in place” (Principle 5).
The emphasis on a risk-based approach and flexible regulatory guidance is consistent with the view expressed recently by the Insurance Industry of Canada in its report Cyber Risks: Implications for the Insurance Industry in Canada that cyber security should be customized for the particular organization:
Cyber security is not a one-size-fits-all approach. Organizations have unique risks and different tolerances for loss. To address the specific circumstances of each organization, security practices will and should differ between organizations and over time. There is no agreement about cyber best practices that should be applied in all situations.
The Principles do provide some specific guidance. Regulators should require that regulated entities have in place systems to provide timely alerts to consumers affected by a breach (Principle 1). Regulated entities should have in place the appropriate controls (Principle 8) and periodic and timely training regarding cybersecurity issues (Principle 12). Planning for incident response (Principle 7) should also be required, information sharing about emerging threats should occur through an information-sharing and analysis organization (Principle 11) and cybersecurity should form part of an insurer’s enterprise risk management process (Principle 9).
In Canada, the Office of the Superintendent of Financial Institutions (“OSFI”) previously issued in 2013 very detailed Cyber Security Self-Assessment Guidance which applies to federally regulated insurers, among others. It will be interesting to see if OSFI and provincial insurance regulators’ cybersecurity regulatory initiatives are influenced by NAIC’s Principles going forward.