The National Association of Insurance Commissioners (“NAIC”) recently released a draft of its proposed Principles For Effective Cybersecurity Insurance Regulatory Guidance (the “Guidance”), prepared by its cybersecurity (EX) task force. The NAIC’s guidance was released in the wake of regulatory initiatives in New York, Connecticut and Illinois.
Effective cybersecurity programs are intended to strengthen the insurance sector’s defenses against, and responses to, cyber attacks. State regulators are expected to identify uniform standards to strengthen the insurance industry’s response, to promote accountability across the insurance marketplace and to provide open access to information regarding such measures, so that regulators and industry representatives together can identify risks and appropriate remediation efforts.
The NAIC’s Guidance contains eighteen guiding principles “intended to establish insurance regulatory guidance that promotes those relationships and protects consumers and the insurance industry.” Principles identified in the March 12, 2015 draft are derived from SIFMA’s (Securities Insurance and Financial Markets Association) “Principles for Effective Cybersecurity Regulatory Guidance.” The NAIC’s 18 guiding principles are set forth in the draft proposal.
In addition to the Guidance, the NAIC’s Property and Casualty Insurance Committee (C) has developed the “Annual Statement Supplement for Cybersecurity Policies,” which requires companies writing cybersecurity coverage to identify: (i) the range of limits offered in a stand-alone policy; (ii) the range of coverage limits offered in a commercial multi-peril package policy; (iii) losses paid under each; (iv) the quantification of direct premium earned for the cybersecurity coverage (if quantifiable); and (v) whether the cybersecurity policy is a claims-made policy, and if so, whether tail coverage is offered.
In view of the increased regulatory scrutiny on cybersecurity, it is anticipated that additional states will seek to conduct cybersecurity assessments and develop methodologies to regulate carriers with regard to their cybersecurity initiatives.