Self-described as a “U.S. standard-setting and regulatory support organization”, the National Association of Insurance Commissioners (NAIC) is governed by the chief regulators from the 50 states, the District of Columbia and five U.S. territories with the purpose of, among other things, establishing standards and best practices for the insurance industry. Recently, the NAIC commissioned a cybersecurity task force to address the risks associated with storing private information in electronic format. Last week, the task force adopted 12 “Principles for Effective Cybersecurity Insurance Regulatory Guidance”, with the goal of establishing a series of benchmarks for the protection of consumer information. I’ve highlighted just a few below. To view the complete list, click HERE.

Principle 5: Regulatory guidance must be risk-based and must consider the resources of the Insurer or insurance producer, with the caveat that a minimum set of cybersecurity standards must be in place for all insurers and insurance producers that are physically connected to the Internet and/or other public data networks, regardless of size and scope of operations.

  • Recognizes that cybersecurity outlays must be tailored to fit an organization’s profile, but also that all businesses, regardless of size, should take steps to protect consumer information

Principle 7: Planning for incident response by insurers, insurance producers, other regulated entities and state insurance regulators is an essential component of an effective cybersecurity program.

  • All organizations maintaining private consumer information should incorporate a data breach response plan

Principle 9: Cybersecurity risks should be incorporated and addressed as part of an insurer’s or an insurance producer’s enterprise risk management (ERM) process. Cybersecurity transcends the information technology department and must include all facets of an organization.

  • Cybersecurity is not just an IT issue – a holistic, organization-wide approach is necessary for the establishment of a defensible protocol.

Principle 12: Periodic and timely training, paired with an assessment, for employees of insurers and insurance producers, as well as other regulated entities and other third parties, regarding cybersecurity issues is essential.

  • Training and periodic assessments are two of the best ways to prevent the loss of sensitive data