The twelve principles "will serve as the foundation for protection of sensitive consumer information held by insurers as well as insurance producers and guide regulators who oversee the insurance industry," said Monica J. Lindeen, NAIC President and Montana Commissioner of Securities and Insurance. All content from NAIC.

Principle 1

State insurance regulators have a responsibility to ensure that personally identifiable consumer information held by insurers, producers and other regulated entities is protected from cybersecurity risks. Additionally, state insurance regulators should mandate that these entities have systems in place to alert consumers in a timely manner in the event of a cybersecurity breach. State insurance regulators should collaborate with insurers, insurance producers and the federal government to achieve a consistent, coordinated approach.

Principle 2

Confidential and/or personally identifiable consumer information data that is collected, stored and transferred inside or outside of an insurer’s, insurance producer’s or other regulated entity’s network should be appropriately safeguarded.

Principle 3

State insurance regulators have a responsibility to protect information that is collected, stored and transferred inside or outside of an insurance department or at the NAIC. This information includes insurers’ or insurance producers’ confidential information, as well as personally identifiable consumer information. In the event of a breach, those affected should be alerted in a timely manner.

Principle 4

Cybersecurity regulatory guidance for insurers and insurance producers must be flexible, scalable, practical and consistent with nationally recognized efforts such as those embodied in the National Institute of Standards and Technology (NIST) framework.

Principle 5

Regulatory guidance must be risk-based and must consider the resources of the insurer or insurance producer, with the caveat that a minimum set of cybersecurity standards must be in place for all insurers and insurance producers that are physically connected to the Internet and/or other public data networks, regardless of size and scope of operations.

Principle 6

State insurance regulators should provide appropriate regulatory oversight, which includes, but is not limited to, conducting risk-based financial examinations and/or market conduct examinations regarding cybersecurity.

Principle 7

Planning for incident response by insurers, insurance producers, other regulated entities and state insurance regulators is an essential component of an effective cybersecurity program.

Principle 8

Insurers, insurance producers, other regulated entities and state insurance regulators should take appropriate steps to ensure that third parties and service providers have controls in place to protect personally identifiable information.

Principle 9

Cybersecurity risks should be incorporated and addressed as part of an insurer’s or an insurance producer’s enterprise risk management (ERM) process. Cybersecurity transcends the information technology department and must include all facets of an organization.

Principle 10

Information technology internal audit findings that present a material risk to an insurer should be reviewed with the insurer’s board of directors or appropriate committee thereof.

Principle 11

It is essential for insurers and insurance producers to use an information-sharing and analysis organization (ISAO) to share information and stay informed regarding emerging threats or vulnerabilities, as well as physical threat intelligence analysis and sharing.

Principle 12

Periodic and timely training, paired with an assessment, for employees of insurers and insurance producers, as well as other regulated entities and other third parties, regarding cybersecurity issues is essential.