What State Insurance Regulators Say About Cybersecurity

May 28, 2015

In April, the Cybersecurity Task Force of the National Association of Insurance Commissioners adopted “Principles for Effective Cybersecurity: Insurance Regulatory Guidance,” derived from similar principles of the Securities Industry and Financial Markets Association.

An introduction to the 12 principles indicates a collaborative effort between state insurance regulators and the insurance industry in dealing with cybersecurity issues—with the industry looking to state regulators “to aid in the identification of uniform standards [and] promote accountability across the entire insurance sector,” and regulators looking to the industry “to join forces in identifying risks and offering practical solutions.” Principle 1 also references collaboration with the federal government “to achieve a consistent, coordinated approach” to cybersecurity risk.

Among other things, the principles state that:

State insurance regulators have a responsibility to ensure that personally identifiable information (PII) of consumers held by insurers and other regulated entities is protected from cybersecurity risks, and should mandate that insurers have systems in place to issue timely alerts to consumers when cyber breaches occur. (Principle 1)

PII that is collected, stored and transferred inside or outside of an insurer’s, insurance producer’s or other regulated entity’s network should be appropriately safeguarded. (Principle 2)

State insurance regulators have parallel responsibilities to protect information that is collected, stored and transferred inside or outside of an insurance department or at the NAIC, including insurers’ confidential information and consumer PII. (Principle 3)

Regulatory guidance must be flexible, scalable, practical and consistent with nationally recognized efforts such as those embodied in the National Institute of Standards and Technology (NIST) framework. (Principle 4)

Guidance from regulators must also be risk-based, and while it must consider individual insurer resources, there must be “a minimum set of cybersecurity standards” for all insurers regardless of size and scope of operations. (Principle 5)

The remaining principles note that appropriate regulatory oversight will include conducting risk-based financial and market conduct examinations regarding cybersecurity, and describe some of the risk management measures expected of insurers: planning for incident response; ensuring that third parties and service providers have controls in place to protect PII; incorporating cybersecurity into the enterprise risk management (ERM) process; board review of material IT internal audit findings; and employee training on cybersecurity issues.

In addition, Principle 11 states that an information-sharing and analysis organization for insurers and insurance producers is an essential component of cybersecurity for the industry, allowing participants to stay informed about emerging vulnerabilities and physical threat intelligence.

Two of 18 originally proposed draft principles had referred to enhanced solvency oversight of cyber insurers and the collection of data on cyber insurance sales, but these were removed from the final 12 principles adopted by the task force.