The National Association of Insurance Commissioners (NAIC), an organization that provides support and coordinates the efforts of state insurance regulators, will focus on cybersecurity issues at its meeting in Phoenix, Arizona on March 28, 2015 through March 31, 2015. The NAIC Industry Liaison Committee is scheduled to meet and hear a panel discussion on cyber insurance on March 30, 2015.
The NAIC will review and comment on documents that may ultimately be adopted by state insurance regulators. One draft document, Principles for Effective Cybersecurity Insurance Regulatory Guidance, was developed by the Cybersecurity (EX) Task Force of the NAIC to “help state insurance departments identify uniform standards, promote accountability and provide access to essential information.” This document was developed to outline the process for insurance regulators to work with the insurance industry “to identify risks and offer practical solutions” related to cybersecurity. The draft proposed on March 12, 2015 is based on 18 “Principles” for insurance commissioners to “provide effective cybersecurity guidance” to insurance companies and includes the following:
- Principle 5: Compliance with cybersecurity regulatory guidance must be flexible, scalable, practical and consistent with the national efforts embodied in the National Institute of Standards and Technology (NIST) framework.
- Principle 9: Planning for crisis response for insurance regulators, insurers and insurance producers is an essential component to an effective cybersecurity program.
- Principle 16: Periodic and timely training for employees of insurers and insurance producers regarding cybersecurity issues is essential.
- Principle 17: Enhanced solvency oversight is needed for insurers selling cyber insurance to businesses and families.
The NAIC’s Principles, intended to bring uniformity and accountability for cybersecurity to the insurance industry, are important because insurers have sensitive data and provide services based on their integrity. While a breach at Target or Home Depot has proven to be a tremendous problem, a data breach or hack at an insurer offering cyber insurance may undermine the entire cyber insurance system.
Tressler will continue to provide updates on the NAIC’s review and comments of these Principles.