NAIC Seeks Comment on Proposed Principles for Effective Cybersecurity Insurance Regulatory Guidance

The NAIC has released a draft of its proposed Principles for Effective Cybersecurity Insurance Regulatory Guidance, developed by the Cybersecurity (EX) Task Force. According to the NAIC, “it has become clear that it is vital for insurance regulators to provide effective cybersecurity guidance regarding the protection of the insurance sector’s data security and infrastructure. The insurance regulators commend insurance companies for conducting a review of their cybersecurity policies, regulations, and guidance with the goal of strengthening the insurance sector’s defense and response to cyber-attacks. The insurance industry looks to the insurance regulators to aid in the identification of uniform standards, promoting accountability across the entire insurance sector, and to provide access to essential information. The insurance regulators also depend upon the insurance industry to join forces in identifying risks and the offering of practical solutions.”

The draft contains 18 guiding principles, which are “intended to establish insurance regulatory guidance that promotes these relationships and protects consumers and the insurance industry.”

The principles highlight the significant role and responsibilities of insurance regulators in this area and call for national collaboration on a “risk-based and threat-informed” basis and compliance with the National Institute of Standards and Technology (NIST) framework. The principles call for the inclusion of cybersecurity risks in insurers’ and insurance producers’ Enterprise Risk Management processes, the encryption of data collected, stored and transferred, and timely training for employees of insurers and producers on cybersecurity issues. The principles also set out additional measures for insurers selling cyber insurance, including enhanced solvency oversight and the collection of additional data on the sale of those products.

The NAIC is seeking comments by March 23, 2015. Comments may be directed to [email protected].