The National Association of Insurance Commissioners (“NAIC”) has encouraged insurers and state insurance regulators to act proactively in reducing cybersecurity risks to consumer financial and health information.  On April 16, the NAIC adopted the Principles for Effective Cybersecurity Insurance Regulatory Guidance (“Principles”), twelve regulatory principles aimed at increasing the protection of [confidential and personally identifiable information] against cybersecurity breaches.  The Principles promote collaboration between regulators charged with guidance and oversight, and insurers that can identify risks and offer practical solutions for protecting sensitive information.

The Principles charge insurers with identifying risks to, and adopting cybersecurity practices governing, confidential and personally identifiable information.  Insurers should safeguard any such information that is collected, stored, and transferred, whether inside or external to an insurer’s network.  The NAIC also recommends that insurers ensure that third parties entrusted with sensitive information have appropriate security controls; and further recommends specific cybersecurity practices insurers should implement.  These include incident response planning, incorporating cybersecurity practices into their enterprise management process; providing periodic training for employees; and sharing information technology audit results with the insurer’s board of directors.  All insurers, regardless of size, will likely be required to have a system in place to enable them to timely alert affected parties in the event of a cybersecurity breach.

The Principles further recommend that insurers look to state insurance regulators for guidance on and oversight of cybersecurity practices.  In this respect, the NAIC recommends that state regulators require insurers to have a timely notification system in place in the event of a breach, but otherwise be flexible enough to guide insurers of varying size and resource level.  The NAIC encourages that state regulators impose minimum standards applicable to all regulated entities “that are physically connected to the Internet,” regardless of size and scope of operations.  Oversight of insurer practices includes risk-based financial examinations of cybersecurity practices.  Beyond those requirements, the Principles suggest that from the perspective of the NAIC, state regulators should be free to create flexible standards consistent with nationally recognized cybersecurity efforts, such as those recently adopted by the National Institute of Standards and Technology.  Finally, the NAIC recognizes that state regulators are equally responsible for protecting sensitive information, and that they should implement controls to protect insurer and consumer information maintained at state insurance departments or the NAIC.

For the complete list of the twelve guiding principles, click here.