Last Updated 10/31/17
Issue: Cybersecurity risks have become more significant as critical consumer financial and health information is increasingly stored in electronic form. As people become more reliant on electronic communication, and as businesses collect and maintain ever more granular pieces of information on their customers, the opportunity for bad actors to cause difficulties for businesses and the public is exploding. Recent high-profile data breaches have led regulators to work toward strengthening insurer defenses against attacks.
In late 2014, the NAIC Executive (EX) Committee appointed the Cybersecurity (EX) Working Group to serve as the central focus for insurance regulatory activities related to cybersecurity. State insurance regulators are committed to developing tools to ensure effective regulation to protect consumers. The NAIC recently adopted an Insurance Data Security Model Law which creates rules for insurers, agents and other licensed entities covering data security, investigation and notification of breach. This includes maintaining an information security program based on ongoing risk assessment, overseeing third-party service providers, investigating data breaches and notifying regulators of a cybersecurity event. The NAIC has already developed a Roadmap for Cybersecurity Consumer Protections and Principles for Effective Cybersecurity: Insurance Regulatory Guidance. These documents served as the chassis for building the Insurance Data Security Model Law.
Cyber Risk Management
In recent years, the demand for cyber insurance has increased significantly in response to sharply heightened risk awareness. However, managing cyber risks through insurance is relatively new. Although the market for cyber liability insurance is off to a good start, it is expected to grow dramatically over time as businesses gradually become more aware that current policies do not adequately cover cyber risks. With each announcement of a system failure leading to a significant business loss, the awareness grows. This growing awareness has stimulated demand for cyber liability insurance products.
As data breaches occur more frequently, there are additional pressures for business to step up efforts to protect the personal information in their possession. Cyber-attacks may come from nation states, terrorists, criminals, activists, external opportunists and company insiders (both intentional and unintentional). Cybercriminals attack to gain some type of political, military or economic advantage. They usually steal money or information that can eventually be monetized, such as credit card numbers, health records, personal identification information and tax returns.
Cyber risks include:
Cyber Liability Policies
Most businesses are familiar with their commercial insurance policies providing general liability coverage to protect the business from injury or property damage. However, most standard commercial lines policies do not cover many of the cyber risks mentioned above. To cover these unique cyber risks through insurance requires the purchase of a special cyber liability policy. However, cyber risk remains difficult for insurance underwriters to quantify due in large part to a lack of actuarial data. Insurers compensate by relying on qualitative assessments of an applicant’s risk management procedures and risk culture. As a result, policies for cyber risk are more customized than the policies for other risks insurers take on and, therefore, more costly. The type of business operation will dictate the type and cost of cyber liability coverage. The size and scope of the business will play a role in coverage needs and pricing, as will the number of customers, the presence on the Web, the type of data collected and stored, and other factors.
Cyber liability policies might include one or more of the following types of coverage:
Securing a cyber-liability policy will not be a simple task. Insurers writing this coverage will be interested in the risk-management techniques applied by the business to protect its network and its assets. The insurer will probably want to see the business’ disaster response plan and evaluate it with respect to the business’ risk management of its networks, its website, its physical assets and its intellectual property. The insurer will most likely be keenly interested in how employees and others are able to access data systems. At a minimum, the insurer will probably want to know about antivirus and anti-malware software, the frequency of updates and the performance of firewalls.
Status: The NAIC and state insurance regulators have made significant progress in their efforts to tackle cybersecurity issues. The Cybersecurity (EX) Task Force adopted the Principles for Effective Cybersecurity: Insurance Regulatory Guidance in April 2015. The 12 principles adopted direct insurers, producers, and other regulated entities to join forces in identifying risks and adopting practical solutions to protect information entrusted to them. Additionally, the NAIC is developing new reporting requirements for insurers to better track cyber insurance policies issued in the marketplace.
The NAIC is moving forward with additional initiatives designed to help protect consumer information and educate the public about cyber risks. The Cybersecurity (EX) Working Group worked extensively to develop a Cybersecurity Consumer Bill of Rights detailing what consumers can expect from insurance companies, agents and other businesses following a data breach. After extensive review and discussion, the Bill of Rights was adopted by the NAIC Executive (EX) Committee and Plenary on Dec. 17, 2015, and the title was amended to the “NAIC Roadmap for Cybersecurity Consumer Protections.” In addition, on October 24th, 2017, the NAIC adopted the Insurance Data Security Model Law during a joint meeting of the Executive (EX) Committee and Plenary. The Insurance Data Security Model Law establishes the standards for data security and for the investigation and notification of a breach of data security applicable to insurance providers. The NAIC also updated its Financial Condition Examiners Handbook and will be updating the Market Regulation Handbook.
The Cybersecurity (EX) Working Group also worked with the Property and Casualty Insurance (C) Committee and the Financial Condition (E) Committee to develop the Cybersecurity and Identity Theft Insurance Coverage Supplement for insurer financial statements, to gather financial performance information about insurers writing cyber-liability coverage nationwide. The first year the Supplement was required to be filed was with the 2015 Annual Statement, filed in April of 2016. This year insurers reported information on the 2016 calendar-year results. More than 500 insurers have provided businesses and individuals with cybersecurity insurance, with 75% of the insurers writing cybersecurity insurance as part of a package policy. An overview shows a cybersecurity insurance market of roughly $1.8 billion in direct written premium for insurers required to file the Supplement. Insurers writing standalone cybersecurity insurance products reported approximately $921 million in direct written premium, and those writing cybersecurity insurance as part of a package policy reported roughly $864 million in premium writings.
Lastly, the NAIC and Stanford Cyber Initiative recently hosted a joint cybersecurity forum to provide insight into current cyber threats and the role insurance plays in mitigating risks. The forum, held during National Cybersecurity Awareness Month, featured a keynote from Richard A. Clarke, former U.S. National Coordinator for Security, Infrastructure Protection and Counter-Terrorism. Clarke's address was accompanied by panels focusing on understanding cyber risks, the range of cyber threat scenarios and identifying potential gaps in cyber insurance coverage and risks. A video replay of the event is coming soon.