NAIC Passes Insurance Data Security Model Law
Cybersecurity model law creates information security standards for insurers
NAIC Ramps Up Cybersecurity Efforts
Insurance Highlighted at Congressional Hearing on Cyber
NAIC's cyber chair testifies on emerging challenges on cyber insurance issues
NAIC Responds to Premera Breach
Insurance Data Security Model Law
Adopted October 24, 2017
The Cybersecurity Landscape Presentation
May 18, 2016, CIPR Event
Cybersecurity Issues, Challenges, and Solutions Program
May 18, 2016, CIPR Event
Cybersecurity Legislative Issue Brief
Roadmap for Cybersecurity Consumer Protections
Adopted December 17, 2015
Principles for Effective Cybersecurity: Insurance Regulatory Guidance
Adopted April 16, 2015
The Year Before Us: Perspectives from NAIC President Ted Nickel
March 2017, CIPR Newsletter
Recent Regulatory Initiatives to Tackle the Growing Threat of Cyber Risk
December 2015, CIPR Newsletter
Cybersecurity takes Center Stage
May 2015, CIPR Newsletter
CIPR Event Examines Cyber Liability Risk and Issues Facing the Insurance Industry
July 2014, CIPR Newsletter
Cyber Liability: It's Just a Click Away
2014, Journal of Insurance Regulation
Managing Cyber Risks
October 2012, CIPR Newsletter
Last Updated 7/11/18
Issue: Cybersecurity is perhaps the most important topic for the insurance sector today. Insurers and insurance producers must protect the highly sensitive consumer financial and health information collected as part of the underwriting and claims processes. This Personally Identifiable Information (PII) is entrusted to the industry by the public.
Amid the rising incidence of cyberattacks and the growing number of high-profile data breaches (e.g., the U.S. Office of Personnel Management, Anthem, Premera, Target, JP Morgan, Neiman Marcus, Home Depot and Equifax), the government has stepped up its scrutiny of cybersecurity. This has led to increasing calls for legislation and regulation for enhanced cybersecurity measures to address the numerous risks posed by a cyberattack, including, but not limited to: (1) identity theft; (2) business interruption; (3) damage to reputation; (4) data repair costs; (5) theft of customer lists or trade secrets; (6) hardware and software repair costs; (7) credit monitoring services for impacted consumers; and (8) litigation costs. Most commercial property and general liability policies do not cover cyber risks, and cyber insurance policies are highly customized for clients in a new and quickly growing market currently estimated at around $2.49 billion. This number includes surplus lines data, which the NAIC received for the first time in 2016.
In February 2014, the National Institute of Standards and Technology (NIST) released a framework for improving critical infrastructure cybersecurity. The framework provides a structure of standards, guidelines and practices to aid organizations, regulators and customers with critical infrastructures in effectively managing their cyber risks. NIST recently issued a draft update to its framework aimed at further developing its voluntary guidance on reducing cyber risks. Neither house of Congress has recently passed any bills addressing cybersecurity; however, this remains a key issue at the federal level.
Status: There have been two major breaches of health insurance information in recent years. In addition to directly working with Anthem and Premera to resolve immediate concerns, state insurance regulators continue to monitor cybersecurity in the insurance sector very closely with their federal counterparts.
The NAIC has completed several cybersecurity activities in recent years. These include the adoption of the Principles for Effective Cybersecurity: Insurance Regulatory Guidance, the NAIC Roadmap for Cybersecurity Consumer Protections and the NAIC Insurance Data Security Model Law (#668). The Model Law requires insurers to implement an information security program and to investigate cybersecurity events and notify the state insurance commissioner of them. The Treasury Department, in its Report on Asset Management and Insurance, endorsed the model and recommended that Congress consider preempting the states if it is not adopted in 5 years.
In addition, the NAIC adopted a Cybersecurity Insurance Coverage Supplement for the P/C annual financial statement to collect information about cybersecurity insurance markets. The NAIC is also considering creating a Cybersecurity Insurance Institute and an Anti-Fraud Depository. The Institute would concentrate on perpetrators of fraud by identity theft, ransomware and other electronic means. The Depository would be a suspected/confirmed fraud database based on the collection of other types of fraud committed by more traditional means.