Any cyber security regulations governing insurance companies and producers need to be “scalable, practical and consistent” with rules enforced in other industries, according to guidelines issued late last week by the National Association of Insurance Commissioners.
On Friday the NAIC outlined 12 principles that it says will “serve as the foundation” for any insurance regulation aimed at protecting sensitive customer information kept by insurers and producers. The principles largely push for flexibility in any rules or guidance issued by regulators, even asking that guidance be risk-based and “consider the resources of the insurer or insurance producers.”
Any regulations should also be developed in consultation with insurers, insurance producers and the federal government to “achieve a consistent, coordinated approach,” the NAIC said.
However, the group is firm about instituting a minimum set of cyber security standards for all insurers and producers who are physically connected to the Internet or other public data networks, regardless of their size or scope of operations.
The release of the “Guiding Principles” document from the NAIC Cybersecurity (EX) Task Force follows the high-profile data breaches of insurance companies like Anthem Inc. and Premera Blue Cross Blue Shield, in which nearly 100 million health insurance consumers had sensitive data exposed to hackers.
Insurance departments in several states are now leading investigations into both data breaches, and the Cybersecurity Task Force is setting to work developing several sets of guidelines to protect consumer information and insurance company data security.
In addition to last week’s document, task force leader Adam Hamm says the group plans to develop a consumer “bill of rights” that details what consumers can rightfully expect from their insurance companies following a breach.
The 12 principles in the NAIC document include:
- State insurance regulators have a responsibility to ensure that personally identifiable consumer information held by insurers, producers and other regulated entities is protected from cybersecurity risks. Regulators should mandate that these entities have systems in place to alert consumers in a timely manner in the event of a breach.
- Confidential information and/or personally identifiable consumer information that is collected, stored and transferred inside or outside of an insurance entity’s network should be safeguarded.
- Regulators have a responsibility to protect information that is collected inside or outside of an insurance department or at the NAIC.
- Cybersecurity regulatory guidance for insurance entities must be flexible, scalable, practical and consistent with nationally recognized efforts such as those of the National Institute of Standards and Technology.
- Regulatory guidance must be risk based and consider the resources of the insurance entity; however, a minimum set of standards must be in place for all, regardless of size or scope of operations.
- State regulators must provide appropriate regulatory oversight, including conducting risk-based financial examinations or market conduct examinations related to cybersecurity.
- Insurance entities must plan for incident response.
- Insurance entities must take appropriate steps to ensure third parties and service providers have controls in place to protect personally identifiable information.
- Cybersecurity risks should be incorporated and addressed as part of an insurance entity’s enterprise risk management process.
- IT internal audit findings that present a material risk to an insurer should be reviewed with the board of directors or appropriate committee.
- Insurers and producers should use an information-sharing and analysis organization (ISAO) to share information and stay informed regarding emerging threats or vulnerabilities.
- Periodic and timely training, paired with an assessment, for employees of insurance entities regarding cybersecurity issues is essential.