On April 16, 2015, the Cybersecurity Task Force of the National Association of Insurance Commissioners (NAIC) adopted 12 principles for effective cybersecurity insurance regulatory guidance. Recognizing that cybersecurity risks pose a significant threat to consumer financial and health information, as highlighted by recent, significant data breaches, the NAIC took steps to guide state insurance regulators in protecting the information of insurance consumers and the information infrastructure of the industry. The 12 principles include guidance on security safeguards, incident response planning, employee training and vendor management, among other subjects important to the protection of consumer information and insurance industry infrastructure. The principles are guidance for regulators rather than binding requirements on insurers; Principle 4 notably provides, “Cybersecurity regulatory guidance for insurers and insurance producers must be flexible, scalable, practical and consistent with nationally recognized efforts such as those embodied in the National Institute of Standards and Technology (NIST) framework.”
State insurance regulators should find the new guiding principles helpful as they work to promote privacy and security across the insurance industry. Insurers, insurance producers and their vendors should familiarize themselves with the 12 principles and engage with regulators early, in order to anticipate, and potentially shape, the standards, requirements and practices that are likely to follow from them.