Insurance Regulatory Bellwether: NAIC Adopts 12 Principles for Effective Cybersecurity for Regulators

Locke Lord LLP
May 11, 2015

The National Association of Insurance Commissioners (“NAIC”) is all over cybersecurity. On April 16, 2015, the NAIC’s Cybersecurity Task Force adopted 12 principles for effective cybersecurity insurance regulatory guidance. The adoption is part of the NAIC’s aggressive work plan to help the insurance sector develop an effective cybersecurity framework in the face of a tidal wave of data security breaches that pose a significant threat to consumer financial and health information.

The principles are general policy statements identifying areas of concern to the NAIC and are intended to guide insurance regulators in creating specific regulations protecting the information of insurance consumers, and the information infrastructure of the insurance industry. The 12 principles address security safeguards for confidential and personally identifiable consumer information, incident response planning and consumer security breach notifications, incorporating cybersecurity risks into a company’s internal risk management process, employee training and vendor management, and similar topics. Principle 4 clarifies that “Cybersecurity regulatory guidance for insurers and insurance producers must be flexible, scalable, practical and consistent with nationally recognized efforts such as those embodied in the National Institute of Standards and Technology (NIST) framework.”

The guidelines are a bellwether of regulations to come, and insurance industry participants and their vendors should familiarize themselves with the 12 principles and consider engaging with regulators in order to anticipate and potentially help shape the future standards, requirements, and practices. Of course, they should also update and maintain appropriate data management policies and practices.