
    Insurance Regulatory Bellwether: NAIC Adopts 12 Principles for Effective Cybersecurity for Regulators

    Locke Lord Publications

    The National Association of Insurance Commissioners (“NAIC”) is all over cybersecurity. On April 16, 2015, the NAIC’s Cybersecurity Task Force adopted 12 principles for effective cybersecurity insurance regulatory guidance. The adoption is part of its aggressive work plan to help the insurance sector come up with an effective cybersecurity framework in the face of a tidal wave of data security breaches that pose a significant threat to consumer financial and health information.

    The principles are general policy statements identifying areas of concern to the NAIC and are intended to guide insurance regulators in creating specific regulations protecting the information of insurance consumers and the information infrastructure of the insurance industry. The 12 principles address security safeguards for confidential and personally identifiable consumer information, incident response planning and consumer security breach notifications, incorporating cybersecurity risks into a company’s internal risk management process, employee training and vendor management, and similar topics. Principle 4 clarifies that “Cybersecurity regulatory guidance for insurers and insurance producers must be flexible, scalable, practical and consistent with nationally recognized efforts such as those embodied in the National Institute of Standards and Technology (NIST) framework.”

    The guidelines are a bellwether of regulations to come, and insurance industry participants and their vendors should familiarize themselves with the 12 principles and consider engaging with regulators in order to anticipate and potentially help shape the future standards, requirements, and practices. Of course, they should also update and maintain appropriate data management policies and practices.
