Influential National Association of Insurance Commissioners (NAIC) Moves On Cyber

Bob Gourley March 14, 2015

Cybersecurity practitioners and policymakers have long been discussing the potential positive benefits of smart insurance policy and standards to reduce risk. Of the many actions and activities we see in the insurance world today, the news of NAIC involvement is seen as particularly interesting.

What is the NAIC?

The National Association of Insurance Commissioners (NAIC) is the U.S. standard-setting and regulatory support organization created and governed by the chief insurance regulators from the 50 states, the District of Columbia and five U.S. territories. Through the NAIC, state insurance regulators establish standards and best practices, conduct peer review, and coordinate their regulatory oversight. NAIC members form the national system of state-based insurance regulation in the U.S.

What have they announced?

NAIC has coordinated two drafts which will provide comprehensive policy for oversight of insurance regarding cybersecurity:

The first is a draft of Principles for Effective Cybersecurity Insurance Regulatory Guidance, developed by the Cybersecurity (EX) Task Force. This document will help state insurance departments identify uniform standards, promote accountability, and provide access to essential information. It also outlines the process for working with the insurance industry to identify risks and offer practical solutions.
The second draft document: the Annual Statement Supplement for Cybersecurity policies, comes from the NAIC’s Property and Casualty Insurance (C) Committee.

Here are the 18 draft principles from this first document:

NAIC’s Principles for Effective Cybersecurity Insurance Regulatory Guidance

Principle 1. Insurance regulators have a significant role and responsibility regarding protecting consumers from cybersecurity risks.
Principle 2. Insurance regulators have a significant role and responsibility regarding the insurers’ efforts to protect sensitive customer health and financial information.
Principle 3. Insurance regulators have a significant role and responsibility in protecting the sensitive information housed in insurance departments and at the NAIC.
Principle 4. Insurance regulators recognize the value of collaboration in the development of regulatory guidance with insurers, insurance producers, consumers and the federal government with the goal of a consistent, coordinated national approach.
Principle 5. Compliance with cybersecurity regulatory guidance must be flexible, scalable, practical and consistent with the national efforts embodied in the National Institute of Standards and Technology (NIST) framework.
Principle 6. Regulatory guidance must consider the resources of the insurer or insurance producer.
Principle 7. Effective cybersecurity guidance must be risk-based and threat-informed.
Principle 8. Insurance regulators should provide appropriate regulatory oversight, which includes but is not limited to, conducting risk-based, value-added financial examinations and/or market conduct examinations regarding cybersecurity.
Principle 9. Planning for crisis response for insurance regulators, insurers, and insurance producers is an essential component to an effective cybersecurity program.
Principle 10. The effective management of cybersecurity by third parties and service providers is essential for protection of consumer’s sensitive personal health and financial information.
Principle 11. Information sharing is important for risk management purposes; however, it must be limited to essential cybersecurity information and protect sensitive confidential information.
Principle 12. Cybersecurity risks should be included and addressed as part of an insurers and insurance producers Enterprise Risk Management processes.
Principle 13. High level information technology internal audit findings should be discussed at the insurers and insurance producers Board of Director meetings.
Principle 14. It is essential for insurers and insurance producers to join Financial Services Information Sharing and Analysis Center (FSISAC) to share information and stay informed about cyber and physical threat intelligence analysis and sharing.
Principle 15. Sensitive data collected and stored and transferred inside or outside of an insurers or insurance producers network should be encrypted.
Principle 16. Periodic and timely training for employees of insurers and insurance producers regarding cybersecurity issues is essential.
Principle 17. Enhanced solvency oversight is needed for insurers selling cyber insurance to businesses and families.
Principle 18. Additional data on the sale of cyber insurance products should be collected to assist insurance regulators with oversight of financial and market regulation.

Regarding Principle 7. Effective cybersecurity guidance must be risk-based and threat-informed. We most strongly endorse that point. Our Daily Threat Brief is now informing executives across most every sector of the economy and can provide a strong baseline on the threat to inform cyber security guidance. Subscribe for free at https://www.oodaloop.com

For more information, visit www.naic.org.

For more see:

The Principles of Enterprise Technology

Top 10 CTO Principles

Marc Andreessen on the future of technology and implications for interactions between government and citizens

Thorn: Digital Defenders of Children

About Bob Gourley

Bob Gourley is the CTO and Co-Founder of the due diligence and cybersecurity consultancy OODA LLC , which publishes CTOvision.com and OODAloop.com. Bob's background is as an all source intelligence analyst and an enterprise CTO.

Gain Powerful Insights Into The Future With OODA Loop’s Technology Tracking

In a continuation of our journey to bring the best, most actionable technology content to enterprise decision-makers we have merged our research and reporting activities into the OODAloop.com site (both CTOvision.com and OODAloop.com are owned and operated by OODA LLC). CTOvision will focus only on one small niche, a vision for a technology enabled future. […]

CTOvision and OODA: Big Changes Coming Soon

In a continuation of our journey to bring the best, most actionable technology content to enterprise decision-makers we are merging our research and reporting activities into the OODAloop.com site (both CTOvision.com and OODAloop.com are owned and operated by OODA LLC). This will give our community access to the same technology summaries we currently produce as […]

Give Your Career A Boost By Learning From Experienced Decision Makers

Our video and audio podcast, the OODAcast, provides content that can help accelerate your career and improve your decision making. The series is based on interviews of some of the greatest most accomplished enterprise technologists we can find. We ask questions designed to pull out lessons applicable to accelerating the career of any professional. We […]

Think Twice Before Deciding To Use A Personal VPN: You could be getting some really bad advice

From the 1930s to 1950s (far too long) the medical community just would not wake up to the fact that cigarettes could cause harm (see More Doctors Smoke Camels). Why did they stick with this misperception for so long? When so many good people come to the wrong conclusion it probably means some deeply human […]

Please help spread the word: USNI and NIP Essay Contest: This year’s challenge area a key one for the nation

Please help share the content at this link to any thinker/writer you know: 2020 Information Warfare Essay Contest This contest is open to all contributors, active-duty, military, reservists, veterans, and civilians. Generally the winners have had a solid understanding of the nature of modern conflict, but really any thinkers/writers should look over the contest and […]

Centripetal wins historic $2.6-$3.2 Bil vs. Cisco Systems; largest US patent infringement award to date

Editor’s note: I am proud to say I have a history with Centripetal Networks serving on their board and then later as an advisor. It was horrible to learn that a Tech Titan like Cisco was infringing on their patents. It is good now to see when the facts were reviewed justice was done. -bg […]

Super Bowl Ads Indicate Big Businesses Think You Are Afraid of AI

Tom Loftus provided an insightful review of some of Super Bowl ads in the 4 Feb 2019 Wall Street Journal. Like AI parody in SNL, these ads really poked fun at computers: Seriously, did anyone catch the commercials? If the Super Bowl is the zeitgeist, then it is safe to say that America is not […]

HBO’s Westworld: The Man In Black is a special kind of Twitter user

HBO’s Westworld is a modern take on the Michael Crichton SciFi tale of a robotic amusement park. The HBO version has a new twist. The creators/writers were all exposed to years of Twitter, which has influenced every episode and the entire arch of two seasons of the show. Now that season two is wrapping up, […]

All Enterprise Techies Should Watch HBO’s SciFi Epic Westworld: It will help us dialog over shared experiences on what we will not be creating

Westworld season one was a great mix of science fiction and drama and action and it was done in a way that should help people think through many tech ethics questions, like how do we want to treat our robots? Does treating robots with violence change our nature? Can robots become sentient? HBO has a […]

Related