The Cybersecurity (EX) Task Force of the National Association of Insurance Commissioners (NAIC) announced that it adopted new cybersecurity regulations, designed to help protect sensitive consumer information.
The cybersecurity regulations highlight 12 principles that state insurance regulators should follow to protect sensitive information and infrastructure, according to NAIC. It is the regulators’ responsibility to ensure that any personally identifiable consumer information held by insurers, producers and other regulated entities is protected from cybersecurity risks. The proper notification systems should also be in place, ensuring that consumers are notified in a timely manner.
Another regulation stipulates that cybersecurity regulations for insurers and insurance producers “must be flexible, scalable, practical and consistent” with nationally recognized efforts. This could include what the National Institute of Standards and Technology (NIST) has outlined in its framework.
NAIC also called for state insurers to provide appropriate regulatory oversight, including, but not limited to, conducting risk-based financial examinations. Additionally, regulators should conduct market conduct examinations regarding cybersecurity, according to NAIC.
Many of the principles align with regulations that are already in place for healthcare organizations through the HIPAA Privacy Rule or Security Rule, and touch on issues such as information sharing and performing risk-based analyses:
Principle 9: Cybersecurity risks should be incorporated and addressed as part of an insurer’s or an insurance producer’s enterprise risk management (ERM) process. Cybersecurity transcends the information technology department and must include all facets of an organization.
Principle 10: Information technology internal audit findings that present a material risk to an insurer should be reviewed with the insurer’s board of directors or appropriate committee thereof.
Principle 11: It is essential for insurers and insurance producers to use an information-sharing and analysis organization (ISAO) to share information and stay informed regarding emerging threats or vulnerabilities, as well as physical threat intelligence analysis and sharing.
Principle 12: Periodic and timely training, paired with an assessment, for employees of insurers and insurance producers, as well as other regulated entities and other third parties, regarding cybersecurity issues is essential.
However, in the wake of large-scale health data breaches like Anthem and Premera, it will be interesting to see how cybersecurity measures develop for insurers as a whole.
“These principles will serve as the foundation for protection of sensitive consumer information held by insurers as well as insurance producers and guide regulators who oversee the insurance industry,” NAIC President and Montana Commissioner of Securities and Insurance Monica J. Lindeen said in a statement.
NAIC has also expressed specific concern about cybersecurity regulation in the healthcare industry. After the Anthem data breach, NAIC called for a multi-state examination of the health insurer and its affiliates.
“Since the news broke, regulators have been working together and have been in discussion with Anthem executives,” Lindeen said at the time. “We are in agreement that an immediate and comprehensive review of the company’s security must be a priority to ensure protection of consumers who are covered by Anthem.”
The organization added that all 56 states and territories should sign on to the examinations because the Anthem data breach was so large and will potentially affect many individuals.