Insurance industry regulators (NAIC) push cybersecurity requirements
Cybersecurity and insurance providers share a very similar and discerning viewpoint: the business decisions we make and the services we provide to customers are always based on risk. We help clients understand how threats, vulnerabilities, and their impact may disrupt personal and business continuity. The National Association of Insurance Commissioners (NAIC), a regulating body, has recognized the cybersecurity risks to its industry and has started taking action.
The NAIC website states that “Cybersecurity is perhaps the most important topic for the insurance sector today.”
The “Insurance Data Security Law” is born
NAIC’s solution to its cybersecurity challenges is the creation of the Insurance Data Security Law. The law is modeled on previous cybersecurity legislation passed by the State of New York, 23 NYCRR 500. It mandates that insurance providers create and maintain an information security program to protect their organization and the data of their clients.
The Model Law has been submitted to all 50 states and is anticipated to pass. It will be overseen by the State Insurance Commissioner’s office and must be adhered to by any individual and/or entity licensed in that State.
Addressing risk: Legislation and Self-Regulation
The NAIC model law is certainly a step in the right direction. Regulation and laws will help businesses reduce their attack surface and manage risk. With the NAIC Model Law being anticipated to pass in each state, in addition to individual state laws on data security, how does a business know where to begin? We recommend businesses review State requirements and begin developing a plan to address each item.
While each law is unique in its own way, we’re seeing a common theme across the board involving these key concepts:
- Risk Assessment
- Policies & Procedures Review
- Incident Response Plan Development and Review
- Security Awareness Training
- Multi-Factor Authentication
- 3rd Party Security Programs
- Backup procedures
- Active Directory implementation
- Continuous monitoring
- Implement and regularly assess safeguards
The details of each law start to vary in the Breach Notification requirements, primarily in the timeline for reporting a breach and in how, and to whom, notice must be given. This can all be addressed in a well-written Incident Response Plan. To make sure your plan is effective and thorough, it’s best to work with an experienced cybersecurity professional.
While the above may soon be mandated by law, it’s important to remember that checking boxes does not guarantee a cyber-attack or breach will not happen. The requirements will help reduce the risk for agencies in compliance, but they should be taken further by continually monitoring systems and data for signs of a breach.
When do businesses need to start taking action?
Some states have already passed laws, while others like this NAIC Model Law are still under review. In the meantime, hackers aren’t waiting for legislation to catch up – if anything, attacks are becoming more and more rampant year over year.
With your business still at risk, there’s no reason to wait to start being more secure. Cybersecurity services are more affordable than most people realize and taking some simple steps to implement services like Security Awareness Training may be enough to thwart your next phishing email/ransomware attack.
It’s a serious gamble to wait for government regulations to catch up to the real-world threats that risk your business’ reputation, operations, and overall success.
Have questions about the NAIC Model Law?
Does your business have questions about the NAIC Model Law? Rigid Bits has deep connections in the Insurance industry and can help your business understand your risks and options for reducing those risks. We’ve developed specific packages to help your business meet regulatory requirements as well as solutions to providing true business security.
Contact us for more information.