Cybersecurity risks have become more significant as critical consumer financial and health information is increasingly stored in electronic form. On April 16, 2015, the National Association of Insurance Commissioners (NAIC) adopted guidance concerning the protection of sensitive consumer information held by insurers and insurance producers. The document is also intended to aid insurance regulators in identifying uniform standards, to promote accountability across the entire insurance sector, and to provide access to essential information.
The guidance consists of 12 principles that were derived from similar cybersecurity regulatory guidance issued by the Securities Industry and Financial Markets Association (SIFMA). Among other things, the NAIC indicates that state insurance regulators have a responsibility to ensure that personally identifiable consumer information held by insurers, producers and other regulated entities is protected from cybersecurity risks. Further, the guidance states that regulators should mandate that these entities have systems in place to promptly alert consumers in the event of a breach.
The NAIC notes that regulatory guidance must be risk-based and must consider the resources of the insurer or insurance producer, but with the caveat that a minimum set of cybersecurity standards must be in place for all insurers and insurance producers that are physically connected to the Internet and/or other public data networks, regardless of size and scope of operations. The NAIC expects insurers, producers, and other regulated entities to join forces in identifying risks and adopting practical solutions to protect information entrusted to them, including planning for incident response and taking steps to ensure that third parties and service providers have controls in place to protect personally identifiable information.
In the wake of several recent large-scale data breach incidents, companies can expect to see more laws and regulations regarding data security at both the federal and state level. Although the concepts included in the NAIC guidance are not particularly new, insurers and other regulated entities will likely want to review the guidance to ensure that they are focusing on the same basic principles as the regulators. Companies outside the insurance sector may also find the guidance useful for their own cybersecurity efforts.