Shortly after the discovery of a cybersecurity breach at the health insurance company Anthem, Inc., the National Association of Insurance Commissioners (NAIC) called for a multi-state examination of Anthem’s cybersecurity practices to determine what protections were in place and what actions could have been taken to minimize data losses.  The examination is currently underway and led by insurance regulators from California, Indiana, Maine, Missouri, New Hampshire, North Dakota and South Carolina.  It should be noted that while this appears to be the first large scale multi-state examination of an insurer’s cybersecurity practices, some insurance departments, such as Connecticut, have already been conducting review of an insurer’s cybersecurity policies and procedures as part of its regular examinations.

Subsequently, NAIC released for comment two draft documents on cybersecurity. The first draft document, developed by NAIC’s recently created Cybersecurity Task Force, is entitled “Principles for Effective Cybersecurity Insurance Regulatory Guidance” (the Principles).  The Principles were designed to help state insurance departments identify cybersecurity risk and establish uniform standards to protect against it. The Principles also identify ways in which state regulators and NAIC can work with the insurance industry to flag these risks and work together on meaningful solutions.

The second draft document, developed by NAIC’s Property and Casualty Insurance Committee, is NAIC’s “Annual Statement Supplement for Cybersecurity Policies” (the Supplement).  The Supplement reviews recent cybersecurity exposures.

In addition to NAIC’s multi-state examination of Anthem, and its release of the draft Principles and Supplement, the New York State Department of Financial Services (NYDFS) is also looking into insurers’ cybersecurity practices.  NYDFS recently released the results of its cybersecurity survey of insurance companies. The survey inquired about insurers’ current and future cybersecurity programs, including their use of third-party vendors.  Forty-three insurance companies responded to the survey and provided insight into existing and planned cybersecurity programs, as well as the nature of measures taken by them to safeguard sensitive data and/or to protect against loss due to security incidents.

Links:

NYDFS is the principal regulator for insurance companies operating in the State of New York, as well as certain financial entities and other financial institutions. NAIC is the U.S. standard-setting and regulatory support organization created and governed by the chief insurance regulators from the 50 states, the District of Columbia and five U.S. territories.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Kathleen Porter Kathleen Porter

Kathy Porter’s practice straddles the areas of intellectual property, business transactions, trade regulation, and Internet law and includes import/export control issues, such as compliance and enforcement, competition, privacy, and data security. She counsels businesses on the development and implementation of data security and…

Kathy Porter’s practice straddles the areas of intellectual property, business transactions, trade regulation, and Internet law and includes import/export control issues, such as compliance and enforcement, competition, privacy, and data security. She counsels businesses on the development and implementation of data security and privacy practices to comply with the patchwork of laws and rules applicable to the collection, use, safeguarding, sharing, and transfer of protected or personal data. She regularly structures arrangements with promoters, marketers, website exchanges, and other third parties for the purchase, sale, sharing, and safeguarding of personal data. Kathy prepares and negotiates representations, warranties, and indemnities regarding personal or protected data and privacy and data practices. She also assists clients with privacy audits and works with third-party certification organizations to obtain certification of companies’ privacy practices. She guides clients through internal investigations to assess and address notice and other obligations regarding privacy breaches. Kathy often works closely with our litigation attorneys to manage external investigations such as those by federal or state regulators. Read her rc.com bio here.