Shortly after the discovery of a cybersecurity breach at the health insurance company Anthem, Inc., the National Association of Insurance Commissioners (NAIC) called for a multi-state examination of Anthem’s cybersecurity practices to determine what protections were in place and what actions could have been taken to minimize data losses.  The examination is currently underway and led by insurance regulators from California, Indiana, Maine, Missouri, New Hampshire, North Dakota and South Carolina.  It should be noted that while this appears to be the first large scale multi-state examination of an insurer’s cybersecurity practices, some insurance departments, such as Connecticut, have already been conducting review of an insurer’s cybersecurity policies and procedures as part of its regular examinations.

Subsequently, NAIC released for comment two draft documents on cybersecurity. The first draft document, developed by NAIC’s recently created Cybersecurity Task Force, is entitled “Principles for Effective Cybersecurity Insurance Regulatory Guidance” (the Principles).  The Principles were designed to help state insurance departments identify cybersecurity risk and establish uniform standards to protect against it. The Principles also identify ways in which state regulators and NAIC can work with the insurance industry to flag these risks and work together on meaningful solutions.

The second draft document, developed by NAIC’s Property and Casualty Insurance Committee, is NAIC’s “Annual Statement Supplement for Cybersecurity Policies” (the Supplement).  The Supplement reviews recent cybersecurity exposures.

In addition to NAIC’s multi-state examination of Anthem, and its release of the draft Principles and Supplement, the New York State Department of Financial Services (NYDFS) is also looking into insurers’ cybersecurity practices.  NYDFS recently released the results of its cybersecurity survey of insurance companies. The survey inquired about insurers’ current and future cybersecurity programs, including their use of third-party vendors.  Forty-three insurance companies responded to the survey and provided insight into existing and planned cybersecurity programs, as well as the nature of measures taken by them to safeguard sensitive data and/or to protect against loss due to security incidents.


NYDFS is the principal regulator for insurance companies operating in the State of New York, as well as certain financial entities and other financial institutions. NAIC is the U.S. standard-setting and regulatory support organization created and governed by the chief insurance regulators from the 50 states, the District of Columbia and five U.S. territories.