15 Days of Cyber Insurance: Examinations

The National Association of Insurance Commissioners is in the process of developing cybersecurity examinations that will allow state insurance regulators to determine necessary cybersecurity measures and associated risks, and communicate these requirements to insurers. As with other examinations performed by insurance regulators, details of regulation will vary by state, and states like California that have been at the forefront of data breach reporting requirements are likely to have stringent requirements that reflect the variety and value of the industries within the state. 

The NIST framework for cybersecurity technology is likely to form the foundation of the NAIC’s examinations, and the NIST framework has been accepted by a range of industries as a useful guideline document. Insurers should expect that where their policies align most closely with the NIST framework, they will have the easiest time documenting their expectations and communicating those expectations to clients. 

Even within insurance companies, adequate cybersecurity measures should be a concern; cybersecurity is not only a problem for clients, and insurers can test new examinations and guidelines on their own organizations. For example, cyber risk assessments should be performed regularly and communicated to senior management; third-party vendor relationships should be closely supervised for security and access controls; risks should be ranked in terms of critical data, and security measures should address the greatest risks most thoroughly; and incident response processes should be documented and established prior to the discovery of an incident, to ensure rapid response and communication.

Amendments to the IT section of the Financial Condition Examiners’ Handbook, which strengthen pre-existing cybersecurity guidance, provide an example of the examination guidelines for other industries that are likely to follow in NAIC cybersecurity examinations. These amendments include:

 Prevention. A robust prevention strategy should (a) include a combination of strong policies, system and network access controls, and data security protection, as appropriate to the broad security environment in which the insurer is operating, including the volume and type of sensitive information obtained, maintained or transmitted by the insurer, the security laws and regulations to which it is subject, its size and complexity, and the nature and scope of its activities; (b) address risks presented by third-party access to network information; and (c) include employee training that details risk-prevention objectives and the importance of an employee’s assigned responsibilities.
 Detection. Insurers should have a strong set of detective controls that enable timely identification and mitigation of threats that may include anti-virus and anti-malware software, as well as network monitoring.
 Response and Recovery. Insurers should have an incident response plan that may leverage concepts from the insurer’s broader disaster recovery plan, but may also require unique considerations since recovering from a cybersecurity incident involves consideration of an IT-specific event. Notwithstanding, the examiner should note that network threats and incidents are not rare events like environmental incidents.

-Allison Berke
