UPDATE: For additional insight on the NAIC Guidance, please see our recent quotes in Modern Health Care Magazine's article entitled "Insurers Face Tougher Oversight on Protecting Data"
Effective April 16, 2015, the Cybersecurity Task Force of the National Association of Insurance Commissioners (NAIC) adopted Principles for Effective Cybersecurity Insurance Regulatory Guidance. The 12 principles which were adopted direct insurers, producers, and other regulated entities to join forces in identifying risks and adopting practical solutions to protect information entrusted to them, and are intended to establish insurance regulatory guidance that promotes coordination and protects insurance consumers. As explained by the NAIC, cybersecurity risks have become more significant as critical consumer financial and health information is increasingly stored in electronic form, and recent high-profile data breaches have led regulators to work toward strengthening insurer defenses against attacks. Consumers have a right to expect that personal financial and health information entrusted to insurers and health care providers is secure.
Among other things, the Principles note that insurance regulators have a responsibility to ensure that personally identifiable consumer information held by insurers, producers and other regulated entities is protected from cybersecurity risks. Additionally, state insurance regulators should mandate that these entities have systems in place to alert consumers in a timely manner in the event of a cybersecurity breach, and the regulators should collaborate with insurers, insurance producers and the federal government to achieve a consistent, coordinated approach. Further, regulatory guidance must be risk-based and must consider the resources of the insurer or insurance producer, with the caveat that a minimum set of cybersecurity standards must be in place for all insurers and insurance producers that are physically connected to the Internet and/or other public data networks, regardless of size and scope of operations. State insurance regulators should provide appropriate regulatory oversight, which includes, but is not limited to, conducting risk-based financial examinations and/or market conduct examinations regarding cybersecurity.
In addition, the Principles note that cybersecurity risks should be incorporated and addressed as part of an insurer's or an insurance producer's enterprise risk management) process, as cybersecurity transcends the information technology department and must include all facets of an organization. Towards that end, the Principles guide that periodic and timely training, paired with an assessment, for employees of insurers and insurance producers, as well as other regulated entities and other third parties, regarding cybersecurity issues is essential.