On April 16, the NAIC's Cybersecurity Task Force announced twelve "Principles for Effective Cybersecurity Insurance Regulatory Guidance," intended to advise industry regulators concerning the privacy and security practices of insurance agents, companies and others that fall under their jurisdiction. Here's what privacy professionals should know about this new set of principles.

Whose Principles?

The NAIC, or National Association of Insurance Commissioners, is an organization created as a forum for state insurance leaders to coordinate, promote consistency and set standards and best practices.

Since the insurance industry in the U.S. is regulated at the state level through the departments of insurance for each state and jurisdiction—fifty-six insurance commissioners in all, from fifty states, five territories, and the District of Columbia—the NAIC's model laws and regulations can ease compliance challenges for multi-state insurance companies, agents and others.

What are the Principles?

The full text of the new NAIC guidance is available here and makes for a relatively quick read; to summarize:

Principle 1 places on regulators the responsibility "to ensure that personally identifiable consumer information," an undefined term, "is protected from cybersecurity risks." Further, all "regulated entities" must have a "timely" consumer breach notification system.

Principle 2 directly requires that regulated entities safeguard data, but uses a slightly different description: "Confidential and/or personally identifiable consumer information data."

Principle 3 turns to the responsibility of regulators, requiring that departments of insurance and the NAIC protect "insurers’ or insurance producers’ confidential information, as well as personally identifiable consumer information" and that they notify those affected by a breach "in a timely manner."

Principle 4 lists the ideal characteristics of regulatory guidance: "flexible, scalable, practical and consistent with nationally recognized efforts such as those embodied in the National Institute of Standards and Technology (NIST) framework."

Principle 5 emphasizes basing standards on the risks and resources of the insurer or agent—but maintaining "a minimum set of cybersecurity standards ... regardless of size and scope of operations."

Principle 6 instructs regulators to "provide appropriate regulatory oversight," such as "risk-based financial examinations and/or market conduct examinations regarding cybersecurity."

Principle 7 addresses the importance of incident response plans—for regulators and the regulated alike.

Principle 8 assigns a responsibility to regulated entities and regulators "to ensure that third parties and service providers have controls in place to protect personally identifiable information."

Principle 9 argues for a holistic view of risk management: placing cybersecurity underneath the larger umbrella of enterprise risk management (ERM), where it "transcends the information technology department."

Principle 10 elevates responsibility for reviewing risks and IT audits to the highest level: the board of directors.

Principle 11 encourages members of the insurance industry to work with "an information-sharing and analysis organization (ISAO)," through which they and their industry peers report incidents to allow for a rapid response—and to prevent a virus or vulnerability from crippling the industry. There is an educational aspect as well, since these entities will help insurers "stay informed regarding emerging threats or vulnerabilities, as well as physical threat intelligence analysis and sharing." Paired with President Obama's February executive order promoting ISAOs, this guidance follows a recent trend.

Principle 12 emphasizes the importance of cybersecurity training and assessment of employees (both for insurance entities and third parties).

What's Next?

NAIC model laws, regulations and guidance are not directly binding on the industry, so privacy professionals should look to their state (or territory or district) government to determine the extent to which these new principles enter into state law. NAIC recommendations are often adopted in part or whole by state legislators or regulators, so its guidance can provide a key early indicator of emerging issues and coming regulatory trends—and give you a head start.

Even if implemented, it remains to be seen just how impactful these principles might be, since some of this guidance may align with existing requirements from state insurance regulators or state financial laws. For example: insurance companies and agents are already subject to the Gramm-Leach-Bliley Act (GLBA) and its "affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' non-public personal information" (15 U.S.C. § 6801). (For more, check out the GLBA Guide on the IAPP's Resource Center.)

Ultimately, the effect will vary by state. State laws with stricter requirements are not preempted by GLBA, so more elements of the NAIC principles may already be on the books—or states could use this new guidance as an opportunity to beef up their laws. Insurance departments, currently charged with enforcing GLBA requirements for their industry, may similarly have more stringent standards in their regulations already, or may look to add to the existing body of requirements.

Since several of the NAIC principles promote cutting-edge best practices—ISAOs, holistic ERM, board oversight of risk and audits and more—that might not yet be contemplated by industry organizations' existing policies and procedures, some insurers could find themselves scrambling to catch up.

Privacy pros should take a look now to see how their entity would measure up. Then, when your legislature or regulator acts, you can tell your boss that it's already taken care of.