NAIC’s model cybersecurity law is a wake-up call for the insurance industry
We knew this day was coming. The National Association of Insurance Commissioners (NAIC) adopted the Insurance Data Security Model Law.
As the NAIC press release states, “the model law creates rules for insurers, agents, and other licensed entities covering data security, investigation, and breach notification. This includes maintaining an information security program based on ongoing risk assessment, overseeing third-party service providers, investigating data breaches, and notifying regulators of a cybersecurity event.”
For insurance companies, this is a wake-up call to take action on your information security program. Here are six tips to kickstart your compliance process.
- Review cybersecurity law requirements
Dive into the insurance data security model law to see what’s required.
For example, Section 4. Information Security Program details implementing a program and requirements for assessments, reporting, audits, policies, and procedures. That sounds easy on the surface but grows in complexity the more you read. You need to not only identify internal and external threats but also assess the potential damage and take proactive steps like using policies and procedures to manage the threats.
In Section 6. Notification of a Cybersecurity Event, you’ll learn about the model law’s breach notification rule. The notification window is 72 hours from the determination of a cyber event. Suffice it to say, if a policyholder is harmed and you just learned about it, the clock is ticking.
- Perform a gap analysis
Conduct an audit of your organization’s current cybersecurity controls, policies and standards. Are they formalized and in writing? That’s a step you’ll need to take.
Now compare your organization’s controls, policies, and standards to NAIC’s model cybersecurity requirements. What’s different or lacking? Identifying gaps and conducting risk assessments will point you in the right direction. You’ll know your priorities, risks, and marching orders.
- Define business processes
To fill gaps and comply with the NAIC cybersecurity law, start from within by defining your business processes.
You need a long-term solution that satisfies compliance with cybersecurity laws and with existing and new regulations, and that adapts to regulatory change. Start by mapping out your processes. Identify interactions, deliverables, and parties involved. Then define roles and responsibilities, and catalog your inventory. You want to know who does what and which assets are at risk of cyber attacks.
- Focus on third parties
The NAIC model cybersecurity law gives special attention to security measures with third-party providers. You’re responsible for oversight: ensuring third parties implement administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to, or held by, third-party service providers.
Meeting third-party security requirements means conducting assessments to ensure third parties are delivering those measures. Section 4. C. Risk Assessment stipulates identifying threats with an ongoing assessment and an annual review of systems, controls, processes, and procedures. Whether it’s your organization or your third parties, assessments are the go-to tool and vigilance is the driver.
- Streamline compliance
Armed with the knowledge from steps 1-4, you’re ready to formalize compliance processes. The most direct way to go about that is finding a technology that adapts to your processes. Don’t buy into the hype of a turnkey solution that forces you to adapt to another system. Integrated risk management platforms offer a better option, plus they deliver three key capabilities demanded by a cybersecurity law. One, support and integrate information security programs. Two, facilitate incident response management. Three, streamline regulatory compliance.
Look for an integrated risk management platform that can house your information security program, as well as equip you to manage compliance activities and incidents efficiently and effectively. If and when you have to report a cybersecurity event, the platform will save you time gathering the required documentation and reporting the event within the 72-hour window.
- Create a culture of security
Good security practices among the rank and file are important. According to Tom Garrubba with the Santa Fe Group, 60-70 percent of data breaches occur within the organization. Instilling a culture of security can help address a majority of data breaches and is harmonious with cybersecurity law compliance.
By creating a culture of security within your organization, you can more easily carry out the requirements of NAIC’s model cybersecurity law. Implement policies and procedures to communicate the importance of security and drive behavior. Use security training with role playing, learning assessments, and other best practices from the employee training world. Then keep the education top of mind with tactics like sharing phishing examples. The reward for your efforts is being the catalyst for a more security-conscious workforce.
Insurance for insurance companies
NAIC’s model cybersecurity law doesn’t have an enactment date yet and may undergo fine-tuning. However, taking proactive steps toward compliance is insurance for insurance companies.
Insurance companies have information on policyholders that hackers would love to steal. Law or not, a strong cybersecurity program is essential for protecting policyholder data and helping prevent data breaches that have plagued many industries and major players. Do what you do best as an insurance company. Envision tomorrow and take action today.