The NAIC has begun its efforts to amp up state insurance department oversight of cybersecurity practices with the release of two documents for public comment. The first, entitled Principles for Effective Cybersecurity Insurance Regulatory Guidance (the “Principles”), is a document listing 18 principles for effective regulatory guidance regarding the protection of the insurance sector’s data security and infrastructure. The second is a proposed supplement to the annual statement to provide disclosure about cybersecurity insurance coverage written by U.S. licensed insurers. Comments on both drafts are due March 23.
The Principles were developed by the NAIC’s Cybersecurity (EX) Task Force, which is charged with making recommendations on cybersecurity issues, coordinating with other NAIC committees, and communicating with other groups outside the NAIC on cybersecurity issues, including information sharing. The NAIC has stated the Principles will help state insurance departments identify uniform standards, promote accountability, and provide access to essential information. It also described the Principles document as outlining a process for working with the insurance industry to identify risks and offer practical solutions.
The Principles are derived from the nearly identically named Principles for Effective Cybersecurity Regulatory Guidance issued by the Securities Industry and Financial Markets Association (SIFMA) on October 20, 2014. The NAIC and SIFMA principles share in common recognition of the value of public-private collaboration in the development of regulatory guidance and an acknowledgment of the role of the federal government in developing a consistent national approach. The Principles recognize that “regulatory guidance should be flexible, scalable and practical,” and that the NAIC’s guidance should be “consistent with the national efforts embodied in the National Institute of Standards and Technology (NIST) framework.” The NIST Framework was issued by the White House in February 2014 as a collaborative effort between government and the private sector to provide a flexible approach that applies the principles and best practices of risk management to cybersecurity in order to improve the security and resilience of the nation’s critical infrastructure. In that regard, the Principles call for cybersecurity risks to be addressed as part Enterprise Risk Management processes. The Principles also address corporate governance, stating that “high level information technology audit findings” should be discussed at board of directors meetings.
Consistent with the approach taken by other financial regulators, the Principles state that effective cybersecurity guidance should be “risk-based and threat-informed,” and stress that it is essential that insurers and insurance producers join the Financial Services Information Sharing and Analysis Center (FSISAC) in order to share threat information and stay informed about best practices. Both FINRA and the New York Department of Financial Services made similar points in their reports issued earlier this year.
Incident response planning, encryption, periodic and timely training of employees, and effective management of cybersecurity risks posed by third parties and service providers are also critical elements of the Principles. Regulatory oversight in the form of “risk-based, value-added” financial and/or market conduct exams regarding cybersecurity is also a crucial element of the Principles.
Finally, the Principles address cybersecurity insurance, recognizing the need for enhanced solvency oversight of insurers selling cybersecurity insurance and stating that additional data on the sale of cybersecurity insurance products should be collected to assist insurance regulators with their financial and market conduct oversight of the cybersecurity insurance industry. To that end, the NAIC’s Property and Casualty Insurance (C) Committee has proposed a Cybersecurity Insurance Coverage Supplement that asks for direct written and earned premiums, paid and incurred direct losses (with separate disclosure for costs of direct defense and cost containment), number of claims-made and occurrence policies in force and limits offered. It asks for premium and loss data separately for stand-alone and multiple peril policies. It remains to be seen whether industry will push back on a requirement to disclose this information as part of the publicly available annual statement supplements.
As noted, comments on both documents are due on March 23. Both proposals likely will be discussed during the upcoming Spring National Meeting in Phoenix.
