Cybersecurity is an issue of growing importance for insurers as well as society in general. Insurers encounter cybersecurity issues in a variety of ways. Like all members of the interconnected business community, insurers are potential targets as they hold consumer personal information. Because of this, insurers have an obligation to take steps to protect that information and, by insuring cyber risk, to play a role in shaping how society responds to the growing exposure to that risk.
The economic vitality and national security of the United States depend on a stable, safe, and resilient cyberspace. Individuals and businesses rely on a vast and interconnected array of networks for power, communications, financial services, transportation, and health, in addition to the provision of government services. Almost every aspect of 21st century life is directly affected or threatened by cyber criminals and terrorists.
The 114th Congress passed legislation incentivizing the sharing of cyber-threat information between the private sector and the federal government. The main provision in the bill, called the Cybersecurity Information Sharing Act (CISA), provides protections from liability, non-waiver of privilege, and protections from Freedom of Information Act disclosure to encourage companies voluntarily to share information—specifically, information about “cyber threat indicators” and “defensive measures”—with the federal government, state and local governments, and other companies and private entities. To qualify for these protections the information shared must meet strict requirements such as the removal of personal information.
NAMIC supports federal activity that would help improve the nation’s ability to withstand cyber-attacks through threat information-sharing. Any information sharing requirements should not be overly burdensome and any security standards must be technologically neutral and based on outcomes.
January 21, 2020 NAMIC is working to educate members of the House Financial Services Committee on the potential pitfalls of legislation to expand the ability of less-regulated insurance entities to write new lines of insurance ahead of a Jan. 29 hearing on the bill.
January 21, 2020 President Trump signed the first phase of a trade agreement with the Chinese government at the White House Jan 25 and announced that talks for the second phase will begin soon. As part of the agreement, the United States will lower tariffs on...
January 21, 2020 The House Financial Services Committee Subcommittee on Investor Protection, Entrepreneurship, and Capital Markets held a hearing Jan. 15 titled “Overseeing the Standard Setters: An Examination of the Financial Accounting Standards Board and...
In 2014, the NAIC formed a Cybersecurity Task Force to undertake an ambitious agenda of work products, following the disclosure of a massive security breach at the health insurer Anthem. The Task Force developed a set of regulatory principles, proposed a “Bill of Rights” for consumers, and set out to develop a model law addressing data security issues for insurers and other regulated entities. The Task Force also enhanced financial exam standards to focus on cybersecurity issues and developed a supplement to the annual statement to collect information on insurers’ writing of cybersecurity insurance.
The NAIC Cybersecurity Task Force's development of both data security standards and security breach protocol measures has involved addressing many issues, including: 1) the breadth of the definitions of personal information and cybersecurity breach event; 2) the inclusion of a harm trigger to determine when notice to regulators and consumers is required; and 3) the obligation to ensure proper measures and practices of third-party service providers.
NAMIC has engaged in every initiative undertaken by the Cybersecurity Task Force by continually stressing the need for regulatory measures to be risk-based and scalable to match the needs and abilities of entities of varying size and complexity, and to be workable from a compliance perspective.
January 16, 2020 The Group Capital Calculation (E) Working Group issued a memorandum (Att. 1 – GCC Memo) to the Group Solvency Issues (E) Working Group regarding needed changes to the Insurance...
January 16, 2020 The Statutory Accounting Principles (E) Working Group hosted a teleconference Jan. 8 to discuss comments received from industry representatives on a controversial proposal that, if adopted, would...
January 16, 2020 The next step to expand the number of bond designations in the property/casualty Risk Based Capital formula from six to 20 categories was formally taken as the CATF exposed for...
December 13, 2019 Attendees of the Group Capital Calculation (E) Working Group meeting on Dec. 7 were among the first to look at preliminary field-testing results of the GCC tool being developed by the working group. NAIC staff has reviewed 31...
December 13, 2019 The Property and Casualty (C) Committee dedicated time to hear presentations from a trade panel that included NAMIC. The industry was charged with discussing possible underinsurance challenges and solutions, particularly in the context of...
Understanding the Evolving Cybersecurity Standards Landscape for Insurers
The amazing benefits of a technologically advanced and interconnected society have not been attained without the price of sobering exposure to substantial and even potentially catastrophic harm. The headlines regularly convey the latest security breaches, typically involving increasing volumes of a variety of information being accessed or stolen, affecting a larger number of individuals as potential victims. Unsurprisingly, the insurance industry, given its role in supporting risk management by businesses and individuals, has not been immune in...
December 13, 2019 The NAIC Innovation and Technology (EX) Task Force moved forward with its intention to explore anti-rebating modernization at the fall meeting in Austin. Three significant decisions were made concerning the work of the task force in this regard.
November 5, 2019 An update on the current status of NAMIC’s discussions with the Virginia Bureau of Insurance regarding the bureau’s draft cybersecurity legislation follows...
October 28, 2019 The Senate Banking Committee held a hearing Oct. 24 titled “Data Ownership: Exploring Implications for Data Privacy Rights and Data Valuation,” its fourth hearing on data security and privacy issues hosted this year. During this hearing the...
October 24, 2019 The Virginia Bureau of Insurance has issued its final cybersecurity law proposal to the industry. NAMIC has been working with the bureau to improve earlier drafts of the legislation that significantly strayed...
August 9, 2019 Enacted HB 174 substantially adopts the provisions of NAIC’s Insurance Data Security model law. The Delaware Department of Insurance released a letter detailing the enactment.