Background

Last Updated: 5/9/2024

Issue: Cybersecurity is perhaps one of the most important topics for the insurance sector today. Insurers and insurance producers must protect the highly sensitive consumer financial and health information collected as part of the underwriting and claims processes. This personally identifiable information (PII) is entrusted to the industry by the public.

Amid the rising incidence of cyberattacks and the growing number of high-profile data breaches, the government has stepped up its scrutiny of cybersecurity. This has led to increasing calls for legislation and regulation for enhanced cybersecurity measures to address the numerous risks posed by a cyberattack, including, but not limited to: (1) identity theft; (2) business interruption; (3) damage to reputation; (4) data repair costs; (5) theft of customer lists or trade secrets; (6) hardware and software repair costs; (7) credit monitoring services for impacted consumers; and (8) litigation costs. Most commercial property and general liability policies do not cover cyber risks, and cyber insurance policies are highly customized for clients. In 2020, premiums were estimated at around $6.5 billion, an increase of 61% from the prior year. This number reflects both stand-alone cybersecurity insurance products and cybersecurity insurance written as part of a package policy. It also includes alien surplus lines data, which the NAIC began collecting in 2016. The latest Report on the Cybersecurity Insurance Market can be found here.

The National Institute of Standards and Technology (NIST) has provided a cybersecurity framework for improving critical infrastructure cybersecurity, most recently updated in 2020. The framework provides a structure of standards, guidelines, and practices to aid organizations, regulators, and customers with critical infrastructures in effectively managing their cyber risks.

State insurance regulators serve on the U.S. Department of the Treasury's (Treasury Department) Financial Banking and Information Infrastructure Committee (FBIIC), where they work with federal regulators to address cyber threats in the United States. State insurance regulators continue to monitor cybersecurity in the insurance sector closely. In addition, regulators work with insurers to resolve immediate concerns when a data breach occurs at an insurance company. State insurance regulators are also in the unique position of regulating and monitoring the solvency and market activities of insurance carriers underwriting cybersecurity policies.

International bodies, like the International Association of Insurance Supervisors (IAIS) and the IAIS’ Operational Resilience Task Force (ORTF), also take an active role in addressing cybersecurity, with state insurance regulators monitoring and participating in ongoing international discussions. The IAIS adopted an Application Paper on Supervision of Insurer Cybersecurity in 2018. More recently, the ORTF is developing an Issues Paper on operational resilience in the insurance sector.

Actions

Status: The NAIC membership has adopted several projects and recommendations of the former Cybersecurity (EX) Working Group:

  • Adopted the Principles for Effective Cybersecurity: Insurance Regulatory Guidance.
  • Adopted the NAIC Roadmap for Cybersecurity Consumer Protections, a project aimed at bolstering consumer protection.
  • Updated the Financial Condition Examiners Handbook for revised cybersecurity protocols.
  • Recommended the Market Regulation Handbook be updated similarly.
  • Adopted the new Insurance Data Security Model Law (#668), which requires insurers and other entities licensed by state insurance departments to develop, implement and maintain an information security program; investigate any cybersecurity events; and notify the state insurance commissioner of such events. To date, 21 states have adopted the model.

With the launch of the Innovation, Cybersecurity, and Technology (H) Committee, the Cybersecurity (H) Working Group has been reformed to again allow a forum for discussions related to cybersecurity. 

The actions taken by regulators should reflect, among other things, a commitment to the effective supervision of cybersecurity-related matters through both the financial and market examination processes, both of which are bolstered by the passage of the Model Law.
