Last Updated 4/1/2020

Issue: Cybersecurity is perhaps one of the most important topics for the insurance sector today. Insurers and insurance producers must protect the highly sensitive consumer financial and health information collected as part of the underwriting and claims processes. This personally identifiable information (PII) is entrusted to the industry by the public.

Amid the rising incidence of cyberattacks and the growing number of high-profile data breaches (e.g., the U.S. Office of Personnel Management, Anthem, Premera Blue Cross, Target, JP Morgan Chase, Neiman Marcus, Home Depot and Equifax), the government has stepped up its scrutiny of cybersecurity. This has led to increasing calls for legislation and regulation for enhanced cybersecurity measures to address the numerous risks posed by a cyberattack, including, but not limited to: (1) identity theft; (2) business interruption; (3) damage to reputation; (4) data repair costs; (5) theft of customer lists or trade secrets; (6) hardware and software repair costs; (7) credit monitoring services for impacted consumers; and (8) litigation costs. Most commercial property and general liability policies do not cover cyber risks, and cyber insurance policies are highly customized for clients in a new and quickly growing market currently estimated around $3.1 billion. This number includes surplus lines data, which the NAIC began collecting in 2016.

The National Institute of Standards and Technology (NIST) has provided a framework for improving critical infrastructure cybersecurity, most recently updated in 2018. The framework provides a structure of standards, guidelines and practices to aid organizations, regulators and customers with critical infrastructures in effectively managing their cyber risks.

Status: There have been two major breaches of health insurance information in recent years. In addition to directly working with Anthem and Premera Blue Cross to resolve immediate concerns, state insurance regulators continue to monitor cybersecurity in the insurance sector closely. State insurance regulators serve on the U.S. Department of the Treasury's (Treasury Department) Financial Banking and Information Infrastructure Committee (FBIIC) where they work with federal regulators to address cyber threats in the U.S. State insurance regulators are also in the unique position of regulating and monitoring the solvency of insurance carriers underwriting cybersecurity policies.

The NAIC has completed several cybersecurity activities in recent years. In 2014, the NAIC formed a Cybersecurity (EX) Working Group charged with identifying regulatory priorities and activities. The group was disbanded in late 2017 after the NAIC membership adopted several of the Working Group's recommendations, including:

The cybersecurity charges were moved up to the Innovation and Technology (EX) Task Force following the disbanding of the Cybersecurity (EX) Working Group in late 2017.

In addition, the NAIC membership adopted a Cybersecurity Insurance and Identity Theft Coverage Supplement for the property/casualty annual financial statement to collect information about cybersecurity insurance markets. Filings have been received for data from 2015 to 2018. Analysis of 2018 data showed approximately 500 insurers provided businesses and individuals with cyber insurance in the U.S., with 96% writing the coverage as part of a package policy.

Additional Resources

News Releases

Understanding the NAIC Insurance Data Security Model Law

NAIC Passes Insurance Data Security Model Law
Cybersecurity model law creates information security standards for insurers

NAIC/Stanford Host Joint Cybersecurity Forum


