Last Updated 9/18/19
Issue: Cybersecurity is perhaps one of the most important topics for the insurance sector today. Insurers and insurance producers must protect the highly sensitive consumer financial and health information collected as part of the underwriting and claims processes. This personally identifiable information (PII) is entrusted to the industry by the public.
Amid the rising incidence of cyberattacks and the growing number of high-profile data breaches (e.g., the U.S. Office of Personnel Management, Anthem, Premera Blue Cross, Target, JP Morgan Chase, Neiman Marcus, Home Depot and Equifax), the government has stepped up its scrutiny of cybersecurity. This has led to increasing calls for legislation and regulation for enhanced cybersecurity measures to address the numerous risks posed by a cyberattack, including, but not limited to: (1) identity theft; (2) business interruption; (3) damage to reputation; (4) data repair costs; (5) theft of customer lists or trade secrets; (6) hardware and software repair costs; (7) credit monitoring services for impacted consumers; and (8) litigation costs. Most commercial property and general liability policies do not cover cyber risks, and cyber insurance policies are highly customized for clients in a new and quickly growing market currently estimated around $3.1 billion. This number includes surplus lines data, which the NAIC began collecting in 2016.
In February 2014, the National Institute of Standards and Technology (NIST) released the Framework for Improving Critical Infrastructure Cybersecurity. The framework is a voluntary structure of standards, guidelines and practices that helps organizations operating critical infrastructure, along with their regulators and customers, manage cyber risk effectively. NIST released Framework Version 1.1 in April 2018. The updated version adds or expands guidance on authentication and identity; self-assessing cybersecurity risk; managing cybersecurity within the supply chain; and coordinated vulnerability disclosure.
Status: There have been two major breaches of health insurance information in recent years. In addition to working directly with Anthem and Premera Blue Cross to resolve immediate concerns, state insurance regulators continue to monitor cybersecurity in the insurance sector closely. State insurance regulators serve on the U.S. Department of the Treasury's (Treasury Department) Financial and Banking Information Infrastructure Committee (FBIIC) and on the Executive Branch and Independent Agency Regulatory Cybersecurity Forum, where they work with federal regulators to address cyber threats in the U.S. State insurance regulators are also in the unique position of regulating and monitoring the solvency of the insurance carriers that underwrite cybersecurity policies.
The NAIC has completed several cybersecurity activities in recent years. Much of the work was done under the Cybersecurity (EX) Working Group, which was disbanded in late 2017; its cybersecurity charges were then moved up to the Innovation and Technology (EX) Task Force. Before the Working Group disbanded, the NAIC membership adopted several of its recommendations, including:
- Adopted the Principles for Effective Cybersecurity: Insurance Regulatory Guidance. The 12 principles direct insurers, producers and other regulated entities to better identify risks and develop practical solutions to protect consumer information.
- Adopted the NAIC Roadmap for Cybersecurity Consumer Protections, a project aimed at bolstering consumer protection.
- Updated the Financial Condition Examiners Handbook for revised cybersecurity protocols.
- Recommended the Market Regulation Handbook be updated similarly.
- Adopted the new Insurance Data Security Model Law (#668). Model #668 requires insurers and other entities licensed by state insurance departments to develop, implement and maintain an information security program; investigate any cybersecurity events; and notify the state insurance commissioner of such events. The states are now working to introduce the model in their legislatures. South Carolina was the first state to enact Model #668 followed by Ohio.
In 2019, the Market Regulation and Consumer Affairs (D) Committee adopted a charge to review state insurance privacy protections regarding the collection, use, and disclosure of information gathered in connection with insurance transactions. The Committee will also recommend changes, as needed, to certain NAIC models such as the NAIC Insurance Information and Privacy Protection Model Act (#670) and the Privacy of Consumer Financial and Health Information Model Regulation (#672) by the 2020 Summer National Meeting.
In addition, the NAIC membership adopted a Cybersecurity Insurance and Identity Theft Coverage Supplement to the property/casualty annual financial statement to collect information about the cybersecurity insurance market. Filings have been received for 2015, 2016 and 2017 data. Analysis of the 2017 data showed that approximately 500 insurers provided cyber insurance to businesses and individuals in the U.S. A little over half of these coverages were written as stand-alone policies.
Committees Active on This Topic
The Year Before Us: Perspectives from NAIC President Ted Nickel
March 2017, CIPR Newsletter
Insurance Data Security Model Law
Adopted October 24, 2017
Cybersecurity Legislative Issue Brief
The Cybersecurity Landscape Presentation
May 18, 2016, CIPR Event
Cybersecurity Issues, Challenges, and Solutions Program
May 18, 2016, CIPR Event
Recent Regulatory Initiatives to Tackle the Growing Threat of Cyber Risk
December 2015, CIPR Newsletter
Roadmap for Cybersecurity Consumer Protections
Adopted December 17, 2015
Cybersecurity takes Center Stage
May 2015, CIPR Newsletter
Principles for Effective Cybersecurity: Insurance Regulatory Guidance
Adopted April 16, 2015
CIPR Event Examines Cyber Liability Risk and Issues Facing the Insurance Industry
July 2014, CIPR Newsletter
Cyber Liability: It's Just a Click Away
2014, Journal of Insurance Regulation
Managing Cyber Risks
October 2012, CIPR Newsletter
NAIC Passes Insurance Data Security Model Law
Cybersecurity model law creates information security standards for insurers
Insurance Highlighted at Congressional Hearing on Cyber
NAIC's cyber chair testifies on emerging challenges on cyber insurance issues