The National Association of Insurance Commissioners (NAIC) adopted 12 principles for “direct insurers, producers, and other regulated entities to join forces in identifying risks and adopting practical solutions to protect information entrusted to them” on April 17, 2015. The NAIC’s 12 “Principles for Effective Cybersecurity: Insurance Regulatory Guidance” included these Principles:
Principle 4: Cybersecurity regulatory guidance for insurers and insurance producers must be flexible, scalable, practical and consistent with nationally recognized efforts such as those embodied in the National Institute of Standards and Technology (NIST) framework.
Principle 7: Planning for incident response by insurers, insurance producers, other regulated entities and state insurance regulators is an essential component to an effective cybersecurity program.
Principle 9: Cybersecurity risks should be incorporated and addressed as part of an insurer’s or an insurance producer’s enterprise risk management (ERM) process. Cybersecurity transcends the information technology department and must include all facets of an organization.
Principle 10: Information technology internal audit findings that present a material risk to an insurer should be reviewed with the insurer’s board of directors or appropriate committee thereof.
Principle 12: Periodic and timely training, paired with an assessment, for employees of insurers and insurance producers, as well as other regulated entities and other third parties, regarding cybersecurity issues is essential.
Time will only tell if these Principles are adopted and they help cyberinsuranced insureds.