Committees Active on This Topic

News Releases

Additional Resources

NAIC/CIPR Articles

Contacts

Media queries should be directed to the NAIC Communications Division at 816-783-8909 or news@naic.org

Eric Nordman
Director, Regulatory Services and CIPR
816-783-8232

CIPR Homepage

CIPR Newsletter | Subscribe

Cybersecurity

Last Updated 4/30/18

Issue: Cybersecurity is perhaps the most important topic for the insurance sector today. Insurers and insurance producers must protect the highly sensitive consumer financial and health information collected as part of the underwriting and claims processes. This Personally Identifiable Information (PII) is entrusted to the industry by the public.

Amid the rising incidence of cyberattacks and the growing number of high-profile data breaches (e.g., the U.S. Office of Personnel Management, Anthem, Premera, Target, JP Morgan, Neiman Marcus, Home Depot and Equifax), the government has stepped up its scrutiny of cybersecurity. This has led to increasing calls for legislation and regulation for enhanced cybersecurity measures to address the numerous risks posed by a cyberattack, including, but not limited to: (1) identity theft; (2) business interruption; (3) damage to reputation; (4) data repair costs; (5) theft of customer lists or trade secrets; (6) hardware and software repair costs; (7) credit monitoring services for impacted consumers; and (8) litigation costs. Most commercial property and general liability policies do not cover cyber risks, and cyber insurance policies are highly customized for clients in a new and quickly growing market currently estimated around $2.49 billion. This number includes surplus lines data, which the NAIC received for the first time in 2016.

In February 2014, the National Institute of Standards and Technology (NIST) released a framework for improving critical infrastructure cybersecurity. The framework provides a structure of standards, guidelines and practices to aid organizations, regulators and customers with critical infrastructures in effectively managing their cyber risks. The NIST recently issued a draft update to its framework aimed at further developing its voluntary guidance on reducing cyber risks. Neither house of Congress have recently passed any bills addressing cybersecurity; however, this remains to be a key issue at the Federal level.

Status: There have been two major breaches of health insurance information in recent years. In addition to directly working with Anthem and Premera to resolve immediate concerns, state insurance regulators continue to monitor cybersecurity in the insurance sector very closely. State insurance regulators serve on the U.S. Department of the Treasury's Financial Banking and Information Infrastructure Committee (FBIIC) and on the Executive Branch and Independent Agency Regulatory Cybersecurity Forum, where they work with federal regulators to address cyber threats in the U.S. State insurance regulators are also in the unique position of regulating and monitoring the solvency of insurance carriers underwriting cybersecurity policies.

The NAIC has completed several cybersecurity activities in recent years. Much of the work has been done under the now disbanded Cybersecurity (EX) Working Group. The cybersecurity charges were moved up to the Innovation and Technology (EX) Task Force following the disbanding of the Cybersecurity (EX) Working Group at the 2017 NAIC Fall National Meeting. Before disbanding, the NAIC adopted several of the Working Group's recommendations including:

  • Adopted of the Principles for Effective Cybersecurity: Insurance Regulatory Guidance. The 12 principles direct insurers, producers and other regulated entities to better identify risks and develop practical solutions to protect consumer information.
  • Adopted of the NAIC Roadmap for Cybersecurity Consumer Protections, a project aimed at bolstering consumer protection.
  • Updated the NAIC Financial Examination Handbook for revised cybersecurity protocols
  • Recommended the NAIC Market Regulation Handbook be updated similarly
  • Adopted of the NAIC Insurance Data Security Model Law (#668). The Model Law requires insurers and other entities licensed by state insurance departments to develop, implement, and maintain an information security program; investigate any cybersecurity events; and notify the state insurance commissioner of such events. States are now working to introduce the model in their legislatures.

The Treasury Department, in its Report on Asset Management and Insurance, endorsed the model and recommended that Congress should consider preempting the states if it is not adopted in 5 years. Separately, there continues to be work in Congress on legislative proposals relating to Data Security, some of which would be preemptive of state authorities.

In addition, the NAIC adopted a Cybersecurity Insurance Coverage Supplement for the P/C annual financial statement to collect information about cybersecurity insurance markets. The initial filings were received April 1, 2016 for 2015 data and the second year of filings were received in April 2017 for 2016 data. Analysis for 2016 data showed more than 500 insurers provided business and individuals with cyber insurance in the U.S. The vast majority of these coverages were written as endorsements to commercial and personal policies. However, the size of the stand-alone market increased significantly.

The NAIC is considering creating a Cybersecurity Insurance Institute. The Institute would concentrate on perpetrators of fraud by identity theft, ransomware and other electronic means. The idea came as the outcome of the NAIC/Stanford University Joint Cybersecurity Forum on October 11, 2017. The Institute might include:

  • Collection and cataloging of data on cyber breaches;
  • Studying cybersecurity breach events;
  • Providing information on cyber risk mitigation;
  • Serving as the "Underwriters Laboratory" for cyber risks;
  • Development of an educational component encompassing the development of educational and instructional materials to provide students with a comprehensive education on cyber security matters;
  • Creation of a multilevel set of certifications granted for successful completion of educational courses; Provision of high quality continuing education for those with certifications;
  • Creation of a Federated Digital Identity to replace current use of PII for identity varication purposes, making PII valueless to hackers; and
  • A process for continuous tracking of cybersecurity risks.

Additionally, the NAIC is considering developing an Anti-Fraud Depository. The Depository would be a suspected/confirmed fraud database based on the collection of other types of fraud committed by more traditional means.