The NAIC adapted the following principles from the Securities Industry and Financial Market Association’s “Principles for Effective Cybersecurity Regulatory Guidance.”
Here are seven of the key guidelines.
- State insurance regulators have the responsibility to ensure personally identifiable consumer information is protected from cybersecurity risks, and they should mandate entities have systems to alert consumers in a timely manner in the event of a breach.
- Regulatory guidance for insurers regarding cybersecurity should be “flexible, scalable, practical and consistent” with nationally recognized frameworks and standards.
- Regulatory guidance should take into consideration the resources available to the insurer, while maintaining a minimum standard.
- Incident response planning is critical to an effective cybersecurity program.
- Cybersecurity risks should be included in insurers’ enterprise risk management processes and should cover all elements of an organization, not just the IT department.
- Insurers should use information sharing and analysis organizations to remain informed of threats or vulnerabilities.
- Periodic training and assessments are essential to cybersecurity programs.
The full list of 12 principles is available from the NAIC.