Cybersecurity is an issue of growing importance for insurers as well as society in general. Insurers encounter cybersecurity issues in a variety of ways. Like all members of the interconnected business community, insurers are potential targets because they hold consumers' personal information. They therefore have an obligation to take steps to protect that information and, by insuring cyber risk, to play a role in shaping how society responds to its growing exposure to that risk.
The economic vitality and national security of the United States depend on a stable, safe, and resilient cyberspace. Individuals and businesses rely on a vast and interconnected array of networks for power, communications, financial services, transportation, and health, in addition to the provision of government services. Almost every aspect of 21st-century life is directly affected or threatened by cyber criminals and terrorists.
The 114th Congress passed legislation incentivizing the sharing of cyber-threat information between the private sector and the federal government. The main provision in the bill, called the Cybersecurity Information Sharing Act (CISA), provides protections from liability, non-waiver of privilege, and protections from Freedom of Information Act disclosure to encourage companies to voluntarily share information (specifically, information about “cyber threat indicators” and “defensive measures”) with the federal government, state and local governments, and other companies and private entities. To qualify for these protections, the information shared must meet strict requirements, such as the removal of personal information.
NAMIC supports federal activity that would help improve the nation’s ability to withstand cyber-attacks through threat information-sharing. Any information-sharing requirements should not be overly burdensome, and any security standards must be technologically neutral and based on outcomes.
In 2014, the NAIC formed a Cybersecurity Task Force to undertake an ambitious agenda of work products, following the disclosure of a massive security breach at the health insurer Anthem. The Task Force developed a set of regulatory principles, proposed a “Bill of Rights” for consumers, and set out to develop a model law addressing data security issues for insurers and other regulated entities. The Task Force also enhanced financial exam standards to focus on cybersecurity issues and developed a supplement to the annual statement to collect information on insurers’ writing of cybersecurity insurance.
The NAIC Cybersecurity Task Force's development of both data security standards and security breach protocol measures has involved addressing many issues, including: 1) the breadth of the definitions of personal information and of a cybersecurity breach event; 2) the inclusion of a harm trigger to determine when notice to regulators and consumers is required; and 3) the obligation to ensure proper measures and practices of third-party service providers.
NAMIC has engaged in every initiative undertaken by the Cybersecurity Task Force by continually stressing the need for regulatory measures to be risk-based and scalable to match the needs and abilities of entities of varying size and complexity, and to be workable from a compliance perspective.
Understanding the Evolving Cybersecurity Standards Landscape for Insurers
The amazing benefits of a technologically advanced and interconnected society have not been attained without the price of sobering exposure to substantial and even potentially catastrophic harm. The headlines regularly convey the latest security breaches, typically involving increasing volumes of a variety of information being accessed or stolen, affecting a larger number of individuals as potential victims. Unsurprisingly, the insurance industry, given its role in supporting risk management by businesses and individuals, has not been immune in...