The National Association of Insurance Commissioners has now adopted twelve new regulatory guidance principles.
The National Association of Insurance Commissioners (NAIC) has recently announced its adoption of twelve Principles for Effective Cybersecurity Insurance Regulatory Guidance.
This is an important move from this standards-setting organization, which is made up of regulators from across the country.
These twelve cybersecurity insurance principles have come at a time when threats to the industry have been receiving a tremendous amount of attention, particularly following the Anthem data breach. That breach alone has underscored the vital importance of employing appropriate protection techniques when it comes to securing sensitive customer data within the insurance sector.
The NAIC has been working vigilantly to address the challenge of cybersecurity insurance.
Now, the organization has come up with a list of principles to give insurance regulators in every state in the country, as well as other participants in the industry, the guidance they require to properly secure sensitive financial, personal, and health care data. These principles have been written to offer a broad description of the guidelines, practices, and measures that state regulators, as well as the industry as a whole, should take to protect that customer information.
This guidance from the NAIC may also bring uniformity to the industry across the country, and it takes a risk-based approach to the regulations that state regulators put in place.
At present there are far too many forms of data protection regulation without the vital uniformity across industries and states. This situation imposes considerable compliance costs on businesses. Among the primary examples of this struggle are each state's laws regarding breach notification.
Several of the cybersecurity insurance principles are essentially a statement of common-sense guidelines for the treatment of sensitive personal data. For instance, Principle 2 says that “[c]onfidential and/or personally identifiable consumer information data that is collected, stored and transferred inside or outside of an insurer’s, insurance producer’s or other regulated entity’s network should be appropriately safeguarded.”