Cybersecurity regulatory guidance for the insurance sector
Summary
Recognizing the need for better cybersecurity in the insurance sector, the National Association of Insurance
Commissioners (NAIC) recently published “Principles for Effective Cybersecurity: Insurance Regulators
Guidance.” The NAIC document provides best practices for insurance regulators and companies, focusing on
the protection of the sector’s infrastructure and data from cyber-attacks.
After outlining below the NAIC’s guidance for state regulators and insurance providers, we focus on what the
insurance sector should expect to see in the coming year. Specifically, we discuss the following seven changes
we anticipate:
1. An increase in cybersecurity regulations;
2. A focus on consumer privacy;
3. An increase in cybersecurity spending;
4. The growing importance of cybersecurity information-sharing and analysis groups;
5. The Board’s and management’s involvement in cybersecurity;
6. The increased need to manage third-party risks; and
7. The link between cybersecurity and risk management.
It’s important to note that the NAIC’s action was unsurprising. High-profile data breaches at several health
insurance providers exposed data on 90 million consumers [1], revealing the industry’s vulnerability. Thus far,
US banks and payment processors have led the way on cybersecurity, both because they have been frequent
targets of cyber-attacks and because of strong regulatory enforcement (e.g., FFIEC, GLBA, and PCI DSS). It’s
time for insurance companies to play catch-up, and the NAIC is spurring them on.
Background
The NAIC is the standard-setting and regulatory-support organization created and governed by the chief
insurance regulators from the 50 states, the District of Columbia, and five US territories. While the NAIC
represents these regulators’ collective views, individual state and territorial regulators oversee the practices of
the insurance companies within their jurisdictions. Only a few states (e.g., New York, California, and
Massachusetts) have actually enacted data protection laws that apply to the insurance sector. With no central
regulator defining industry standards and no uniform set of requirements, most individual regulators have been
left to their own devices when it comes to cybersecurity practices. Consequently, regulators have on the whole
applied different standards when examining cybersecurity practices, and cybersecurity requirements vary from
state to state.
The NAIC became involved in order to help both insurance regulators and companies. Specifically, it
conducted a multi-state examination of a breached insurer’s cybersecurity practices and determined what
actions the company could have taken to minimize its data loss. It then published two documents related to
cybersecurity:
Principles of Cybersecurity – Created by the NAIC’s Cybersecurity Task Force (formed in November
2014), the document is intended to (a) help insurance regulators identify cybersecurity risks and
communicate a uniform set of control requirements to their covered entities, and (b) promote
cooperation between regulators and the insurance industry in identifying and addressing cybersecurity
risks. It applies to state regulators (“Insurance Regulators”) and to insurers, insurance producers, and
other regulated entities (“Covered Entities”); and
Annual Statement Supplement for Cybersecurity – The NAIC’s Property and Casualty Insurance
Committee created this document to establish reporting requirements for insurers that provide cyber
insurance coverage. Specifically, it requires insurers to report the range of limits offered on cyber
insurance policies (both stand-alone and commercial multi-peril packages), losses paid under each policy,
earned premiums, whether policies are claims-made policies, and whether tail coverage is offered.
[1] Jose Pagliery, CNN Money. Premera health insurance hack hits 11 million people. March 17, 2015. Available at:
http://money.cnn.com/2015/03/17/technology/security/premera-hack/
Principles of cybersecurity
The following summarizes the NAIC guidance for each type of entity:
Insurance Regulators
1. Should ensure that confidential and personally identifiable information (PII) held by covered entities is
protected from cybersecurity risks.
2. Should mandate that insurance providers have systems in place to alert consumers in a timely manner of
cybersecurity breaches. Insurance regulators should collaborate with insurers, insurance producers, and the
federal government to achieve a consistent, coordinated approach.
3. Should protect covered entities’ confidential information and PII that is collected, stored, and transferred
inside or outside of an insurance department or at the NAIC. In the event of a breach, those affected should
be alerted in a timely manner.
4. Should deliver flexible, scalable, and practical cybersecurity regulatory guidance for covered entities that
is consistent with nationally recognized efforts such as those embodied in the National Institute of Standards
and Technology (NIST) Cybersecurity Framework.
5. Regulatory guidance should be risk-based and consider the resources of the covered entities, with the
caveat that a minimum set of cybersecurity standards must be in place for all covered entities that are
physically connected to the Internet, regardless of size and scope of operations.
6. Should provide appropriate regulatory oversight, including (but not limited to) conducting risk-based
financial examinations and/or market conduct examinations regarding cybersecurity.
Covered Entities
1. Customer PII that is collected, stored, and transferred inside or outside of a covered entity’s network
should be appropriately safeguarded.
2. Should implement incident response planning activities as part of the cybersecurity program, including
conducting cyber incident response tabletop exercises.
3. Should take appropriate steps to ensure that third parties and service providers have controls in place to
protect PII. This may include third-party assessments to understand service providers’ current control
environments.
4. Cybersecurity risks should be incorporated and addressed as part of the enterprise risk management
process. Cybersecurity transcends the information technology department and must include all facets of an
organization.
5. A board of directors or its appropriate committee should review information technology audit findings
that present a material risk to the organization.
6. Should participate in an information-sharing and analysis group to share information and stay informed
regarding emerging threats or vulnerabilities.
7. Periodic and timely training, paired with an assessment, should be considered an essential component of
all cybersecurity programs.
What should insurance companies expect?
Over the next few years, we anticipate many changes in the insurance sector related to cybersecurity. The
following are some of the major changes we expect:
1. Increase in Cybersecurity Regulations – According to PwC’s recently released The Global State of
Information Security Survey™, cybersecurity regulation within the Financial Services industry is only
expected to increase in 2015 and beyond [2]. Based on the NAIC’s guidance, we expect the various US
states and their insurance regulators to pass cybersecurity regulations to ensure that covered entities
have adequate controls in place to protect consumer PII. Covered entities will be required to
demonstrate resilience to cyber-attacks, including malware attacks, insider threats, data corruption and
destruction, and denial-of-service attacks.
2. Focus on Consumer Privacy – In addition to cybersecurity regulations, Covered Entities will be
expected to comply with privacy regulations. The Consumer Privacy Bill of Rights, which the Obama
administration proposed, includes provisions mandating transparency, individual control, respect for
context, focused collection and responsible use, security, access and accuracy, and accountability. If
passed into law, the Consumer Privacy Bill of Rights would require covered entities to provide
transparent descriptions of their data collection practices, and to limit how and what data they collect.
Additionally, global data privacy laws, such as the European Union’s proposed General Data Protection
Regulation, increase the compliance obligations of US insurance companies doing business globally.
3. Increase in Security Spending – In order to implement adequate controls and comply with the
regulatory requirements, covered entities will increase their cybersecurity spending. According to the
New York State Department of Financial Services (NYDFS) study “Report on Cyber Security in the
Insurance Sector”, released in February 2015, 86% of insurers expect their security budgets to increase
in the next three years. The study also noted that only 51% of insurers had budgeted for cybersecurity
incidents [3].
4. Importance of Information-Sharing Organizations – Information-sharing will be an essential part of
insurance companies’ cybersecurity strategies. We expect to see more insurance companies join
Information Sharing and Analysis Centers (ISACs), such as FS-ISAC, or the recently announced
insurance Information Sharing and Analysis Organization (ISAO).
5. Board and Management Involvement – In order for organizations to better address cybersecurity
threats and regulatory guidance, we anticipate a push to increase senior management and board
involvement in cybersecurity issues and decision-making. According to the NYDFS Study, only 30% of
boards of directors receive updates on cybersecurity issues on a quarterly basis.
6. Managing Third-Party Risks – Concerns will grow around third-party risks and potential cybersecurity
threats that can arise when sharing networks with business partners. Covered entities will be expected
to demonstrate adequate oversight of their service provider relationships.
7. Link between Cybersecurity and Risk – As cybersecurity incidents continue to proliferate,
organizations must reposition their security strategies to align closely with their broader risk-
management activities.
[2] PwC, The Global State of Information Security Survey. http://www.pwc.com/gx/en/consulting-services/information-security-survey/
[3] NYDFS, Report on Cyber Security in the Insurance Sector, February 2015. http://www.dfs.ny.gov/reportpub/dfs_cyber_insurance_report_022015.pdf
Contacts
Joseph Nocera
(312) 298-2745
joseph.nocera@pwc.com
Christopher Morris
(617) 530-7938
christopher.morris@pwc.com
Shawn Connors
(646) 471-7278
shawn.joseph.connors@pwc.com
Scott Dillman
(646) 471-5764
scott.dillman@pwc.com
Andrew Toner
(646) 471-8327
andrew.toner@pwc.com
Prakash Venkata
(617) 530-7622
prakash.venkata@pwc.com
David Roath
(646) 471-5876
david.roath@us.pwc.com
Contributors: Harish Siripurapu, Christopher Almaraz