Processes and approaches for NAIC’s 12 principles …

The NAIC’s adoption of the Principles for Effective Cybersecurity Insurance Regulatory Guidance introduces a set of framework attributes which may soon be required under state regulators’ ORSA guidance. The NAIC has stated that, “due to ever-increasing cybersecurity issues, it has become clear that it is vital for state insurance regulators to provide effective cybersecurity guidance regarding the protection of the insurance sector’s data security and infrastructure.”

The NAIC emphasizes that the “insurance industry looks to state insurance regulators to aid in the identification of uniform standards, to promote accountability across the entire insurance sector, and to provide access to essential information”.
In this post, we describe practical ways to implement a cybersecurity framework whose primary goal is to add tangible value to the organization, with meeting the NAIC’s goals as a resulting benefit or “corollary”.
We address each of the NAIC principles in turn and outline processes and approaches that meet these goals while providing tangible value to the insurer.


PRINCIPLE 1: Insurers must ensure that personally identifiable consumer information is protected from cybersecurity risks. Insurance companies must have systems in place to alert consumers in a timely manner in the event of a cybersecurity breach.

  • A best-practice approach is to take a “business back” view: start from the business value chain and identify the aspects of regular, continued operations that are most critical.
  • This view highlights the parts of the business model that are crucial to achieving business goals and to delivering products or services effectively.
  • Because the guidance focuses on the defensive protection of sensitive information, it is also necessary to take a bottom-up view and work with the CISO function to identify and mitigate the threats to personally identifiable consumer information in a manner that aligns with corporate culture, resources and strategic objectives.
  • It is essential to consider the human element, which includes vulnerabilities that exist due to potential deviations from policy and protocol, whether out of convenience or lack of awareness.
  • Proper training is crucial to develop a risk-aware mindset that is aligned with strategic vision and short-term goals.
  • A clearly communicated and robust framework must be put in place to manage business-continuity and disaster-recovery events.


PRINCIPLE 2: Confidential and/or personally identifiable consumer information data that is collected, stored and transferred inside or outside of an insurer’s, insurance producer’s or other regulated entity’s network should be appropriately safeguarded.

  • Ideally, an enterprise risk management (ERM) framework is put in place that includes rigorous third-party risk-management practices and enables coordination with the compliance, privacy and legal functions within the organization.
  • In many cases, it is difficult even to produce an inventory of the information assets that must be protected. An effective approach is to combine bottom-up and top-down organizational intelligence to identify how, when and where such sensitive data is collected and used. Those involved in business generation and in the use of customer data will provide one view of the critical exposures, while the IT function will address the issue from the point of view of the servers, databases and networks (and their associated vulnerabilities) that hold this information.
  • A comprehensive and robust third-party and vendor risk-management framework must be implemented to identify business-unit and enterprise exposures, concentration of risk, and correlations.
  • Third-party risk management should assess risks specific to the relevant business and vendor but also incorporate indicators of general country and industry risk levels.


PRINCIPLE 3: Insurers have a responsibility to protect information that is collected, stored and transferred inside or outside of the organization. This information includes insurers’ or insurance producers’ confidential information, as well as personally identifiable consumer information. In the event of a breach, those affected should be alerted in a timely manner.

  • To a large extent, this responsibility is addressed under the recommendations for Principle 2, above, but it is also essential to incorporate a formal business-continuity, disaster-recovery, and crisis-communication protocol.
  • A policy should be put in place that articulates roles and responsibilities in the event of a breach, including a timeline and set of action steps to ensure prompt notification.


See also: Insurance Nexus Global Trend Map #12: Cybersecurity


PRINCIPLE 4: Cybersecurity regulatory guidance for insurers and insurance producers must be flexible, scalable, practical and consistent with nationally recognized efforts such as those embodied in the National Institute of Standards and Technology (NIST) framework.

  • The NIST framework allows for a flexible approach to implementation; an organization should leverage its current and effective processes to meet this standard.
  • When a customized approach meets all the NIST goals, but in a potentially different manner, the company should provide a mapping of NIST objectives to its cyber-risk management framework, as an aid to external stakeholders.


PRINCIPLE 5: Regulatory guidance must be risk-based and must consider the resources of the insurer or insurance producer, with the caveat that a minimum set of cybersecurity standards must be in place for all insurers and insurance producers that are physically connected to the Internet and/or other public data networks, regardless of size and scope of operations.

  • As with the expectations of an ERM framework, an early and critical question is “what are the organization’s risk exposures?”; this question must be answered in the context of the company itself, any third-parties, customers, and other stakeholders including investors, regulators, ratings agencies, and the Board of Directors.
  • When feasible, risk exposures should be quantified in dollar terms or in other metrics that the organization already uses to make business decisions (e.g., earnings, capital, return on equity).


PRINCIPLE 6 states that insurance regulators should provide appropriate regulatory oversight, which includes, but is not limited to, conducting risk-based financial examinations and/or market-conduct examinations regarding cybersecurity. The premise of this exposition is that insurers will naturally be prepared to respond to requests under these examinations. No special preparations will be required, provided that the risk framework is robust, comprehensive and properly documented.


PRINCIPLE 7 indicates that planning for incident response by insurers, insurance producers, other regulated entities and state insurance regulators is an essential component of an effective cybersecurity program. As with Principle 6, this planning and preparedness will be a consequence of the overall value-adding approach outlined here.


  • This principle is addressed by the third-party risk-management program, including effective vendor due diligence and ongoing monitoring.
  • It is important to have a mechanism to assess exposures to third parties in the aggregate, and not merely on a business-unit or service-specific basis.
  • An organization must assess the risks it inherits from its third parties; a company can suffer substantial economic impact and reputational damage from the malfeasance of its business partners.


PRINCIPLES 8-10 are addressed by the value-added approach described above and are stated, respectively, as follows:

  • Insurers, insurance producers, other regulated entities and state insurance regulators should take appropriate steps to ensure that third parties and service providers have controls in place to protect personally identifiable information.  
  • Cybersecurity risks should be incorporated and addressed as part of an insurer’s or an insurance producer’s enterprise risk management (ERM) process. Cybersecurity transcends the information technology department and must include all facets of an organization.
  • Information-technology internal audit findings that present a material risk to an insurer should be reviewed with the insurer’s board of directors or appropriate committee thereof.




PRINCIPLE 11: It is essential for insurers and insurance producers to use an information-sharing and analysis organization (ISAO) to share information and stay informed regarding emerging threats or vulnerabilities, as well as physical threat-intelligence analysis and sharing.

  • Rather than reinvent the wheel, it is often effective and economical to adopt industry standards and best practices.  Methods and processes can often be adapted from sector peers or, in some cases, from organizations in a separate sector.
  • This type of information sharing is often a means toward cyber-risk-management benchmarking and is nearly always of interest to members of the Board.


PRINCIPLE 12: Periodic and timely training, paired with an assessment, for employees of insurers regarding cybersecurity issues is essential.

  • As with ERM, culture and organizational awareness are essential if risk management is to be more than a document or a set of policies.
  • A highly effective approach is to link the security of data and information to business goals and long-term company value; any perceived distinction between what is “good for the company” and the protection of customer and client information must be shown to be a fallacy.

