Insurance regulators set goals for cyber security rules
Cyber security regulatory guidance for insurers and insurance producers must be flexible, according to principles issued by the National Association of Insurance Commissioners.
The 12 principles, announced Friday, “will serve as the foundation for protection of sensitive consumer information held by insurers as well as insurance producers and guide regulators who oversee the insurance industry,” said NAIC President Monica J. Lindeen in a statement. Ms. Lindeen also serves as Montana commissioner of securities and insurance.
Among other things, cyber security regulatory guidance should also be “scalable, practical and consistent with nationally recognized efforts such as those embodied in the National Institute of Standards and Technology,” according to the principles, which were adopted by the insurance regulatory group's Cybersecurity Task Force.
The principles also hold that cyber security risks should be incorporated and addressed as part of underwriters' or producers' enterprise risk management process. “Cyber security transcends the information technology department and must include all facets of an organization,” according to the NAIC.
In addition, the principles say that regulatory guidance must be risk-based “and must consider the resources of the insurer or insurance producer.” The NAIC adds, however, that a minimum set of cyber security standards must be in place for “all insurers and insurance producers that are physically connected to the Internet and/or other public data networks, regardless of size and scope of operations.”