The National Association of Insurance Commissioners (NAIC) Cybersecurity Task Force just adopted regulatory guidance on cybersecurity. This guidance for regulators comes in the form of 12 “Principles for Effective Cybersecurity” designed to promote uniformity in an industry regulated by the states. Most of the principles are standard issue stuff: regulators must ensure protection for PII collected, stored, or shared by regulated entities; their regulations should be risk-based and should consider the resources available to the regulated entity; regulatory oversight and enforcement are required; and incident response planning and vendor management are necessary components of cybersecurity efforts.
The Principles were derived from and resemble the Principles for Effective Cybersecurity Regulatory Guidance promulgated by the Securities Industry and Financial Markets Association (SIFMA). Like the SIFMA principles, they call for guidance to be predicated on the National Institute of Standards and Technology’s (NIST’s) framework and to be flexible, scalable, and practical.
An earlier draft had 18 principles. The reduction to 12 involves some consolidation, but it also drops two principles from the earlier draft: one that provided that sensitive information should be encrypted, and one that would have subjected sellers of cyber insurance to additional oversight and data collection requirements.