Insurance and Its Regulatory Burden
Insurance firms face cybersecurity regulation at both the state and national level, along with extensive security expectations from the banks that do business with them. Adding more complication, state-level security regulations are mostly similar to one another, but they are not the same across all jurisdictions.
Insurance firms are regulated first and foremost by state insurance commissioners, and the National Association of Insurance Commissioners (NAIC) has adopted an Insurance Data Security Model Law. Each state can now implement that model law as it sees fit, including departing from the model text.
The NAIC model security law lists 13 pieces of information firms would need to report to state insurance regulators after a breach, down to details such as how the breach was discovered and whether a police report was filed.
Large insurance firms almost inevitably also do business in the state of New York, so they must comply with the New York Department of Financial Services' cybersecurity regulation, known as Part 500. The DFS rule requires encryption of nonpublic information, access controls, and penetration testing and vulnerability assessments; a written incident response plan; and an annual certification of compliance signed by a senior officer.
And like any other large business that handles personal information, insurers face the usual data-protection requirements under rules such as HIPAA (for health-related data), the GDPR (for data on EU residents), the Gramm-Leach-Bliley Act, and state consumer protection laws.
Compliance Objective
Frameworks do exist to help insurance firms meet those regulatory demands. Given the overlapping thicket of regulations that apply to the sector, a strong ability to perform risk assessments and track remediation is critical. For example, companies need to:
Assess their breach detection capabilities and their breach notification responsibilities in each jurisdiction.
Develop documentation and assurance mechanisms so senior officers certifying compliance can do so with confidence.
Ensure that remediation tasks are assigned and executed on a timely basis.
Identify security gaps they must fill to meet regulatory requirements.
Monitor the third parties that have access to confidential data, and assess their security postures.
Understand and respond to any new regulations that emerge.