NAIC’s cyber principles prompt comment on the right road for regulators

By Erin Ayers on April 30, 2015


Signaling the importance of the issue, the National Association of Insurance Commissioners (NAIC), within the span of just over a month, drafted cybersecurity principles for all insurers to follow, sought comment on the proposal, and adopted a final version during its recent spring meeting. The actions followed a massive data breach at health insurer Anthem that was announced in January and quickly became the focus of a multi-state regulatory investigation.

Even with the limited time involved, interested stakeholders including insurers, trade groups, consumer advocates, and cyber-focused associations submitted over 100 pages of comments on the NAIC’s list of goals for insurers to aspire to when securing their systems. For some, the principles were far too specific; for others, the regulators didn’t go far enough to ensure that the insurance industry properly safeguards the data it collects and uses. The process also offered insurers a chance to point out flaws in the regulators’ thinking on issues such as encryption, joining information-sharing networks mainly meant for banks, and evaluating solvency for insurers writing cyber coverage.

Prior to the development of the principles, the NAIC had launched its Cybersecurity Task Force last November. While the task force has additional plans for the future, according to the NAIC’s president, Monica J. Lindeen, the approved principles “will serve as the foundation for protection of sensitive consumer information held by insurers as well as insurance producers and guide regulators who oversee the insurance industry.”

Lindeen, who serves as Montana’s insurance commissioner, noted, “The document identifies types of safeguards regulators expect insurers to have in place to protect consumers from cybersecurity breaches. The 12 principles adopted direct insurers, producers, and other regulated entities to join forces in identifying risks and adopting practical solutions to protect information entrusted to them. The guiding principles are intended to establish insurance regulatory guidance that promotes coordination and protects insurance consumers.”

A supplement to the principles will also seek information on cyber insurance currently being sold in the marketplace. The NAIC had floated the idea of enhancing solvency oversight for insurers writing cyber coverage, but several commenters, including regulators, felt existing solvency tools should suffice.

Evaluating Goals

Some commenters understood the need for the NAIC to formulate a stance on cybersecurity, but questioned the direction of the efforts. Representatives of the Property Casualty Insurers Association of America (PCI) noted, “While cybersecurity is certainly receiving a great deal of scrutiny as of late, it’s important to remember that both regulators and property and casualty insurers have been effectively managing their own cyber risk for quite a long time. What is needed now is not increased oversight of insurers’ own cybersecurity but rather measures designed to facilitate the ability of insurers to satisfy a rapidly increasing demand for cybersecurity insurance.”

According to PCI, a better path for regulators to take would be working with the industry to help develop the cyber insurance market and respond jointly to federal concerns on the issue.

And while speed to market is usually considered a benefit in the insurance world, some questioned the NAIC’s process on cybersecurity.

“Given the recent well-publicized breaches experienced by large companies, including insurers, it is not surprising to see the NAIC moving assertively in this area. However, the degree to which the NAIC seems to be accelerating efforts to quickly get something done is notable and potentially of concern … While we understand there is a sense of urgency surrounding cyber security issues, we nevertheless feel it is appropriate to make these observations and ask whether a rushed process could result in faulty policy,” stated Paul Tetrault, state and policy affairs counsel for the National Association of Mutual Insurance Companies (NAMIC).

However, from the perspective of consumer advocates, insurers should be held not only to high standards of safeguarding information, but also to explaining the type of data they collect.

“How is the consumer to protect themselves and family from the impact of identity theft when the collector (insurance companies) refuses or fails to provide complete and accurate detailed information on what their data files contain?” stated Sonja Larkin-Thorne, an NAIC-funded consumer representative. “The backdoor gathering of a consumer’s personal information by insurers and their business partners includes, but is not limited to, credit information, personal health data (yes, one personal lines auto carrier said this on a disclosure insert), town building permits and records, photos of homes and vehicles, employment information, dates of birth and driving records of the named insured and family members, bank accounts and credit card numbers for online internet payments; these are just a few examples.”

Some commenters felt the NAIC had taken the wrong tack entirely, with a group called The Council to Reduce Known Cyber Vulnerabilities commenting, “In general, we believe that the current focus by policy makers on post-cyber breach policies, as well as on information sharing misses the broader historical lessons learned by the insurance industry and government when presented with new technology and devices that bring great advancements, but also the potential to cause great harm.”

Citing the historic development and use of building codes and physical firewalls to prevent loss, the group called for leadership from the insurance industry in developing research laboratories for cyber risks and added, “The current situation when insurance policies focus on payouts associated with events after the breach – such as notification costs, credit card replacement costs – must give way to insurance policies that insure against the billions of dollars lost from cyber breaches. This means that meaningful data about how to underwrite policies for specific businesses must be in hand, and trusted neutral entities must exist to gather and analyze such data, as well as to make their findings public through ratings or a ‘Cyber Labs’ seal of approval.”

The NAIC’s principles were pared down in some areas from the proposal draft to the final one, but in one case, the group expanded its original language. One principle suggested that cybersecurity efforts should be tailored to the “resources” of the individual insurer, broker, or producer, leading many commenters to warn that this would open the door to businesses bypassing safeguards altogether on the basis of cost. The new language affirms that “a minimum set of cybersecurity standards must be in place for all insurers and insurance producers that are physically connected to the Internet and/or other public data networks, regardless of size and scope of operations.”

erin.ayers@zywave.com

Erin is the managing editor of Advisen’s Front Page News. She has been covering property-casualty insurance since 2000. Previously, Erin served as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at erin.ayers@zywave.com.