NAIC Releases Regulatory Guidance To Help Protect Consumer Data
April 27, 2015 in News
The National Association of Insurance Commissioners’ Cybersecurity Task Force has adopted 12 principles for effective cybersecurity regulation, indicating that health insurers will face more stringent scrutiny over how they guard consumer data, Modern Healthcare reports.
NAIC issued the principles in response to large data breaches among health insurers — including Anthem and Premera Blue Cross — that affected more than 90 million people (Herman, Modern Healthcare, 4/25).
Details of Principles
The principles state that:
- Cybersecurity regulatory guidance should be flexible and scalable for insurers and insurance producers;
- Cybersecurity risks should be addressed and incorporated during insurers’ enterprise risk management processes;
- Insurers should provide periodic training on cybersecurity issues for employees;
- Insurers should use an information-sharing and analysis organization to share data and remain informed of possible threats and vulnerabilities;
- Internal audit findings regarding IT that could present a material risk to insurers should be reviewed with the company’s board of directors or other appropriate committees;
- Personally identifiable and confidential data that are collected, stored and transferred should be adequately protected;
- Regulatory guidance should be risk-based and consider insurers’ resources;
- State regulators are responsible for making sure personally identifiable consumer data held by insurers are protected;
- State regulators are responsible for protecting personally identifiable and confidential data that are collected, stored and transferred outside of the NAIC or an insurance department;
- State regulators and insurers should have incident response plans;
- State regulators should provide oversight including but not limited to risk-based financial assessments and/or market conduct assessments related to cybersecurity; and
- State regulators and insurers should work to make sure third parties and service providers also have cybersecurity controls in place (NAIC principles, 4/16).
The guidance is intended to:
- Ensure that insurers have the appropriate security features to protect data against cyberattacks; and
- Help state regulators hold insurance companies accountable (Modern Healthcare, 4/25).
Cynthia Borrelli — an attorney at Bressler, Amery & Ross — said that the principles could result in additional hurdles for health insurers, as well as higher costs and fines. However, she added that the guidance also could force insurers to take protecting consumer data more seriously.
Meanwhile, other observers said the principles will not prevent cyberattacks.
Daniel Marvin, a cybersecurity lawyer at Stern Montana, said, “There is no way to stop a data breach. Hackers are smart, they are well-funded and they are relentless. You really can’t build a firewall high enough to keep them out” (Modern Healthcare, 4/25).