The NAIC takes on cybersecurity

The subject of cybersecurity risks, which the National Association of Insurance Commissioners' Chief Security and Information Officer Frosty Mohn presented at NAIC's Insurance Summit in Kansas City, MO last week, has taken on greater significance as consumer financial and health information is increasingly being stored in electronic form. Cyber risks include identity theft or inadvertent disclosure; theft of digital assets, such as customer lists and trade secrets; business interruption from a network shutdown; introduction of malware; and damage to a business's reputation. In response to these relatively new risks, insurance regulators have begun urging businesses to secure cyber-liability insurance and pressing insureds to shore up their defenses against cyber attacks.

In April 2015, the NAIC's Cybersecurity (EX) Task Force adopted and issued 12 Principles for Effective Cybersecurity: Insurance Regulatory Guidance. The NAIC Guidance encouraged insurers and regulators to join forces in identifying risks and adopting practical solutions to protect the critical information entrusted to them.

The Task Force also developed the NAIC Roadmap for Cybersecurity Consumer Protections (Roadmap), which was adopted by the NAIC Executive (EX) Committee at the end of 2015. The NAIC Roadmap details what protections the NAIC believes consumers are entitled to expect from insurance companies, agents and other businesses following a data breach.

To gather financial performance information about insurers writing cyber-liability coverage, the Task Force has also worked with the NAIC's Property and Casualty Insurance (C) Committee and Financial Condition (E) Committee to develop a "Cybersecurity and Identity Theft Coverage Supplement" to be included with insurer financial statements.

The NAIC also recommends that businesses secure a cyber-liability policy, noting that most standard commercial policies do not cover many of the cyber risks noted above. But cyber risks remain difficult for underwriters to quantify. The lack of actuarial data requires that insurers qualitatively assess the business's risk management procedures and culture, and insurers writing such coverage will want to know the business's risk-management techniques for protecting its network and assets, its antivirus and anti-malware software, how its employees and others are able to access data systems, and its data breach response plan.

Because cyber-risk policies are more customized than policies covering many other types of risk that insurers take on, they tend to be more costly. Such policies might include one or more of the following types of coverage: liability for security or privacy breaches; the costs associated with a privacy breach, such as consumer notification, customer support and costs of providing credit monitoring services to affected consumers; and the costs associated with business interruption.

The NAIC, insurance companies and the world at large are becoming increasingly aware of the importance of cybersecurity issues. We will continue to stay at the forefront of these changes and publish updates as they arise.

Contact the author of this article, Lisa A. Gilbreath.

ICYMI...

Noteworthy links from the past two weeks

General

  • An environmental advocacy group claimed the insurance industry is overly exposed to energy investments that may be negatively impacted by climate change [Bloomberg]
  • Federal Reserve Governor Tarullo discussed upcoming risk-based capital rules for Systemically Important Financial Institutions [Law360, Business Insurance, Reactions]

Property and Casualty

  • The Federal Emergency Management Agency announced changes to the National Flood Insurance Program in response to Sandy [Wall Street Journal]
  • The usage-based auto insurance business continued to grow [Insurance Journal]

Life and Health

  • Minnesota sued some life insurers over unclaimed benefits [CBS Minnesota]
  • The Supreme Court punted on its Affordable Care Act contraception case [The New York Times]

The IREG Update is edited by Matt Gaul

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.
