NAIC Working Group Exposes Revisions to Incorporate Cybersecurity Considerations into Financial Conditions Examiners Handbook

In an effort to set cybersecurity readiness standards for the insurance industry, the National Association of Insurance Commissioners (NAIC) IT Examination (E) Working Group (“Working Group”) has exposed revisions to incorporate Cybersecurity Considerations (“Considerations”) into the NAIC Financial Conditions Examiners Handbook (“Handbook”).  The Considerations instruct examiners to assess whether an insurer has proper procedures in place to manage cybersecurity risks, including:

• Identification.  Insurers should devote resources to the identification of cybersecurity risks and conduct a cybersecurity risk assessment process that includes some amount of management and/or board involvement, as well as a sufficient level of technical expertise to ensure that issues are well understood and receive an appropriate response. Board members should be aware of how the company monitors, assesses and responds to cybersecurity risks.

• Prevention.  A robust prevention strategy should (a) include a combination of strong policies, system and network access controls, and data security protection; (b) address risks presented by third-party access to network information; and (c) include employee training that details risk-prevention objectives and the importance of an employee’s assigned responsibilities.

• Detection.  Insurers should have a strong set of detective controls that enable timely identification and mitigation of threats, that may include anti-virus and anti-malware software, as well as network monitoring.

• Response and Recovery.  Insurers should have an incident response plan that may leverage concepts from the insurer’s broader disaster recovery plan, but may also require unique considerations since recovering from a cybersecurity incident involves consideration of an IT-specific event.  The plan should include procedures for performing a forensic investigation of a security incident or crime.   It is vital that all personnel that have been assigned disaster recovery duties have the necessary background and training to perform such duties.

Comments about the Considerations are due to Miguel Romero at maromero@naic.org by August 3, 2015.  The Working Group will consider submitted comments during a conference call on August 6, 2015 at 2:00 p.m. ET.  Once the Working Group finalizes the Considerations, they will be adopted into the Handbook.