NAIC Update – Spring 2015

The National Association of Insurance Commissioners (NAIC) held its first national meeting for 2015 in Phoenix, Arizona, from March 26 through March 31. Noteworthy new initiatives include cybersecurity, price optimization and the development of a model law for unclaimed life insurance benefits. Other important topics we follow that continue to receive regulatory attention are life reinsurance captives, Own Risk and Solvency Assessment (ORSA) implementation, principle-based reserving, credit for reinsurance, contingent deferred annuities, private equity, corporate governance and international capital standards.

The following are notable highlights of the meeting, along with a summary of subsequent actions taken by the NAIC following the meeting:

A. New Issues of Note

1. Cybersecurity

The Cybersecurity (EX) Task Force held its first public meeting in Phoenix. Commissioner Adam Hamm (North Dakota), Chair of the Task Force, began the meeting with an overview of the Task Force’s work plan. The plan includes: (i) issuance of a survey to states on cybersecurity measures; (ii) development of a “Consumer Bill of Rights” to inform consumers of their rights when a data breach has occurred; (iii) staying abreast of information-sharing measures; and (iv) working on certain NAIC model laws, such as the Health Information Privacy Model Act (Model 55), the Privacy of Consumer Financial and Health Information Regulation (Model 672), the Standards for Safeguarding Customer Information Model Regulation (Model 673) and the Insurance Fraud Prevention Model Act (Model 680).

Echoing remarks he made earlier this month, Superintendent Benjamin Lawsky (New York) added that the Task Force will look at multifactor authentication and encryption of data at rest. He also noted that the Task Force will look at regulated entities’ vendor practices, commenting that a company’s cybersecurity is only as good as its worst vendor.

Patrick McNaughton (Washington) provided an overview of the IT Examination (E) Working Group of the Examination Oversight (E) Task Force. Mr. McNaughton, who has served as Chair of the Working Group for nine years, noted that the NAIC’s Financial Condition Examiners Handbook has had a section on IT examinations for 20 years. He noted that every state is required to use certified experts in IT to review data control systems during financial examinations, which is an accreditation requirement for multistate examinations. He also explained the differences between what examiners and security consulting firms do: examiners make sure that the regulated companies hire the right kinds of firms to do the right kinds of audits and testing, while the security firms hired by the regulated entity actually audit and engage in penetration testing.

The Task Force concluded its meeting by receiving comments on its proposed Principles for Effective Cyber Security Insurance Regulatory Guidance. Specifically, there was significant discussion regarding whether a principle should be included that provides for cybersecurity regulatory guidance consistent with the National Institute of Standards and Technology (NIST) framework. Several interested persons noted that the NIST should not be the only standard considered, and instead urged consideration of multiple standards.

In an April 16 conference call, the Task Force formally adopted a shortened list of Principles for Effective Cyber Security Insurance Regulatory Guidance (Principles). Despite the comments received regarding the NIST framework, the Principles reference only the NIST framework as a guiding principle for industry compliance. Superintendent Joseph Torti III (Rhode Island) commented that the NIST Framework will be incorporated into the NAIC’s Financial Condition Examiners Handbook.

The adopted Principles recognize the need for incident response planning, vendor and service provider controls, employee training, timely breach notification, information sharing regarding emerging threats and vulnerabilities, and the engagement of the Board of Directors (or a committee thereof) to review any findings of material risk to a company resulting from an internal audit of a company’s information technology. The Principles also call for incorporation of cybersecurity in a company’s Enterprise Risk Management (ERM) process. In addition, the Principles recognize that state insurance regulators have an obligation to protect all confidential information that they or the NAIC collect, store or transfer and that all affected parties should be timely notified in the event of a breach.

View the Full Legal Alert.