How a vCISO can help you meet NAIC rule requirements

Oct 23, 2023

Data security standards in the U.S. insurance industry took a major leap forward with the 2017 release of the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law. The law serves as a blueprint for state-level laws regulating insurance companies, in response to federal calls for regulatory oversight.

At least 22 states have since enacted a version of the law, which applies to licensees of the state insurance agency. These include insurance industry companies, agencies, agents, public adjusters and brokers.

Under the NAIC model law, the regulations apply to insurers with 10 employees or more, although some states have softened that requirement.

Depending on the nature and scope of their activities, licensees must develop, implement and maintain a comprehensive written information security program (ISP). The program must be based on a risk assessment that assesses the administrative, technical and physical safeguards for the protection of nonpublic information and the licensee’s information system.

Given the complexity of this work, many organizations may be facing challenges with implementation due to budget constraints and the overall shortage of cybersecurity professionals.

The need to assess and manage risk

Risk assessment and risk management processes are foundational parts of any information security program under the law.

Whether it’s handled by one or more employees, an affiliate or an outside vendor designated to act on behalf of the licensee, it’s imperative to identify “reasonably foreseeable internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration or destruction of nonpublic information,” according to the provisions of the model law.

This includes systems and information held by or accessible to third-party service providers.

After completing the risk assessment, a risk management program should identify and adapt appropriate security measures. These include:

  • Placing access controls on information systems to authenticate and permit access only to authorized individuals to protect against the unauthorized acquisition of nonpublic information.
  • Identifying and managing the data, personnel, devices, systems and facilities that enable the organization to balance business objectives and the organization’s risk strategy.
  • Restricting access at physical locations containing nonpublic information to authorized individuals.
  • Protecting by encryption, or other appropriate means, all nonpublic information being transmitted over an external network, laptop or mobile device.

Overseeing third-party provider arrangements

Another key component is overseeing third-party service provider arrangements, which requires licensees to implement appropriate administrative, technical and physical measures to protect and secure information systems and nonpublic information that are accessible to or held by a third-party provider.

  • Take inventory of all of your third-party providers, noting those most central to your mission.
  • Assess the sensitivity of the data that they either maintain for you or have access to.

Incident response plan

Licensees need to be prepared in the event that a data breach or other critical incident occurs. The law calls for a written incident response plan to be in effect to respond promptly to any event that might occur. It is not acceptable to wait until an attack occurs to devise a process.

The plan needs to define clear roles and responsibilities of those in authority and include steps for sharing information through internal and external communications.

The vCISO solution

Compliance with the wide-ranging elements of the law can be challenging for many organizations, especially smaller ones with limited resources.

For organizations without an in-house cybersecurity leader equipped to define, develop and monitor the ISP, the solution may be a fractional arrangement. A virtual chief information security officer (vCISO) may be the answer.

A vCISO’s “fractional ownership” model gives you part-time access to senior executive cybersecurity leadership and risk management capabilities. In other words, the CISO position is filled on a part-time basis by a consultant, and this person commits to providing strategic cybersecurity direction and strengthening your compliance capabilities.

The vCISO leads conversations and makes determinations about where your greatest risks and vulnerabilities lie. Your vCISO needs to interact at the executive level and understand your business objectives. This is critical to aligning the cybersecurity program to support your business growth. By definition and structure, the vCISO isn’t a “doing” role. It’s oversight and strategic direction for your cybersecurity program. The vCISO will structure initiatives, track progress and clear roadblocks. You’ll still need to dedicate staff time to doing the daily work and making progress on implementing the requirements of your ISP.

How Wipfli can help

Our cybersecurity professionals have deep experience supporting the needs of the insurance industry. A vCISO may be the right choice to address a variety of your information security priorities. We can provide the solutions you need to comply with the laws of your state and the NAIC model law. Contact us to learn more about our services.


Ken Kulawiak
Senior Manager