Wipfli logo
Insights - Articles, Blogs and on-demand webcasts

Articles & E-Books


New data security laws for insurers: How to comply with NAIC cybersecurity model law

Nov 02, 2023

Cybersecurity attacks are on the rise — increasing in both frequency and severity. And while any organization is at risk, certain industries are a more attractive target than others. Insurance carriers, for example, hold a treasure trove of sensitive information in their databases.

In response to rising risk, the National Association of Insurance Commissioners (NAIC) developed a data security model rule for states to adopt as law. The NAIC spent almost two years working with cybersecurity experts and insurance participants to draft it. The U.S. Treasury Department has since urged states to adopt a related law or risk a federal mandate.

While each state must separately adopt its own cybersecurity laws — choosing to adopt the NAIC model as is or adapt it as they see fit — two primary components remain consistent: You must have an information security program and an incident response plan.

Below are the highlights. For greater detail, watch our companion webinar: NAIC cybersecurity model rule implementation.

Information security program

First and foremost, the NAIC model rule requires a cybersecurity risk assessment. After all, how can you protect your assets appropriately if you don’t know the risk?

Keep it simple: While the risk assessment is a fundamental component, it’s an area where many organizations struggle. As a general rule, keep your risk assessment simple and focus on foreseeable risks like these:

  • Unauthorized access
  • Information transmission and interception
  • Disclosure (e.g., could someone inadvertently send out a file that would include policyholder information?)
  • Misuse (e.g., could data be viewed, modified or destroyed without proper authorization?)

Build your risk assessment on the most likely risks and resist the temptation to focus on those black swans, like an asteroid taking out your data center. Similarly, you can limit your risk rating to a simple low, medium or high ranking, rather than a larger numerical system.

Test to see if it’s working: As part of the risk assessment, you need to assess whether the safeguards you have in place are effective. That means you need a technical evaluation like a vulnerability assessment, penetration test and other measures.

Keep it current: Business evolves. Technology changes. All sorts of shifts can impact your data security needs. Review your risk assessment regularly to keep your program current.

Stay informed: Subscribe to some kind of threat intelligence service. Two options include the Financial Services Information Sharing and Analysis Center (FS-ISAC), an information-sharing forum for the industry, and InfraGard, a public-private partnership run by the FBI.

Train employees: Provide personnel with cybersecurity awareness training and help build their resistance to social engineering. People are the soft underbelly of every organization. There’s a saying in the security world: “The best hackers don’t hack systems, they hack people.” It’s often much easier to trick someone into inviting you into the network than to break your way in through systems.

Implement security measures: The law does not stipulate exactly what controls are appropriate, but it does provide some examples and starting points. Common controls we’d expect to see in place at insurers include:

  • Access controls: This includes permissions and role-based security.
  • Data management: Manage all elements of your infrastructure that have access to sensitive information, including personnel, devices, systems and facilities.
  • Physical access: Restrict physical access to locations where sensitive information is stored, including hard copies and server rooms.
  • Encryption: Nonpublic information (NPI) needs to be encrypted where it’s stored and in transmission.
  • Multifactor authentication (MFA): Make sure to implement MFA to help prevent unauthorized access to your network.
  • Ability to detect attacks: This includes ongoing, real-time monitoring for attacks and intrusions.
  • Environmental controls: This includes on-premises systems (e.g., climate controls, sprinkler systems) to protect against damage or loss.
  • Audit trails: For example, this can include the ability to track which employee accessed files and the ability to reconstruct material financial transactions.
  • Secure disposal: The includes shredding physical files and hard drives or other secure erasure.

Maintain oversight: If you have a board of directors, cybersecurity needs to be on their agenda. They need to understand your information security program and receive (at least) annual updates from management. Ultimately, they should be responsible for directing implementation. Likewise, you are required to provide oversight of any third-party service providers that handle your customers’ NPI. This means exercising cybersecurity due diligence when selecting vendors and requiring that they have the appropriate controls and safeguards in place, just as you do.

Consider a vCISO: A virtual chief Information security officer (vCISO) can provide the strategic capabilities needed for a sound, effective cybersecurity operation, especially for organizations without the budget or need for a full-time, dedicated security chief.

Incident response plan

Under the NAIC model law, insurers and related licensees are required to have a written incident response plan to promptly respond to and recover from cybersecurity events. Here the model gets pretty specific as to what needs to be included in that plan:

  • Internal processes: Define the who, what and when of an incident response plan.
  • Roles and responsibilities: This includes who can authorize taking a system offline, who communicates with the public, who informs executive management, etc.
  • Communication: What do internal and external stakeholders learn about the event and when?
  • Remediation
  • Documentation and reporting
  • Continuous improvement: Evaluate and revise the information security program and the incident response plan following an event.

Investigation: Your organization needs to act quickly the moment you suspect a cybersecurity event has happened. That means determining whether an event actually occurred, assessing the nature and scope and restoring the security of compromised information systems — to the fullest extent possible.

Notification: Under the model law, you are required to notify your state insurance commissioner no more than 72 hours from the determination that a cybersecurity event has occurred. Notification is required when you believe more than 250 consumers have been impacted or when the event has the material likelihood of harming a consumer or a material part of your normal operations.

Once an event has risen to the notification level, the law gets really granular. Notifications and follow-up reports will need to cover when the event occurred, how information was exposed/lost/stolen, how the breach was discovered, recovery info, source, whether a police report or other government notification was made, the efforts you’re taking to remediate and more.

State-by-state adoption

At least 22 states have enacted some version of the NAIC cybersecurity law, and, and the deadline for initial compliance has already passed in many of them. Read more about what the law entails and state implementation deadlines for the law’s various components.

Meet insurance industry cybersecurity compliance requirements with Wipfli

If you have questions about the insurance cybersecurity requirements in your state or would like assistance in reaching compliance, please reach out to us. Visit our insurance data security compliance center to learn more.

Additional information:


Greg Foster, CPA
Southeast Market Leader
View Profile
Tom Wojcinski
View Profile