NAIC Insurance Data Security Model Law Compliance Services

On October 24, 2017 the NAIC adopted the Insurance Data Security Model Law, which establishes standards for data security and for the investigation of, and notification to the Commissioner of, a Cybersecurity Event. The framework of the Model Law is similar to the New York Department of Financial Services Cybersecurity Regulation that went into effect on March 1, 2017. As states enact the Model Law, insurance companies licensed in those states are required to perform a Cybersecurity Risk Assessment and to create and maintain a Cybersecurity Program based on that Risk Assessment. Security Compliance Associates (SCA) has partnered with financial services companies for more than 12 years, helping them identify, reduce and manage technology risk. NAIC Insurance Data Security Model Law compliance services include:

Cybersecurity Policies and Procedures (Section 4)

Your existing Cybersecurity Policies, Procedures and Employee Use Guidelines are evaluated for completeness against industry best practices and the controls outlined in the NAIC Insurance Data Security Model Law. Areas of strength are identified along with gaps which need inclusion or improvement. SCA will then revise or re-write your Cybersecurity Policies, Procedures and Employee Use Guidelines to satisfy NAIC requirements and align with your organization’s size, complexity and culture.

Cybersecurity Risk Assessment (Section 4)

Following an established and widely recognized framework, the Cybersecurity Risk Assessment identifies current vulnerabilities and threat sources, and discusses planned and recommended countermeasures to mitigate the resulting risks. Information contained in the Cybersecurity Risk Assessment will assist management in making informed decisions regarding your cybersecurity posture, including the actions and controls needed to meet the elements of the NAIC Insurance Data Security Model Law.

Cybersecurity Program Review and Penetration Test (Section 4)

The Cybersecurity Program Review measures your organization against the controls outlined in the NAIC Insurance Data Security Model Law and industry best practices. Each gap is assigned a criticality rating along with corrective advice to assist management in planning and executing timely remediation. The executive summary report is suitable for submission to the Board or equivalent committee to fulfill annual reporting requirements.

Both internal and external penetration tests are performed to subject your systems to real-world attempts to gain system access and/or escalate access privileges. SCA will attempt to exploit identified vulnerabilities and configuration errors to gain unauthorized system access, using a combination of manual techniques and automated tools.

The outcomes of the Cybersecurity Program Review and Penetration Test are a baseline of your current cybersecurity posture and a roadmap to improve that posture and meet the requirements of the NAIC Insurance Data Security Model Law.

Disaster Recovery and Business Continuity Plan (Section 4)

A DR/BC Plan includes measures to protect against the destruction, loss or damage of Nonpublic Information due to environmental hazards, catastrophes and technical failures. Your existing DR/BC Plan is evaluated for completeness against industry best practices. Areas of strength are identified along with gaps which need inclusion or improvement. SCA will then revise or re-write your DR/BC Plan to satisfy regulatory requirements and to align with your organization’s size, complexity and culture.

Incident Response Program (Section 4)

An Incident Response Plan details the plans and procedures to respond to, and recover from, a Cybersecurity Event. Your existing Incident Response Plan is evaluated for completeness against industry best practices and the seven areas identified by the NAIC Insurance Data Security Model Law. Areas of strength are identified along with gaps which need inclusion or improvement. SCA will then revise or re-write your Incident Response Plan to satisfy regulatory requirements and to align with your organization’s size, complexity and culture.

Employee Cybersecurity Awareness Training (Section 4)

Employee Cybersecurity Awareness Training is delivered through our web-based presentation. Training sessions are available on-demand, making this format suitable both for on-boarding new employees and for annual employee Cybersecurity Awareness Training. Training is a key element in creating awareness and understanding of your Cybersecurity policies and procedures.

Third Party Security: Risk Assessment and Due-Diligence (Section 4(F))

Following your Third Party Security Policy, SCA will perform a risk assessment and due-diligence review of third parties that evaluates the adequacy of their cybersecurity practices. SCA reviews whether the third party’s business processes include appropriate physical, administrative and technical safeguards to protect Nonpublic Information against unauthorized access or use. Additionally, we review the controls the third party has in place to ensure that any sub-contractor it uses employs appropriate security measures.

To learn more, call 727-571-1141.