Insurance
Insurance firms face cybersecurity regulation at both the state and national level, along with extensive security expectations from the banks they do business with. To complicate matters further, state-level security regulation is mostly similar, but not identical, across jurisdictions.
The Regulatory Burden
Insurers are regulated first and foremost by state insurance commissioners, and the National Association of Insurance Commissioners (NAIC) adopted a model data security law at the end of 2017. State authorities can now implement that model law as they see fit, including departing from it where they choose (for example, to harmonize it with consumer data protection laws already on the books).
The NAIC model security law lists 13 pieces of information firms would need to report to state insurance regulators after a breach, down to details such as how the breach was discovered and whether a police report was filed.
Large insurance firms almost inevitably also do business in the state of New York, so they must comply with the New York Department of Financial Services’ cybersecurity regulation known as Part 500. The DFS rule requires encryption, access controls, and penetration testing; incident response plans; and annual certification of compliance.
And like any other large business, insurers face all the usual requirements to protect personal information under rules such as HIPAA, the GDPR, the Gramm-Leach-Bliley Act, and state consumer protection laws.
Compliance Objectives
Frameworks do exist to help insurance firms meet those regulatory demands. Given the overlapping thicket of regulations that apply to the sector, a strong ability to perform risk assessments and track remediation is critical. For example, companies need to:
- Assess their breach detection and responsibilities.
- Identify security gaps they must fill to meet regulatory requirements.
- Develop documentation and assurance mechanisms so senior officers certifying compliance can do so with confidence.
- Monitor the third parties that have access to confidential data, and assess their security postures.
- Ensure that remediation tasks are assigned and executed on a timely basis.
- Understand and respond to any new regulations that emerge.
Insurance-Related Use Cases
Learn how we can fit into your business.
Schedule a demo to learn how we can help guide your organization to confidence in infosec risk and compliance.