Insurance firms face cybersecurity regulation at the state and national level, along with extensive security expectations from the banks that work with them. To complicate matters further, state-level security regulations are broadly similar, but not identical, across jurisdictions.


The regulatory burden

Insurers are foremost regulated by state insurance commissioners, and the National Association of Insurance Commissioners did adopt a model data security law at the end of 2017. State authorities can now implement that model law as they think best, including departing from the model law if they choose (for example, to harmonize that law with other consumer data protection laws already on the books).

The NAIC model security law lists 13 pieces of information firms would need to report to state insurance regulators after a breach, down to details such as how the breach was discovered and whether a police report was filed.

Large insurance firms almost inevitably also do business in the state of New York, so they must comply with the New York Department of Financial Services’ cybersecurity regulation known as Part 500. The DFS rule requires encryption, access controls, and penetration testing; incident response plans; and annual certification of compliance.

And like any other large business, insurers face all the usual requirements to protect personal information under rules such as HIPAA, the GDPR, the Gramm-Leach-Bliley Act, and state consumer protection laws.

The compliance objectives:

Frameworks do exist to help insurance firms meet those regulatory demands. Given the overlapping thicket of regulations that apply to the sector, a strong ability to perform risk assessments and track remediation is critical. For example, companies need to:

Assess their breach detection capabilities and their responsibilities after a breach

Identify security gaps they must fill to meet regulatory requirements

Develop documentation and assurance mechanisms so senior officers certifying compliance can do so with confidence

Monitor the third parties that have access to confidential data, and assess their security postures

Ensure that remediation tasks are assigned and executed on a timely basis

Understand and respond to any new regulations that emerge

What can ZenGRC do for you?

As a cloud-based solution, ZenGRC deploys simply and quickly (six to eight weeks) even across a large enterprise. Equally important, ZenGRC is a flexible solution that lets you find the optimal deployment based on your needs — or more specifically, on the security needs your customer has, that you must satisfy.

It also provides a unified platform to manage controls across multiple frameworks, and a dashboard that lets CISOs monitor key performance indicators for compliance and IT security efforts. ZenGRC gives you full visibility into risks and deficient controls so you can coordinate remediation and avoid surprises that affect your customer.