Evidence continues to mount for broad acceptance of NIST CSF

Action Item: Executives, General Counsels, Compliance Officers, and Board Members, across industries, should consider these principles.

Last week (April 17, 2015), the National Association of Insurance Commissioners (NAIC) adopted twelve basic principles to provide guidance to insurers, producers, and other regulated entities.

The release prominently discloses that “These principles have been derived from the Securities Industry and Financial Markets Association’s (SIFMA) ‘Principles for Effective Cybersecurity Regulatory Guidance’.” In other words, the financial services industry in many ways has been, and continues to be, a leader on the guidance front.

We believe this release adds to the growing evidence that uniform cybersecurity practices are being accepted across industries and that the federal standard is gaining a foothold.

The NAIC Cybersecurity Task Force has provided basic guidance for how insurers and related entities should approach information security practices. While there are no earth-shattering new IT security concepts in the release, the Cybersecurity Task Force, which was formed in November of 2014, clearly made an official endorsement of the NIST Framework for Improving Critical Infrastructure Cybersecurity (“NIST CSF”). We would also add that basic principles of the NIST CSF, such as adoption of a risk-based approach and tying cybersecurity concerns to the Enterprise Risk Management program of insurers, are clearly built into the release.

We believe the Cybersecurity Task Force has acted judiciously, taking their time in putting out these basic principles and, intelligently, choosing not to reinvent the wheel. While the principles represent obvious best practices, we still believe such guidance is a helpful form of communication across the enterprise, for Executive Management and the Board of Directors. In effect, what we are looking at is a simplified maturity model which should be considered across industries.

Some of the highlights of the release include:

Principle 4: Cybersecurity regulatory guidance for insurers and insurance producers must be flexible, scalable, practical and consistent with nationally recognized efforts such as those embodied in the National Institute of Standards and Technology (NIST) framework.

Principle 7: Planning for incident response by insurers, insurance producers, other regulated entities and state insurance regulators is an essential component to an effective cybersecurity program.

Principle 9: Cybersecurity risks should be incorporated and addressed as part of an insurer’s or an insurance producer’s enterprise risk management (ERM) process. Cybersecurity transcends the information technology department and must include all facets of an organization.

Principle 10: Information technology internal audit findings that present a material risk to an insurer should be reviewed with the insurer’s board of directors or appropriate committee thereof.

Principle 12: Periodic and timely training, paired with an assessment, for employees of insurers and insurance producers, as well as other regulated entities and other third parties, regarding cybersecurity issues is essential.

As momentum continues for acceptance of the NIST CSF, we would suggest that the Framework will increasingly be viewed as a “standard of care.” This is good news, as the NIST CSF is a manageable and cost-effective solution.

Please contact Artemis if you are interested in custom Framework implementation based on the NIST CSF.

For Further Information: