Why the Need for the NAIC Model Law 668?
After high-profile data breaches involving large insurers rocked the media, it became clear that a uniform set of cybersecurity standards needed to be put into place. The National Association of Insurance Commissioners, partnering with state regulators, adopted the Insurance Data Security Model Law in 2017. Since then, multiple states have adopted this specific law, while others, like New York, have used it as the base for their own standard.
Map courtesy of NAIC State Legislative Brief
What are the expectations for the NAIC Model Law 668?
Information Security Program
The program must protect the security and integrity of nonpublic information against threats and unauthorized access and minimize the risk of harm to the customer.
Risk assessments should be planned regularly to maintain accurate awareness of risk, the effectiveness of procedures that safeguard nonpublic information, and the security of information systems.
A risk management plan should have policies and procedures in place to control access, maintenance, storage and the other elements of the physical and digital security of nonpublic information.
Oversight by Board
The board of directors needs to establish the requirement for executive management to develop, implement and maintain an information security program.
Oversight of Third Parties
A third-party policy should outline the process for vetting and monitoring third-party vendors, including their level of cybersecurity. Vendors should be inventoried based on risk factors such as the data shared with them and the type of service they provide.
Incident Response Plan
Best practice is to assume that some type of breach will happen at some point. Businesses need to have a plan in place to ensure cyber resiliency, with the ability to identify, contain and correct the breach quickly.
The CyberCompass Difference
Without federal guidance governing all areas of cybersecurity, the result is a plethora of varying regulations, each with unique elements for compliance. A single insurer might have to comply with HIPAA, GDPR, CCPA and NAIC. While traditional tools might make you take 4 different assessments, CyberCompass can combine the assessment questions into 1 assessment while still meeting all compliance requirements.
CyberCompass automates NAIC Model Law 668 compliance with built-in expertise that translates government requirements into layman’s terms. It does most of the heavy lifting to streamline compliance workflow.
It is cloud-based, so it can be accessed anywhere with no software download. Most importantly, you don’t have to be a cybersecurity expert to use CyberCompass.
Our automation can save your firm over 400 hours throughout the twelve-month subscription.
Get and Stay NAIC 668 Compliant
- Answer one set of simple yes/no questions that meets NAIC Model Law 668 requirements
- Flexibility to start and stop – CyberCompass saves your progress
- Compliance gap report – easily see where you need improvements
- Built-in step-by-step guide to fix issues
- CyberCompass online vault saves your “body of evidence” in one place
- Monitor your compliance for 12 months with dashboards and reporting
Want to know where your vulnerabilities are? Take our FREE Cyber Quick Check survey.
In 2 minutes you get an overview of where your biggest threats are.