Why the need for the NAIC model law 668?
After high profile data breaches involving large insurers rocked the media, it became clear that a uniform set of cybersecurity standards needed to be put into place. The National Association of Insurance Commissioners, partering with state regulators, adopted the Insurance Data Security Model Law in 2017. Since then, multiple states have adopted this specific law while others, like New York, have taken this as the base for their own standard.
Map courtesy of NAIC State Legislative Brief
What are the expectations for the NAIC Model Law 668?
Information Security Program
Protect the security and integrity of nonpublic information against threats and unauthorized access and minimize risks of harm to the customer.
Risk assessments should be planned regularly to ensure accurate awareness of risk, effectiveness of procedures to safeguard nonpublic information and the security of information systems.
A risk management plan should have policies and procedures in place to control access, maintenance, storage and other elements of the physical and digital security of nonpublic information.
Oversight by Board
The board of directors needs to establish the requirement for executive management to develop, implement and maintain an information security program.
Oversight of Third
A third party policy should outline the process for vetting and monitoring third party vendors, including their level of cybersecurity. Vendors should be inventoried based on risk factors, data shared, type of service, etc.
Incident Response Plan
Best practice is to assume some time of breach will happen at some point. Businesses need to have a plan in place to ensure cyber resiliency with the ability to identify, contain and correct the breach quickly.
The CyberCompass difference
Without federal guidance governing all areas of cyber security, the result is a plethora of varying regulations, each with unique elements for compliance. A single insurer might have to comply with HIPAA, GDPR, CCPA and NAIC. While traditional tools might make you take 4 different assessments, CyberCompass can combine the assessment questions into one survey while still meeting all compliance requirements.
CyberCompass automates NAIC Model Law 668 compliance with built-in expertise that translates government requirements into layman’s terms. It is cloud-based, so it can be accessed anywhere with no software download.
Get and Stay NAIC 668 Compliant
- Answer one set of simple yes/no questions that meets NAIC Model Law 668 requirements
- Start and stop the survey as needed, giving you flexibility within your schedule
- Compliance gap report – easily see where you need improvements
- Built in step-by-step guide to fix issues
- CyberCompass’ encrypted online vault saves important documents in one location
- Train your employees with CyberCompass Academy