Since issuing its Principles of Effective Cybersecurity last July, [1] the National Association of Insurance Commissioners (“NAIC”) has been making progress in the development of cybersecurity examination manuals. NAIC’s regulatory guidance is intended to help state insurance regulators identify cybersecurity risks and communicate a uniform set of control requirements to insurers, insurance producers, and related regulated entities (collectively, “Insurance Companies”).

Given the priority regulators are placing on cybersecurity (including NAIC’s Cybersecurity Task Force) and the continued occurrence of high profile data breaches, we expect that cybersecurity examinations will commence as early as 2016 and will be performed by insurance regulators as part of their standard three-year exam cycle. While NAIC’s examination manuals will act as guidelines for state regulators, actual regulation will vary by state. Thus, Insurance Companies should be tracking state regulatory developments to ensure that their cybersecurity programs are rigorous and all-encompassing.

(more…)