Microsoft Security

The challenges of adopting a consistent cybersecurity framework in the insurance industry

As attacks have increased in number and severity, we in the cybersecurity community have united around common strategies that any organization can implement to reduce its risk. Universal best practices give organizations many useful tools for protecting their businesses. What often gets overlooked in these discussions, though, are the security challenges unique to each industry and the tailored solutions those challenges require. This is an area of interest to me, and lately I have been fascinated by the path the insurance industry is carving out in cybersecurity. Today, I'll discuss recent activity by the U.S. insurance industry and the ramifications of these initiatives. In the coming weeks, I'll offer my insights into how other industries are confronting rising security and compliance risks.

Before we dive in, let me explain why I think insurance deserves to be treated as its own area of focus. Many people consider the insurance industry simply a sub-sector of financial services, but that view misses important nuances. The insurance market has its own business needs, technology requirements and adoption cycles, and buyer personas, distinct from those of banking and capital markets. Products (security-related or otherwise) that resonate with a banker or a banking IT professional may not be relevant to an insurance buyer, and products the insurance buyer finds valuable may hold little appeal for banking and capital markets. It is therefore worth taking stock of the insurance market's own efforts to protect insurers, their customers, and their data.

Aligning behind a cybersecurity framework in a fragmented, state-by-state regulatory environment

In the last few years, the U.S. insurance industry has taken several steps to address cybersecurity. The most visible example is the recent push by the National Association of Insurance Commissioners (NAIC) to promote its Insurance Data Security Model Law, adopted in 2017. This model legislation provides a legal framework that state governments can follow as they consider enacting laws requiring insurers to implement cybersecurity protections. More generally, the NAIC has become more outspoken on cybersecurity (see, for example, its 2015 Cybersecurity Bill of Rights) and has been working to ensure a consistent approach across the U.S. market.

Looking across these activities, a few key points emerge that I think are worth tracking in the coming months:

Stay current on the rapidly changing insurance sector security landscape

The state-by-state adoption of laws similar to or overlapping with the NAIC Insurance Data Security Model Law will continue at an unpredictable pace. As of this writing, more than half a dozen states are debating such rules and determining how best to apply the NAIC model while also accommodating the New York Department of Financial Services' 2017 Cybersecurity Regulation (23 NYCRR Part 500), which overlaps significantly with the NAIC law. And as we move into a post-GDPR world and consider the California Consumer Privacy Act, signed this past June, it will be intriguing to see how insurers and banks take their cues from one another while continuing to promote laws tailored to their own industry needs. If you want to stay current on these issues, you can monitor the NAIC website. And look out for future posts from me, where I'll discuss how other industries are dealing with cybersecurity and compliance challenges.