The passage of the NAIC's Insurance Data Security Model Law is an indication of impending cybersecurity regulations. States are expected to begin adopting the Model Law, or close versions of it, in their 2018 legislative sessions. There is no better time than now for insurance organizations to ensure that their information security program is well-equipped to absorb these new regulatory requirements.
Whether or not you are seasoned in the cybersecurity regulatory space, a well-run security program will be essential to achieving both compliance and, more importantly, security. Here are three key points of guidance to prepare you for meeting your compliance objectives:
- Building a Security Program is a Process, Not a Project
Expecting to implement a security program overnight is not realistic. The Model Law gives organizations one year of implementation time (two years for the Third-Party Provider Oversight requirement) from the effective date of the Act passed by each state. Many of these controls will take several months to iron out, so give yourself as much lead time as possible.
If you already deal with a risk-based compliance program like HIPAA or the PCI DSS, you are probably ahead of the game. On the other hand, if you feel like you are starting from ground zero, you likely have security controls in place that will map to NAIC compliance, but they are likely not yet formalized. Either way, there is no better time than now to get started. A good security partner will enable you to jump-start your learning curve.
- Let Risk Be Your Guide
The most fundamental first step to creating a highly effective security program is to create a baseline for risk at your organization and to establish a framework for risk management. Risk assessments are the best way to identify and prioritize the risks to your systems and data. The Model Law requires a risk assessment be conducted no less than annually. You should perform an organization-wide risk assessment on an annual basis that addresses all of your compliance requirements instead of performing a siloed risk assessment for each regulation. A holistic risk assessment will encourage your organization to evaluate risk in terms of the overall business and produce more centralized risk management processes.
Your risk assessments should not be limited to only the Model Law’s scope. There are likely key risks to your business that NAIC compliance will not address. For example, the NAIC Model Law does not address availability of information. If your client data files are inaccessible for a prolonged period of time, that will likely affect your bottom line, but you can have an outage while still remaining compliant. It is a best practice to address all information security risks to your organization in a single assessment so that business requirements can be assessed alongside compliance requirements. Ensure your risk assessment is scoped to encompass all people, processes, and technology that can affect the security of your data.
The risk assessment should produce a risk register, which is an inventory of individual risks with associated risk scores and recommendations. The risk register helps answer the question, "What do we focus our limited resources on next?" When you are sitting in your next management meeting and someone brings up a previously unknown risk such as, "Did you know that we have a lot of legacy documents with sensitive personal information stored across workstations in our network?", take the opportunity to analyze the risk and add it to the risk register. This process gets leadership thinking in terms of risk and gives a clear picture of why the business will, or will not, address any particular risk as its next priority.
- Elevate the Risk Conversation
Organizations that are constantly in a reactive mode, struggling to set priorities and getting little traction on security projects, often make the mistake of assuming security is an IT problem. Security is not an IT problem. It is a business-wide challenge in which everyone plays a role. In organizations that assume security is an IT problem, risk decisions are often made in isolation by IT managers and IT analysts, while the business is left assuming the risk it doesn’t know about or understand. The NAIC Model Law attacks this challenge by requiring the board of directors or appropriate board committee (if one exists) to oversee the information security program. If you do not have a board, consider creating a Security Steering Committee or similar governance board with representation from various business units to oversee the information security program. This effort will elevate the risk decision process to a group who can appreciate how the individual risks impact the business.
With these three guidance points in mind, you will be much better prepared to adapt to the upcoming cybersecurity requirements. As you review these pending requirements, remember that the intent of the regulation is ultimately operational security, so keep the heart of each requirement, security itself, in focus. While compliance does not yield security, security done right does yield compliance.
Geoff Wilson currently serves as a Principal Security Consultant at True Digital Security, a Tulsa, Okla.-based security consulting and services firm specializing in information assurance. Wilson specializes in building security programs, regulatory compliance, penetration testing, and risk assessments. Prior to joining True, Mr. Wilson worked for the University of Oklahoma and the National Security Agency. He holds an M.S. in Information Security Technology and Management from Carnegie Mellon University and a B.S. in Computer Science from the University of Oklahoma. Wilson has taught a graduate-level information security course at the University of Oklahoma for four years. He holds Certified Information Systems Security Professional (CISSP) and PCI QSA certifications. Wilson can be reached at [email protected].