SOFE_CDS_NAIC_Principles_for_Effective_Cybersecurity_2016-08-04-2016

©2016 HISPI
The Good, The Bad, The Ugly
of
NAIC Principles for Effective
Cybersecurity: Insurance Regulatory
Guidance
SOFE CDS
August 2016

©2016 HISPI 2
Taiye Lambo CISSP, CISA, CISM, HISP, ISO 27001 Auditor
 Former Chief Information Security Officer (CISO), City of Atlanta, Georgia
 Author Holistic Information Security Practitioner (HISP) Certification Course
 Founder Holistic Information Security Practitioner Institute (HISPI) –
www.hispi.org
 Founder, CloudeAssurance, Inc. – www.CloudeAssurance.com
 President & Founder, eFortresses, Inc. – www.eFortresses.com
 Founder UK HoneyNet Project – www.honeynet.org.uk
 Hybrid technical and business information security practitioner; 25+ years IT
and 19+ years Information Security experience, including:
 Delivered critical BS 7799, ISO 17799, ISO 27002 & ISO 27001, NIST based
management consulting engagements to the United Nations and various clients
in the Manufacturing, Government, Financial Services, Insurance,
Telecommunications, Software and Healthcare sectors across 4 continents.
 Presented at security events including conferences organized by MISTI, ISSA,
InfraGard, ISACA, CPM, SOFE, EDUCAUSE, HITRUST, SECUREWORLD EXPO,
KUWAIT INFO SECURITY CONFERENCE & EXHIBITION, UNITED NATIONS (UN),
EC-Council, TAG and SC Congress.
About Me

©2016 HISPI 3
Global Threat Landscape

©2016 HISPI 4
Compliance ≠ Security
A safety engineer approves the appropriate number
of lifeboats on a new capacity line of cruise ships.
Regulatory Compliance Requirement:
 Passenger and Crew Capacity: 3,600
 Lifeboats: 16
 Occupancy: 1,100
Actual:
 Passengers and Crew: 2,224
 Lifeboats: 20
 Occupancy: 1,178
Determination, “Compliant”
*Compliance + Continual Improvement Process
through ongoing Risk Assessments would have
identified the need for protection against physical
factors such as weather and icebergs!
Maiden
Voyage
April 15,
1912
RMS Titanic
Passengers
and Crew
Lost:
1,514

©2016 HISPI 5
Assess how aware
your employees and
contractors are
regarding how to
handle
a potential cyber-
security threat
Assess how mature
your internal
processes are by
measuring your
processes against
ISO 27001, NIST CSF
etc.
Assess what
technical
vulnerabilities
exists within your
internal and
external facing
information assets
Assess what
sensitive &
confidential data is
potentially being
exposed to
unauthorized access
Assessing Cybersecurity Holistically

©2016 HISPI 6
NAIC Principles for Effective Cybersecurity:
Insurance Regulatory Guidance
Principle 1:
State insurance regulators have a responsibility to
ensure that personally identifiable consumer
information held by insurers, producers and other
regulated entities is protected from cybersecurity
risks. Additionally, state insurance regulators
should mandate that these entities have systems in
place to alert consumers in a timely manner in the
event of a cybersecurity breach. State insurance
regulators should collaborate with insurers,
insurance producers and the federal government to
achieve a consistent, coordinated approach.

©2016 HISPI 7
Principle 1:
ensure that personally identifiable consumer
information held by insurers, producers and other
regulated entities is protected from cybersecurity
risks. Additionally, state insurance regulators
should mandate that these entities have systems in
place to alert consumers in a timely manner in the
event of a cybersecurity breach. State insurance
regulators should collaborate with insurers,
insurance producers and the federal government to
achieve a consistent, coordinated approach.

©2016 HISPI 8
Principle 2:
Confidential and/or personally identifiable
consumer information data that is collected, stored
and transferred inside or outside of an insurer’s,
insurance producer’s or other regulated entity’s
network should be appropriately safeguarded.

©2016 HISPI 9
Principle 2:
Confidential and/or personally identifiable
consumer information data that is collected, stored
and transferred inside or outside of an insurer’s,
insurance producer’s or other regulated entity’s
network infrastructure and assets should be
appropriately safeguarded.

©2016 HISPI 10
Principle 3:
protect information that is collected, stored and
transferred inside or outside of an insurance
department or at the NAIC. This information
includes insurers’ or insurance producers’
confidential information, as well as personally
identifiable consumer information. In the event of a
breach, those affected should be alerted in a timely
manner.

©2016 HISPI 11
Principle 3:
protect information that is collected, stored and
transferred inside or outside of an insurance
department or at the NAIC. This information
includes insurers’ or insurance producers’
confidential information, as well as personally
identifiable consumer information. In the event of a
breach, those affected should be alerted in a timely
manner.

©2016 HISPI 12
Principle 4:
Cybersecurity regulatory guidance for insurers and
insurance producers must be flexible, scalable,
practical and consistent with nationally recognized
efforts such as those embodied in the National
Institute of Standards and Technology (NIST)
framework.

©2016 HISPI 13
Principle 4:
Cybersecurity regulatory guidance for insurers and
insurance producers must be flexible, scalable,
practical and consistent with nationally recognized
efforts such as those embodied in the National
Institute of Standards and Technology (NIST)
cybersecurity framework and ISO/IEC 27000 series
framework.

©2016 HISPI 14
Principle 5:
Regulatory guidance must be risk-based and must
consider the resources of the insurer or insurance
producer, with the caveat that a minimum set of
cybersecurity standards must be in place for all
insurers and insurance producers that are
physically connected to the Internet and/or other
public data networks, regardless of size and scope
of operations.

©2016 HISPI 15
Principle 5:
Regulatory guidance must be risk-based and must
consider the resources of the insurer or insurance
producer, with the caveat that a minimum set of
cybersecurity standards must be in place for all
insurers and insurance producers that are
physically connected to the Internet and/or other
public data networks, regardless of size and scope
of operations.

©2016 HISPI 16
Principle 6:
State insurance regulators should provide
appropriate regulatory oversight, which includes,
but is not limited to, conducting risk-based financial
examinations and/or market conduct examinations
regarding cybersecurity.

©2016 HISPI 17
Principle 6:
State insurance regulators should provide
appropriate regulatory oversight, which includes,
but is not limited to, conducting risk-based financial
examinations and/or market conduct examinations
regarding cybersecurity.

©2016 HISPI 18
Principle 7:
Planning for incident response by insurers,
insurance producers, other regulated entities and
state insurance regulators is an essential
component to an effective cybersecurity program.

©2016 HISPI 19
Principle 7:
Planning for incident response by insurers,
insurance producers, other regulated entities and
state insurance regulators is must be an essential
component to an effective cybersecurity program
put in place by insurers, insurance producers, other
regulated entities and state insurance regulators.

©2016 HISPI 20
Principle 8:
Insurers, insurance producers, other regulated
entities and state insurance regulators should take
appropriate steps to ensure that third parties and
service providers have controls in place to protect
personally identifiable information.

©2016 HISPI 21
Principle 8:
Insurers, insurance producers, other regulated
entities and state insurance regulators should take
appropriate steps to ensure that third parties,
particularly external partners and service providers
have controls in place to protect personally
identifiable information.

©2016 HISPI 22
Principle 9:
Cybersecurity risks should be incorporated and
addressed as part of an insurer’s or an insurance
producer’s enterprise risk management (ERM)
process. Cybersecurity transcends the information
technology department and must include all facets
of an organization.

©2016 HISPI 23
Principle 9:
Cybersecurity risks should be incorporated and
addressed as part of an insurer’s or an insurance
producer’s enterprise risk management (ERM)
process. Cybersecurity transcends the information
technology department and must include all facets
of an organization.

©2016 HISPI 24
Principle 10:
Information technology internal audit findings that
present a material risk to an insurer should be
reviewed with the insurer’s board of directors or
appropriate committee thereof.

©2016 HISPI 25
Principle 10:
Information technology internal audit findings that
present a material risk to an insurer should be
reviewed with the insurer’s board of directors or
appropriate committee thereof.

©2016 HISPI 26
Principle 11:
It is essential for insurers and insurance producers
to use an information-sharing and analysis
organization (ISAO) to share information and stay
informed regarding emerging threats or
vulnerabilities, as well as physical threat
intelligence analysis and sharing.

©2016 HISPI 27
Principle 11:
It is essential for insurers and insurance producers
to use an information-sharing and analysis
organization (ISAO) to share information and stay
informed regarding emerging threats or
vulnerabilities, as well as physical threat
intelligence analysis and sharing.

©2016 HISPI 28
Principle 12:
Periodic and timely training, paired with an
assessment, for employees of insurers and
insurance producers, as well as other regulated
entities and other third parties, regarding
cybersecurity issues is essential.

©2016 HISPI 29
Principle 12:
Periodic and timely cybersecurity training, paired
with an assessment to determine effectiveness, for
employees of insurers and insurance producers, as
well as other regulated entities and other third
parties, regarding cybersecurity issues is essential.

©2016 HISPI 30
To download the latest HISPI Top 20 Mitigating Controls,
Please visit the HISPI downloads section
https://www.hispi.org/memberdownloads.php
To benchmark against NIST 800-53, NIST CSF, ISO & CMMI
or Access our cloud service provider ratings database
Sign up for a FREE 30-Day Trial at
www.CloudeAssurance.com
Please contact me at tlambo@eFortresses.com or
LinkedIn https://www.linkedin.com/in/taiyelambo
Questions?

SOFE_CDS_NAIC_Principles_for_Effective_Cybersecurity_2016-08-04-2016

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to SOFE_CDS_NAIC_Principles_for_Effective_Cybersecurity_2016-08-04-2016

Similar to SOFE_CDS_NAIC_Principles_for_Effective_Cybersecurity_2016-08-04-2016 (20)

SOFE_CDS_NAIC_Principles_for_Effective_Cybersecurity_2016-08-04-2016