The NAIC's Cybersecurity Task Force was formed in November
2014, and is tasked with assisting the NAIC in addressing issues
relating to cybersecurity in the insurance industry.
As stated by NAIC President Monica J. Lindeen, these principles
are intended to "serve as the foundation for protection of
sensitive consumer information held by insurers as well as
insurance producers and guide regulators who oversee the insurance
industry."[2] The Principles were derived from
the Securities Industry and Financial Markets Association's
(SIFMA) "Principles for Effective Cybersecurity Regulatory
Guidance" issued in October 2014.
In addition to the Principles, the Task Force is expected in the
future to release a consumer bill of rights for insurance industry
consumers affected by a data breach.
The Principles and Interaction with Canadian
The Principles generally provide high-level guidance on
regulation of cybersecurity in the industry. In particular,
the Principles state that regulators "have a responsibility to
ensure that personally identifiable consumer information held by
insurers, producers and other regulated entities is protected from
cybersecurity risks" (Principle 1). In addition, the
Principles provide that "cybersecurity regulatory guidance for
insurers and insurance producers must be flexible, practical and
consistent with nationally recognized efforts" such as those
embodied in the National Institute of Standards and Technology
(Principle 4) and that "regulatory guidance must be risk-based
and must consider the resources of the insurer or insurance
producer, with the caveat that a minimum set of cybersecurity
standards must be in place" (Principle 5).
Cyber security is not a one-size-fits-all approach.
Organizations have unique risks and different tolerances for loss.
To address the specific circumstances of each organization,
security practices will and should differ between organizations and
over time. There is no agreement about cyber best practices that
should be applied in all situations.
The Principles do provide some specific guidance.
Regulators should require that regulated entities have in place
systems to provide timely alerts to consumers affected by a breach
(Principle 1). Regulated entities should have in place the
appropriate controls (Principle 8) and periodic and timely training
regarding cybersecurity issues (Principle 12). Planning for
incident response (Principle 7) should also be required;
information sharing about emerging threats should occur through an
information-sharing and analysis organization (Principle 11); and
cybersecurity should form part of an insurer's enterprise risk
management process (Principle 9).
In Canada, the Office of the Superintendent of Financial
Institutions ("OSFI") previously issued, in 2013, very
detailed Cyber Security Self-Assessment Guidance which
applies to federally regulated insurers, among others. It will be
interesting to see if OSFI and provincial insurance regulators'
cybersecurity regulatory initiatives are influenced by NAIC's
Principles going forward.
1. The NAIC is the U.S. insurance industry's national
standard-setting body, consisting of the chief regulators from the
50 states, the District of Columbia and five U.S.
2. See NAIC Press Release "NAIC Cybersecurity Task
Force Adopts regulatory Principles",