Request Demo

NIST Cybersecurity Framework, Insurance

Midwest Leads Country In Cybersecurity Standardization


As predicted, 2019 has seen the expansion of more state-specific legislation relating to cybersecurity and data protection. What started with Ohio’s safe harbor law has rapidly spread to more states, especially in the midwest. Some industries are moving faster than others - what we’ve seen in New York with 23 NYCRR 500 and the financial services industry has moved to the midwest and the insurance industry.

Ohio Safe Harbor Law

As we’ve reported on in the past, Ohio passed a bill in 2018 that grants safe harbor to Ohio businesses that suffer a breach despite having implemented an approved list of standards and frameworks. Specifically, this law granted defense against causes of action under Ohio law specifically. However, this law led the way for many states to begin enacting their own forms of data security, protection, and privacy. As we’ve seen with California, Washington, and a host of others, many states are using their faster legislative process to protect their constituents while the federal government looks to a more wide-ranging solution.

Ohio’s Data Protection Act laid the foundation for the next iteration of legislation around cybersecurity and data protection, specifically in the insurance industry.

The Insurance Data Security Model Law

The Insurance Data Security Model Law (shortened to Model Law) was developed in part by the National Association of Insurance Commissioners (NAIC). Following the catastrophic breaches of Anthem, Premera Blue Cross, and others the NAIC realized the criticality of the personal data that insurance companies store.

In October of 2017, the NAIC ratified the Model Law for all insurance companies in the same way that HIPAA protects healthcare information. While more of a framework than a law until an individual state adopts it, the Model Law drew inspiration from the NYDFS 23 NYCRR 500 with some key differences. What is remarkable about the Model Law and its applied embodiments (more on that), is the shift from checkbox compliance to risk-based thinking. Both 23 NYCRR 500 and the Model Law rely heavily on organizations conducting consistent, if not continuous, risk assessments to inform their cybersecurity strategy. What this signals is the recognition that every organization is different, and to think that one list of controls will secure an industry is outdated.

Insurance Data Should Keep The Midwest Up At Night

Just as California has the highest concentration of technology companies, and therefore the highest concern for consumer data privacy, it is a great concern for the midwest what happens to insurance customer data. The midwest territory commands some of the biggest names in insurance and to date regulations around insurance has largely been underdeveloped. Moving forward, we can expect to see states follow Ohio and Michigan’s lead - whether they take the safe-harbor (carrot) approach of Ohio or the more traditional fine (stick) approach of Michigan, we can expect to see more and more states adopting the outline of the Model Law.

Navigating The Crossroads of State and Industry Regulations

The landscape of state- and industry-specific regulations is only going to get more complicated and the reactionary approach is not going to work. What is encouraging, though, is the way these regulations hinge on risk assessments over checkbox compliance. Furthermore, these governing bodies (NAIC and NYDFS) are not designing these regulations in a vacuum - you can expect to see more regulations start to interplay together more and more. In the same way that the Model Law drew from 23 NYCRR 500, you can expect that more and more regulations with use that approach. The common thread though? The NIST CSF. As we explored before, the language of the NYDFS regulation and the Model Law draws from the CSF at its core. While the incident reporting timelines may differ, the approach to risk and compliance management continues to make the NIST CSF the gold standard. If you want to ensure that you’re ready for the next regulation, and want to build for the future, start building on the NIST CSF today.

The CyberStrong platform is the only integrated risk management platform that is built on the NIST CSF and allows you and your team to operationalize any framework while benchmarking against that gold-standard. Alongside the CSF, CyberStrong uses NIST 800-30 methodology to streamline your risk assessments and AI backed remediation plans to show you a clear path to security.

You may also like

The Guide To A CEOs First ...
on May 16, 2019

One of the greatest challenges that CEOs and business-side leaders are faced with when tasked with implementing a cybersecurity program is the board-level reporting that goes on ...

Jerry Layden
What The NIST Privacy Framework ...
on May 14, 2019

On Wednesday May 1, the National Institute of Standards and Technology (NIST) released their latest draft version of the much anticipated NIST Privacy Framework. Following the ...

Padraic O'Reilly
The CEO's Guide To Understanding ...
on May 9, 2019

With high profile data breaches and cyber incidents capturing headlines almost weekly, business leaders are getting a front row seat to the impact that cybersecurity can have on ...

Jerry Layden
The NIST Privacy Framework Is More ...
on May 17, 2019

In recent weeks, the National Institute of Standards and Technology released their latest draft of the new privacy framework. The forthcoming privacy framework will join NIST’s ...

The Road To An Internet Of Things ...
on May 2, 2019

As we’ve seen before, one of the greatest cybersecurity threats facing both consumer- and enterprise-focused organizations is the rise of connected devices - the internet of ...

George Wrenn
Is The NIST CSF Replacing HIPAA In ...
on April 30, 2019

In the recently released Cynergistek report on the state of healthcare sector cybersecurity framework adoption, I noticed an interesting trend - the rise in NIST CSF adoption and ...

George Wrenn