I recently received a report from an international insurance regulatory meeting in which U.S. insurance commissioners were participating. The urgency and assertiveness of our regulators hit me like a ton of bricks.
NAIC president Eric Cioppa, the Maine director of insurance, opined that cybersecurity regulation cannot be prescriptive, but instead must be principles-based because it is too hard for the supervisors to keep pace with industry. First, cybersecurity engagement must come from the very top of the company. A culture that prioritizes cybersecurity is critical due to the weakest-link phenomenon. Second, an insurer must focus on total preparedness for when a breach occurs. Without engaging in table topping, a breach could be devastating to the company. The supervisors are not looking to second-guess a company’s program, but are trying to focus on broad cybersecurity themes.
As we continue to push forward in implementing the Web of Trust, it is worth understanding how U.S. regulators are approaching the same problems at an industry level and recognizing that it’s not all that different from the work we have been doing and are prepared to do more of. Given that our members’ claims-paying function is an extension of the insurance industry, what regulators think on the topic should very much matter to us.
In my view the reasoning transfers to NCIGF’s role in making certain that our members are at the most effective level of cybersecurity. If regulators can require carriers to “open their kimonos” as part of their consumer protection mission when a company is in business, we should be doing the same on security, also for the purpose of protecting policyholders and claimants. Our goals are even more narrow than the regulator’s.
Beyond the cybersecurity piece, the report should provide a flavor for the scope of discussions at the IAIS and the active role U.S. regulators are playing in it. This is a global version of the NAIC (and as Keith Bell reminds us, the NAIC actually created the IAIS). I point this out because while some of our colleagues continue to digest the “international” aspect of insurance regulation and its application to the U.S., this report gives a tiny peek into its tangibility, importance and durability.