← Frameworks / Insurance Regulation

NAIC Insurance Data Security Model Law (#668)

Model law adopted by 24+ US states requiring insurers, agents, and other licensed entities to develop comprehensive information security programs. 24 sections covering information security program requirements, risk assessment, board oversight, CISO designation, access controls, system and data safeguards, secure development practices, incident response, investigation and notification, third-party service provider oversight, and annual compliance certification to the commissioner.

Clauses: 24

Avg Coverage: 72.1%

Publisher: National Association of Insurance Commissioners (NAIC) Version: Model Law #668 (2017)

NAIC Insurance Data Security → SP 800-53 SP 800-53 → NAIC Insurance Data Security Coverage Analysis

Clause	Title	SP 800-53 Controls
3	Definitions	RA-02 PM-05 PM-11 PT-03 PT-04 CM-08 CM-12
4	Information Security Program — Comprehensive Written Program	PM-01 PM-02 PM-03 PM-04 PM-06 PM-09 PM-11 PM-14 PL-01 PL-02 PL-07 PL-08 CA-02 CA-05 CA-07 RA-01 RA-03 SI-04 SC-07 IR-04 CP-02
4-access	Access Controls and Authentication	AC-01 AC-02 AC-03 AC-05 AC-06 AC-07 AC-11 AC-17 AC-19 AC-20 IA-01 IA-02 IA-04 IA-05 IA-08 PS-04 PS-05
4-asset	Asset Management and Data Governance	CM-08 CM-12 CM-13 PM-05 MP-06 SI-12 SA-22 PT-03
4-audit	Audit Trail and Logging	AU-02 AU-03 AU-04 AU-05 AU-06 AU-07 AU-08 AU-09 AU-11 AU-12 SI-04 AC-06 AC-17
4-config	System Configuration and Change Management	CM-01 CM-02 CM-03 CM-04 CM-05 CM-06 CM-07 CM-09 SA-03 SA-08 SA-11 SA-15
4-encryption	Encryption of Nonpublic Information	SC-08 SC-12 SC-13 SC-28 MP-04 MP-05
4-monitoring	Monitoring and Testing	SI-03 SI-04 SI-05 CA-02 CA-07 CA-08 RA-05 RA-07 PM-14 SC-07 SC-44
4-personnel	Personnel Security and Staffing	PM-02 PM-13 PS-01 PS-02 PS-03 PS-04 PS-05 PS-06 PS-07 SA-09
4-training	Security Awareness Training	AT-01 AT-02 AT-03 AT-04 AT-06 PM-13 PM-14 PL-04
4A	Risk Assessment	RA-01 RA-02 RA-03 RA-05 RA-07 RA-09 PM-08 PM-09 PM-16 CA-02 CA-05 CA-07
4B	Risk Management — Security Program Design	PL-02 PL-08 PL-09 AC-01 AC-02 AC-03 AC-04 AC-05 AC-06 IA-01 IA-02 IA-04 IA-05 SC-07 SC-08 SC-12 SC-13 SC-28 CM-02 CM-06 CM-07 SI-02 SI-03 SI-04 SI-07 AU-02 AU-03 AU-06 AU-12 MP-02 MP-04 MP-06 PE-02 PE-03 PE-06 AT-01 AT-02 AT-03 PS-03 PS-04 PS-06
4C	Oversight by Board of Directors	PM-02 PM-01 PM-03 PM-13 PM-29 PL-01 RA-01
4D	Oversight of Third-Party Service Provider Arrangements	SA-04 SA-09 SR-01 SR-02 SR-03 SR-05 SR-06 PS-07 CA-03 PM-30 PM-31 AC-20
4E	Program Adjustments	PM-01 PM-04 PM-06 PM-14 PL-02 PL-03 CA-02 CA-05 CA-07 RA-03 RA-07 CM-03 CM-04
4F-a	Incident Response Plan — Written Plan Requirements	IR-01 IR-02 IR-03 IR-04 IR-05 IR-06 IR-07 IR-08 PM-14
4F-b	Incident Response Plan — Business Continuity and Disaster Recovery	CP-01 CP-02 CP-03 CP-04 CP-06 CP-07 CP-09 CP-10 IR-04
5	Investigation of a Cybersecurity Event	IR-04 IR-05 IR-06 AU-06 AU-07 SI-04 SI-07 CA-07 PM-14
6-a	Notification to Commissioner of Insurance	IR-06 PM-26 AU-06
6-b	Notification to Consumers	IR-06 PT-04 PT-05 PM-20 PM-22
7	Power of Commissioner	CA-02 CA-07 AU-01 AU-09 PM-01
8	Confidentiality	PT-01 PT-03 PT-04 AC-04 AC-21 SI-12
9	Exceptions	PM-01 PM-11 PL-02 PL-10
10	Penalties	PM-01 PS-08 PL-04