By Industry · Insurance

GRC where every state writes its own cyber law

Insurers and agents answer to a cybersecurity law all their own. The NAIC Insurance Data Security Model Law is spreading state by state, each licensee must run a formal information security program and report events to its insurance commissioner, and the banking-side rules still apply on top.

The landscape

Your own regulator, one state at a time

Insurance has its own cybersecurity regime. The NAIC Insurance Data Security Model Law, now adopted in some twenty-five states, requires every licensed insurer and agent to build a documented information security program, investigate cybersecurity events, and notify the state insurance commissioner within 72 hours of a material one. New York's DFS Part 500 applies to insurers there, GLBA protects customer financial data, and SOC 2 and ISO 27001 back it all up.

NAIC Model Law NYDFS Part 500 GLBA SOC 2 ISO 27001 NIST CSF State privacy PCI DSS
25
the number of states that have adopted the NAIC Insurance Data Security Model Law, each expecting a formal security program and prompt breach notice to its own commissioner, a patchwork that keeps growing.

The patchwork is the challenge. Each state's version of the model law is a little different, and an insurer operating across state lines has to satisfy all of them, plus the banking-style regulators, plus new NAIC amendments now targeting artificial intelligence and third-party data. It is the same underlying program, answered many ways.

Why it is hard

One program, many commissioners

A multi-state insurer can owe an information security program, event investigation, and 72-hour notification to a dozen different insurance commissioners, each on its own terms, while also meeting NYDFS, GLBA, and the security questionnaires that carriers and reinsurers send. It is one security posture proven over and over.

Managed separately, that is duplicated evidence, a different filing for every state, and a program that struggles to keep up as more states adopt the model and amend it.

How SimpleRisk fits

One control library, every obligation

SimpleRisk treats insurance GRC the way it should be treated: as one connected set of controls, mapped once and proven to whichever commissioner, regulator, or carrier is asking.

  • Map once, satisfy many. Through the Secure Controls Framework, one control maps across the NAIC Model Law, NYDFS, GLBA, SOC 2, and 250-plus frameworks, so you test once and satisfy many at the same time.
  • Cover every state from one program. Map the same controls to each state's version of the law, so multi-state compliance is one effort, not many.
  • Report events fast. Keep the evidence and mapping ready, so a 72-hour notification to a commissioner is straightforward, not a scramble.
  • Prove it on demand. Define tests, run audits, and produce what any commissioner, auditor, or carrier asks for.

Satisfy every commissioner from one platform

Start a free trial or book a demo, and see how SimpleRisk maps your controls across every framework an insurer has to meet.

Start a free trial