NAIC Cybersecurity Model Law Academy
Stay at the forefront of cybersecurity compliance by attending the NAIC Cybersecurity Model Law Academy. This comprehensive program equips insurance professionals and IT security specialists with the expertise needed to implement effective cybersecurity risk management strategies. With 12 CPE credits on offer, this course provides the tools and insights you need to excel in managing regulatory demands while safeguarding sensitive data.
Why Join the NAIC Cybersecurity Model Law Academy?
1. Gain Expertise in NAIC Cybersecurity Regulations
- Understand the NAIC Insurance Data Security Model Law, including its goals, requirements, and how it compares to New York's Section 500 regulations.
- Learn the critical components of an effective Information Security Program (ISP), from risk assessments to breach response strategies.
2. Build a Strong Cybersecurity Framework
- Deep-dive into creating and enhancing cybersecurity controls in your organization.
- Implement best practices for securing sensitive customer data, managing third-party risks, and ensuring compliance with NAIC standards.
3. Enhance Professional Credibility
- Demonstrate your commitment to professional growth and cybersecurity excellence by earning 12 NASBA-certified CPE credits.
What You’ll Learn
This engaging two-day live webinar, led by seasoned experts, combines theoretical knowledge with actionable strategies to help you build a robust cybersecurity risk management program.
Key Topics Include:
1. Understanding NAIC Cybersecurity Standards
- Explore the purpose and scope of the NAIC Insurance Data Security Model Law and how it applies to insurance organizations.
- Compare NAIC requirements to New York’s Section 500 standards for cybersecurity.
2. Designing Effective Cybersecurity Programs
- Learn the essential elements of an ISP, including data classification, breach notification plans, and continuous monitoring.
- Get practical guidance on conducting cybersecurity risk assessments and implementing strong internal controls.
3. Optimizing Governance and Leadership
- Discover how board oversight, risk tolerance, and cybersecurity frameworks enhance organizational decision-making and compliance.
- Understand the board’s role in maintaining cybersecurity maturity and resilience.
4. Incident Response and Preparedness
- Master the essential steps to develop and execute an incident response plan, from preparation to post-event evaluation.
- Learn how to create a "world-class" response team that mitigates risks and ensures operational continuity.
5. Preparing for Annual Certifications
- Learn how to meet the annual certification requirements outlined in the NAIC regulations and effectively communicate compliance achievements to regulators.
Course Details
- Schedule: Two six-hour online sessions held every eight weeks (Wednesday-Thursday, 9 a.m.–3 p.m. CST) with a 30-minute lunch break each day.
- Delivery Format: Live, interactive virtual training with group discussions and Q&A opportunities.
- Fee: $825 per attendee.
- Custom Options: Private training sessions available for groups of two or more.
Bonus: Attendees will receive 35 valuable documents used in the creation of the academy, offering templates and resources to support your cybersecurity framework.
Who Should Attend?
This course is ideal for:
- Insurance Professionals looking to strengthen their understanding of cybersecurity regulations.
- IT Security Specialists aiming to enhance their skills in developing and managing cybersecurity programs.
- Risk Managers and Compliance Officers responsible for ensuring organizational compliance with NAIC standards.
- Project Leaders and Directors seeking actionable strategies for protecting sensitive data.
No prior cybersecurity experience is required, making this academy accessible to professionals with varied backgrounds.
Why Cybersecurity Matters for the Insurance Industry
The insurance sector faces rising threats from cyberattacks, making robust cybersecurity measures vital. Effective implementation of the NAIC Model Law helps organizations:
- Safeguard Sensitive Information: Protect nonpublic customer data from breaches and unauthorized access.
- Meet Regulatory Demands: Achieve compliance with stringent standards enforced at state and federal levels.
- Improve Organizational Trust: Build stronger relationships with stakeholders by demonstrating a commitment to data security and compliance.
Register Today to Lead in Cybersecurity
Don’t miss your chance to gain the insights and credentials that set you apart in the evolving field of insurance cybersecurity. The NAIC Cybersecurity Model Law Academy provides the tools you need to manage risks effectively and ensure compliance with confidence.
Reserve your spot now to earn 12 CPE credits, access actionable knowledge, and protect your organization's data in today’s challenging cybersecurity landscape!
Details on Event Presentation
Offered on Wednesday-Thursday once every eight weeks in two six hour sessions for 12 CPE credits.
The sessions will run from 9:00 a.m. to 3:00 p.m. Central Time Zone.
There will be a lunch break from 12:00 noon to 12:30 p.m. each day.
We can schedule private events on your timetable for two or more attendees.
CPE Event Highlights
We will cover the elements of an effective cybersecurity program:
-
What are the NAIC goals with this Act?
-
How does this Act compare to New York State Regulation Section 500?
-
Which organizations fall under the Act's provisions?
-
What is the definition of "cybersecurity event".
-
What is contained in an "Information Security Program".
-
What is nonpublic information under an information security program?
-
What is "publicly available information"?
-
How do you approach creating a cybersecurity risk assessment?
-
What are the eleven enumerated security measures?
-
What does continuous monitoring mean?
-
What Board of Director's oversight is required?
-
What certification is required?
-
Learning Objectives
Attendees will:
- See how cybersecurity is an evolving art.
- Understand cybersecurity risk assessment
- Have examples for the minimum standards
- Know the components of an effective program
- Have an approach to controls at third party providers
- Have a example incident reporting and notification plan
Key Issues on the Agenda
Introduction and Overview
- Cyber Risk Standards
Concepts and Definitions
- What is "Information Technology"?
- Risk Appetite
- Risk Tolerance
- What is an "Information Security Program"?
- What is "Non-Public Information"?
- The NAIC's 12 Principles of Cybersecurity
- SIFMA Principles of cybersecurity Regulation
- Insurance Data Security Model Law by Section
- New York State Section 500
- Comparison of NAIC to Section 500
Initiating the Improvement of an Information Security Program (ISP)
- NAIC Model Law Section 4a - Implementation of an ISP
- SLCA - Creating the Appropriate Environment
- Where did the "Current State" come from?
- How good is our Risk Assessment?
- NAIC Model Law Section 4b - Objectives of an ISP
- What questions do you start with?
- Cyber Threats by the Numbers
- NAIC Model Law Section 4e - Oversight by the Board of Directors
- Key Principles of Cyber Risk Oversight per the NACD
- NAIC Model Law Section 4f - Oversight of Third-Party Service Providers
- NAIC Model Law Section 4h - Incident Response Plan
Define the Problems and Opportunities
- The Effects of "Moore's Laws"
- SDLC - Program Management
- The Usual Suspects - cybersecurity Issues . Measuring the Maturity of Internal Controls
- Internal Breaches
- External Breaches
- Business Alignment Issues
- Governance and Leadership Issues
- Extended Ecosystem Issues
Deep Dive into The Issues
- Oversight by the Board of Directors
- Mission Statement - Explicit Values - Business Model . Ethics
- Authorized Individuals
- User Access and Passwords
- Desktop Management
- Email Management
- Mobile Device Management
- "WiFi"
- Cyber Attacks
The Effective Information Security Program Management
- NAIC Model Law Section 4g - Program Adjustments
- How do we manage the Program?
- Project Scoping
- Governance
- Cybersecurity Domains
- Resources
The Information Security Program
- NAIC Model Law Section 4d - Risk Management
- Strategic Management Elements
- Tactical Management Elements
- Operational Management Elements
- Data Assets
- Security Policies
- Physical Security Items
- Personnel Security Items
- System & Application Items
- NIST System Security Plan Standards
- System & Software Life Cycle
- Configuration Management
- Training & Awareness Program
- System Documentation
- Disaster Recovery & Business Continuity
Review The Effectiveness
- Business Objective - Risks - Controls . NAIC Model Law Section 4g - Program Adjustments
- NAIC Model Law Section 4i - Annual Certification
- What is Effectiveness?
- The InfoSec Maturity Model
- FFIEC Cybersecurity Assessment Tool
- Maturity Levels of the Internal Controls
- Inherent Risk Profile
- Technologies & Connection Types
- Online & Mobile Products & Technology Services
- Organizational Characteristics
- Inherent Risk Profile
- The Five Risk Response Domains
- How is your Cybersecurity IC Maturity?
- Cyber Risk Management & Oversight Domain
- Threat Intelligence & Collaboration Domain
- Cybersecurity Controls Domain
- External Dependency Management Domain
- Cyber Incident Management & Resilience Domain
- Innovative - Advanced - Intermediate - Evolving - Baseline Levels
- Cybersecurity Inherent Risk & IC Maturity Relationship
- Management Assessment Results
- Certification & Accreditation Program
Incident Response to a Cybersecurity Event
- NAIC Model Law Section 4h - Incident Response Plan
- Who is on the "Team"?
- Key Layers of Management's Response
- What are the "Goals" for the Team?
- The Skills - The World Class Response Team
- Preparation
- The Observe - Orient - Decide - Act (O.O.D.A.) Methodology in Detail
- Incident Response Procedures
- SANS Institute "Jumpbag" Recommendations
- Post-Event Recommendations
SOC for Cybersecurity - AICPA Standards and Guidance
- AICPA's Three Key Components
- AICPA - SOC for Cybersecurity Resources
- Difference Between Cybersecurity and Information Security
- AICPA Objectives
- Three Reporting Levels - Entity - Service Provider - Supply Chain
- Two Sets of Criteria
- Cybersecurity Program Descriptive Criteria
- Cybersecurity Program Control Criteria
- Trust Services Approach to COSO 2103
- Trust Services Additional Points of Focus within COSO 2103Trust Services Supplemental Criteria
- Components of the Cybersecurity Report
- Management's Description
- Management's Assertion
- The Practitioner's Opinion
Summary and Wrap-Up
NASBA Program Disclosure
Program Level of Understanding: Basic
Prerequisites: None
Advance Preparation: None
Delivery Format: Group Internet Based
NASBA Field(s) of Study: Auditing, Information Technology
CPE Credits: 12, based on 50 minutes of instruction per hourSummary of the Subject Matter
The insurance industry is subject to various regulations and laws that require them to protect sensitive customer information and maintain the confidentiality, integrity, and availability of their systems and data. To meet these requirements, many insurance companies have implemented information security and cybersecurity programs. These programs typically include measures such as risk assessments, incident response plans, security awareness training for employees, and regular security audits and testing. Additionally, many insurance companies have implemented advanced security technologies such as firewalls, intrusion detection systems, and encryption to protect their networks and data from cyber threats.