NAIC Cybersecurity Model Law Academy

New cybersecurity risk management regulations for insurance companies are here.


The National Association of Insurance Commissioners (NAIC) approved the Insurance Data Security Model Law, and in March 2017 the State of New York placed into effect Section 500 of Title 23 of the Official Compilation of Codes.


"Computers, software, programming and algorithms are all parts of a cybersecurity risk program, but it is the interaction with 'humans' that makes all the difference in the world."


NAIC's model law requires insurance organizations to have everything from information security program policies to incident response plans to specific breach notification procedures. Insurance organizations will now have to certify compliance to state insurance commissioners annually. Now that NAIC's model law is heading for adoption, it is crucial to understand how it might apply to your organization. It is also imperative to learn what you can do now to start preparing for compliance.


This event focuses on describing the effective components of a modern cybersecurity risk management program. Participants will be prepared to start the evaluation of an existing program. They will then be able to discuss with senior management, the audit committee, and the board of directors how to proceed with improving cybersecurity risk management. We consider five main components of an effective risk management program: data, control implementation, verification, breach preparedness and risk management.


This comprehensive training course is for anyone who wants to have a strong base of knowledge and understanding of the essentials of a cybersecurity risk management program.


This timely CPE virtual training is for project directors, project leaders, and all other individuals responsible for creating an effective cybersecurity program and its associated documents for an insurance organization. Each attendee will be sent home with a set of 35 documents that were used to create the academy.


This internal control training course will provide each attendee with 12 CPE Event Hours (YB). A certificate of completion will be provided.

  • Details on Event Presentation

    Offered on Wednesday-Thursday once every six weeks in two six-hour sessions for 12 CPE credits.

    The sessions will run from 9:00 a.m. to 3:00 p.m. Central Time Zone. There will be a lunch break from 12:00 noon to 12:30 p.m. each day.

    We can schedule private events on your timetable for two or more attendees.

  • CPE Event Highlights

    We will cover the elements of an effective cybersecurity program:

    • What are the NAIC goals with this Act?

    • How does this Act compare to New York State Regulation Section 500?

    • Which organizations fall under the Act's provisions?

    • What is the definition of a "cybersecurity event"?

    • What is contained in an "Information Security Program"?

    • What is nonpublic information under an information security program?

    • What is "publicly available information"?

    • How do you approach creating a cybersecurity risk assessment?

    • What are the eleven enumerated security measures?

    • What does continuous monitoring mean?

    • What Board of Directors oversight is required?

    • What certification is required?

  • Learning Objectives

    Attendees will:

    • See how cybersecurity is an evolving art
    • Understand cybersecurity risk assessment
    • Have examples for the minimum standards
    • Know the components of an effective program
    • Have an approach to controls at third party providers
    • Have an example incident reporting and notification plan
  • Key Issues on the Agenda

    Introduction and Overview

    • Cyber Risk Standards

    Concepts and Definitions

    • What is "Information Technology"?
    • Risk Appetite
    • Risk Tolerance
    • What is an "Information Security Program"?
    • What is "Non-Public Information"?
    • The NAIC's 12 Principles of Cybersecurity
    • SIFMA Principles of Cybersecurity Regulation
    • Insurance Data Security Model Law by Section
    • New York State Section 500
    • Comparison of NAIC to Section 500

    Initiating the Improvement of an Information Security Program (ISP)

    • NAIC Model Law Section 4a - Implementation of an ISP
    • SLCA - Creating the Appropriate Environment
    • Where did the "Current State" come from?
    • How good is our Risk Assessment?
    • NAIC Model Law Section 4b - Objectives of an ISP
    • What questions do you start with?
    • Cyber Threats by the Numbers
    • NAIC Model Law Section 4e - Oversight by the Board of Directors
    • Key Principles of Cyber Risk Oversight per the NACD
    • NAIC Model Law Section 4f - Oversight of Third-Party Service Providers
    • NAIC Model Law Section 4h - Incident Response Plan

    Define the Problems and Opportunities

    • The Effects of "Moore's Laws"
    • SDLC - Program Management
    • The Usual Suspects - Cybersecurity Issues
    • Measuring the Maturity of Internal Controls
    • Internal Breaches
    • External Breaches
    • Business Alignment Issues
    • Governance and Leadership Issues
    • Extended Ecosystem Issues

    Deep Dive into The Issues

    • Oversight by the Board of Directors
    • Mission Statement - Explicit Values - Business Model
    • Ethics
    • Authorized Individuals
    • User Access and Passwords
    • Desktop Management
    • Email Management
    • Mobile Device Management
    • "WiFi"
    • Cyber Attacks

    The Effective Information Security Program Management

    • NAIC Model Law Section 4g - Program Adjustments
    • How do we manage the Program?
    • Project Scoping
    • Governance
    • Cybersecurity Domains
    • Resources

    The Information Security Program

    • NAIC Model Law Section 4d - Risk Management
    • Strategic Management Elements
    • Tactical Management Elements
    • Operational Management Elements
    • Data Assets
    • Security Policies
    • Physical Security Items
    • Personnel Security Items
    • System & Application Items
    • NIST System Security Plan Standards
    • System & Software Life Cycle
    • Configuration Management
    • Training & Awareness Program
    • System Documentation
    • Disaster Recovery & Business Continuity

    Review The Effectiveness

    • Business Objective - Risks - Controls
    • NAIC Model Law Section 4g - Program Adjustments
    • NAIC Model Law Section 4i - Annual Certification
    • What is Effectiveness?
    • The InfoSec Maturity Model
    • FFIEC Cybersecurity Assessment Tool
    • Maturity Levels of the Internal Controls
    • Inherent Risk Profile
    • Technologies & Connection Types
    • Online & Mobile Products & Technology Services
    • Organizational Characteristics
    • Inherent Risk Profile
    • The Five Risk Response Domains
    • How is your Cybersecurity IC Maturity?
    • Cyber Risk Management & Oversight Domain
    • Threat Intelligence & Collaboration Domain
    • Cybersecurity Controls Domain
    • External Dependency Management Domain
    • Cyber Incident Management & Resilience Domain
    • Innovative - Advanced - Intermediate - Evolving - Baseline Levels
    • Cybersecurity Inherent Risk & IC Maturity Relationship
    • Management Assessment Results
    • Certification & Accreditation Program

    Incident Response to a Cybersecurity Event

    • NAIC Model Law Section 4h - Incident Response Plan
    • Who is on the "Team"?
    • Key Layers of Management's Response
    • What are the "Goals" for the Team?
    • The Skills - The World Class Response Team
    • Preparation
    • The Observe - Orient - Decide - Act (O.O.D.A.) Methodology in Detail
    • Incident Response Procedures
    • SANS Institute "Jumpbag" Recommendations
    • Post-Event Recommendations

    SOC for Cybersecurity - AICPA Standards and Guidance

    • AICPA's Three Key Components
    • AICPA - SOC for Cybersecurity Resources
    • Difference Between Cybersecurity and Information Security
    • AICPA Objectives
    • Three Reporting Levels - Entity - Service Provider - Supply Chain
    • Two Sets of Criteria
    • Cybersecurity Program Descriptive Criteria
    • Cybersecurity Program Control Criteria
    • Trust Services Approach to COSO 2103
    • Trust Services Additional Points of Focus within COSO 2103
    • Trust Services Supplemental Criteria
    • Components of the Cybersecurity Report
    • Management's Description
    • Management's Assertion
    • The Practitioner's Opinion

    Summary and Wrap-Up

  • NASBA Program Disclosure

    Program Level of Understanding: Basic
    Prerequisites: None
    Advance Preparation: None
    Delivery Format: Group Internet Based
    NASBA Field(s) of Study: Auditing, Information Technology
    CPE Credits: 12, based on 50 minutes of instruction per hour

  • Summary of the Subject Matter

    The insurance industry is subject to various regulations and laws that require insurers to protect sensitive customer information and maintain the confidentiality, integrity, and availability of their systems and data. To meet these requirements, many insurance companies have implemented information security and cybersecurity programs. These programs typically include measures such as risk assessments, incident response plans, security awareness training for employees, and regular security audits and testing. Additionally, many insurance companies have implemented advanced security technologies such as firewalls, intrusion detection systems, and encryption to protect their networks and data from cyber threats.
