article summary
- Insurance organizations face heightened cybersecurity and regulatory pressure, making a structured, defensible security program increasingly important.
- NIST CSF 2.0 provides a practical framework for insurers and aligns closely with NAIC Model Law #668, while also supporting NYDFS 23 NYCRR 500 compliance efforts.
- Larson & Company helps insurers assess their current state, identify gaps, prioritize remediation, strengthen third-party risk oversight, and support board-level reporting and required documentation.
- With Model Law #668 expanding across states and ransomware threats continuing to rise, a NIST CSF 2.0 assessment helps insurers improve readiness before regulatory or security issues escalate.
Satisfy regulators. Protect policyholders. Build a defensible security program.
The Cybersecurity Challenge for Insurers
Insurance organizations occupy a uniquely high-risk position in the cybersecurity landscape. You hold sensitive personal, financial, and health data on millions of individuals, making you a prime target. At the same time, you face a layered and growing regulatory environment that holds you accountable for how you protect that data.
The good news: the NIST Cybersecurity Framework 2.0 is one of the most effective tools available to meet these challenges head-on. It provides a structured, risk-based approach that maps directly onto what insurance regulators are asking of you.
The NAIC's Endorsement of NIST CSF
The National Association of Insurance Commissioners (NAIC) has explicitly endorsed the NIST Cybersecurity Framework as a recognized approach for satisfying cybersecurity program requirements. The NAIC's Insurance Data Security Model Law (Model Law #668), now adopted in a growing number of states, does not prescribe a specific technical standard, but NIST CSF 2.0 is widely recognized as a leading framework for meeting its requirements.
A NIST CSF 2.0 assessment from Larson & Company is designed specifically to support your compliance posture under Model Law #668 and state-level implementing regulations.
Understanding NAIC Model Law #668
The Insurance Data Security Model Law (#668), developed by the NAIC, establishes baseline data security requirements for insurance licensees. Its key obligations include:
- Developing and maintaining a comprehensive written Information Security Program based on risk assessment.
- Conducting regular risk assessments to identify reasonably foreseeable internal and external threats.
- Implementing administrative, technical, and physical safeguards commensurate with identified risks.
- Overseeing the security practices of third-party service providers with access to nonpublic information.
- Establishing an Incident Response Plan to respond to cybersecurity events.
- Notifying the Insurance Commissioner of cybersecurity events within required timeframes (the model text sets an outer limit of 72 hours from the determination that a cybersecurity event has occurred).
- Providing an annual certification of compliance by the board or a senior officer.
Model Law #668 has been adopted by over 20 states and continues to expand. If you operate across state lines, there is a strong likelihood that at least some of your operations are already subject to its requirements.
How NIST CSF 2.0 Maps to Model Law #668
Every major obligation under Model Law #668 has a clear counterpart in NIST CSF 2.0. A CSF assessment does not just improve your security posture — it builds a documented, auditable record of compliance.
| NAIC Model Law #668 Article | NIST CSF 2.0 Function(s) | Description |
|---|---|---|
| Article III – Information Security Program | GOVERN, IDENTIFY, PROTECT | Requires a comprehensive written information security program; CSF 2.0 GOVERN and IDENTIFY provide the structure, and PROTECT supplies the safeguards the program documents. |
| Article IV – Risk Assessment | IDENTIFY | Mandates regular risk assessments; maps directly to the IDENTIFY function's Risk Assessment category (ID.RA). |
| Article V – Risk Management | GOVERN, PROTECT, DETECT | Requires controls commensurate with risk; GOVERN sets risk tolerance, and the PROTECT and DETECT categories supply the safeguards and monitoring that satisfy it. |
| Article VI – Oversight of Third-Party Providers | GOVERN, IDENTIFY | Vendor and third-party risk oversight aligns with the Cybersecurity Supply Chain Risk Management category (GV.SC) and the asset and risk identification work in IDENTIFY. |
| Article VII – Incident Response Plan | RESPOND, RECOVER | Formal IR plan requirement maps directly to the RESPOND and RECOVER functions. |
| Article VIII – Annual Certification | GOVERN | Board/leadership accountability and annual reporting align with the GOVERN function introduced in CSF 2.0. |
Beyond the NAIC: NYDFS 23 NYCRR 500
For insurers operating in New York, the New York Department of Financial Services (NYDFS) Cybersecurity Regulation — 23 NYCRR 500 — imposes some of the most stringent requirements in the country, including mandatory annual certifications, penetration testing, and multi-factor authentication requirements.
NIST CSF 2.0 is broadly compatible with NYDFS 500's risk-based approach, and a thorough CSF assessment creates substantial documentation value for your NYDFS compliance program. Larson & Company can help you understand where your NIST CSF work translates directly to NYDFS obligations and where additional, specific steps may be needed.
What Larson & Company Delivers for Insurers
Our insurance-focused NIST CSF 2.0 assessment is built to serve both your security program and your regulatory obligations simultaneously:
- Current-State Assessment across all six CSF 2.0 functions — with findings presented in terms regulators understand.
- Regulatory Cross-Reference: We can map your CSF findings to Model Law #668 articles and, where applicable, NYDFS 500 requirements, so you know exactly where you stand.
- Gap Analysis & Risk-Prioritized Roadmap: Remediation recommendations are prioritized by risk and regulatory urgency, not just technical severity.
- Board & Executive Reporting: We translate findings into materials your leadership team can act on and use for annual certification purposes.
- Third-Party/Vendor Risk Review: We assess your oversight program for third-party service providers, a specific requirement under Model Law #668 Article VI.
- Documentation Support: We help you build and strengthen the written Information Security Program documentation required under Model Law #668 Article III.
Why Act Now?
State adoption of NAIC Model Law #668 continues to expand. Enforcement activity is increasing. And ransomware and data extortion attacks targeting the insurance sector reached record levels in 2023 and 2024. A NIST CSF 2.0 assessment positions you ahead of both the threat landscape and the regulatory curve — not scrambling to catch up.
Let's talk about your program. Contact Greg Marks for more information.
Frequently Asked Questions About NIST CSF 2.0
How does NIST CSF 2.0 align with insurance regulations?
The framework supports compliance with the NAIC Insurance Data Security Model Law #668, as well as other regulations like GLBA and NYDFS 23 NYCRR 500. A formal CSF 2.0 assessment demonstrates that insurers have a documented, defensible cybersecurity program, which is increasingly expected during state regulatory exams.
Why should insurers conduct a formal CSF 2.0 assessment instead of just reading the framework?
A formal assessment establishes a baseline of current cybersecurity posture, uncovers blind spots, prioritizes critical improvements, and documents controls for regulatory review. Unlike reading the framework, assessments provide actionable insights and a roadmap for continuous improvement.
What benefits does the Govern function provide to insurance companies?
The Govern function establishes board and executive accountability, covers supply chain and third-party risk management, and supports strategic decision-making. It gives insurers a structured way to identify weaknesses in vendors and internal processes before they are exploited, improving overall cyber resilience.
What are the risks of delaying a NIST CSF 2.0 assessment?
Delaying an assessment increases exposure to cyberattacks, regulatory penalties, and reputational damage. Insurers may face higher capital or reinsurance costs and struggle to demonstrate preparedness to regulators, boards, and policyholders during an incident. Conducting an assessment now reduces these risks and strengthens the organization’s cybersecurity foundation.
Greg Marks is a Risk Assurance Manager at Larson & Company. He specializes in cybersecurity, SOC, and IT audits for insurance companies and other industries.