
NIST CSF 2.0 assessments: a strategic tool for insurance organizations

Article summary

  • Insurance organizations face heightened cybersecurity and regulatory pressure, making a structured, defensible security program increasingly important. 
  • NIST CSF 2.0 provides a practical framework for insurers and aligns closely with NAIC Model Law #668, while also supporting NYDFS 23 NYCRR 500 compliance efforts. 
  • Larson & Company helps insurers assess their current state, identify gaps, prioritize remediation, strengthen third-party risk oversight, and support board-level reporting and required documentation. 
  • With Model Law #668 expanding across states and ransomware threats continuing to rise, a NIST CSF 2.0 assessment helps insurers improve readiness before regulatory or security issues escalate. 

Satisfy regulators. Protect policyholders. Build a defensible security program.

The Cybersecurity Challenge for Insurers

Insurance organizations occupy a uniquely high-risk position in the cybersecurity landscape. You hold sensitive personal, financial, and health data on millions of individuals, making you a prime target. At the same time, you face a layered and growing regulatory environment that holds you accountable for how you protect that data.

The good news: the NIST Cybersecurity Framework 2.0 is one of the most effective tools available to meet these challenges head-on. It provides a structured, risk-based approach that maps directly onto what insurance regulators are asking of you.

The NAIC's Endorsement of NIST CSF

The National Association of Insurance Commissioners (NAIC) has explicitly endorsed the NIST Cybersecurity Framework as a recognized approach for satisfying cybersecurity program requirements. Because the Insurance Data Security Model Law (Model Law #668) is complex, many of our clients find it much easier to demonstrate compliance by building their program on an industry-recognized standard such as NIST CSF.

A NIST CSF 2.0 assessment from Larson & Company is designed specifically to support your compliance posture under Model Law #668 and state-level implementing regulations.

Understanding NAIC Model Law #668

The Insurance Data Security Model Law (#668), developed by the NAIC, establishes baseline data security requirements for insurance licensees. Its key obligations include:

  • Developing and maintaining a comprehensive written Information Security Program based on risk assessment.
  • Conducting regular risk assessments to identify reasonably foreseeable internal and external threats.
  • Implementing administrative, technical, and physical safeguards commensurate with identified risks.
  • Overseeing the security practices of third-party service providers with access to nonpublic information.
  • Establishing an Incident Response Plan to respond to cybersecurity events.
  • Notifying the Insurance Commissioner of cybersecurity events within required timeframes.

Model Law #668 has been adopted by over 20 states and continues to expand. If you operate across state lines, there is a strong likelihood that at least some of your operations are already subject to its requirements.

How NIST CSF 2.0 Maps to Model Law #668

Every major obligation under Model Law #668 has a clear counterpart in NIST CSF 2.0. With a NIST CSF 2.0 assessment, you can improve your security posture and build a defensible, documented record of compliance that reduces the effort your compliance team spends preparing for regulatory exams.

Each entry below lists the NAIC Model Law #668 article, the NIST CSF 2.0 function(s) it maps to, and a description of the mapping.

  • Article III – Information Security Program → GOVERN, IDENTIFY, PROTECT: Requires a comprehensive written information security program; CSF 2.0 Govern and Identify provide the structure.

  • Article IV – Risk Assessment → IDENTIFY: Mandates regular risk assessments; directly maps to the IDENTIFY function's risk management categories.

  • Article V – Risk Management → GOVERN, PROTECT, DETECT: Requires controls commensurate with risk; PROTECT and DETECT categories fulfill this requirement.

  • Article VI – Oversight of Third-Party Providers → GOVERN, IDENTIFY: Vendor and third-party risk oversight aligns with the supply chain risk management subcategories.

  • Article VII – Incident Response Plan → RESPOND, RECOVER: Formal IR plan requirement maps directly to the RESPOND and RECOVER functions.

  • Article VIII – Annual Certification → GOVERN: Board/leadership accountability and annual reporting align with NIST CSF 2.0's new Govern function.

Beyond the NAIC: NYDFS 23 NYCRR 500

For insurers operating in New York, the New York Department of Financial Services (NYDFS) Cybersecurity Regulation, 23 NYCRR 500, imposes some of the most stringent requirements in the country, including mandatory annual certifications, penetration testing, and multi-factor authentication requirements.

NIST CSF 2.0 is broadly compatible with NYDFS 500's risk-based approach, and a thorough assessment creates substantial documentation value for your NYDFS compliance program. Larson & Company can help you understand where your NIST CSF work translates directly to NYDFS obligations and where additional, specific steps may be needed.

What Larson & Company Delivers for Insurers

Our insurance-focused NIST CSF 2.0 assessment is built to serve both your security program and your regulatory obligations simultaneously:

  • Current-State Assessment across all six NIST CSF 2.0 functions — with findings presented in terms regulators understand.

  • Regulatory Cross-Reference: We can map your NIST CSF findings to Model Law #668 articles and, where applicable, NYDFS 500 requirements, so you know exactly where you stand.

  • Gap Analysis & Risk-Prioritized Roadmap: Remediation recommendations are prioritized by risk and regulatory urgency, not just technical severity.

  • Board & Executive Reporting: We translate findings into materials your leadership team can act on and use for annual certification purposes.

  • Third-Party/Vendor Risk Review: We assess your oversight program for third-party service providers, a specific requirement under Model Law #668 Article VI.

  • Documentation Support: We help you build and strengthen the written Information Security Program documentation required under Model Law #668 Article III.

Why Act Now?

State adoption of NAIC Model Law #668 continues to expand. Enforcement activity is increasing. And ransomware and data extortion attacks targeting the insurance sector reached record levels in 2023 and 2024. A NIST CSF 2.0 assessment positions you ahead of both the threat landscape and the regulatory curve.

Let's talk about your program. Contact Greg Marks for more information.


Frequently Asked Questions About NIST CSF 2.0

How does NIST CSF 2.0 align with insurance regulations?
The framework supports compliance with the NAIC Insurance Data Security Model Law #668, as well as other regulations like GLBA and NYDFS 23 NYCRR 500. A formal NIST CSF 2.0 assessment demonstrates that insurers have a documented, defensible cybersecurity program, which is increasingly expected during state regulatory exams.

Why should insurers conduct a formal NIST CSF 2.0 assessment instead of just reading the framework?
A formal assessment establishes a baseline of current cybersecurity posture, uncovers blind spots, prioritizes critical improvements, and documents controls for regulatory review. Unlike reading the framework, assessments provide actionable insights and a roadmap for continuous improvement.

What are the risks of delaying a NIST CSF 2.0 assessment?
Delaying an assessment increases exposure to cyberattacks, regulatory penalties, and reputational damage. Insurers may face higher capital or reinsurance costs and struggle to demonstrate preparedness to regulators, boards, and policyholders during an incident. Conducting an assessment now reduces these risks and strengthens the organization’s cybersecurity foundation.