Strengthening the Foundation: The Value of NIST CSF 2.0

Written by Greg Marks | 24 Mar 2026

March 23, 2026

Article Summary

  • Insurance Industry Relevance: Insurers handle highly sensitive data and face growing cyber threats, making a structured cybersecurity framework essential for protecting policyholder information and maintaining operational resilience.
  • Regulatory Alignment: NIST CSF 2.0 aligns with the NAIC Insurance Data Security Model Law #668, GLBA, and NYDFS 23 NYCRR 500, helping insurers demonstrate compliance and prepare for regulatory examinations.
  • Value of Formal Assessments: Conducting a CSF 2.0 assessment delivers a defensible baseline, identifies blind spots, prioritizes remediation, supports board accountability, and establishes a continuous improvement cycle.
  • Strategic Benefits and Risks of Inaction: Beyond regulatory readiness, assessments improve vendor risk management, incident response preparedness, and executive oversight, while delaying action increases the likelihood of costly breaches, penalties, and reputational damage.

Introduction

If there is one industry that knows the value of managing risk, it’s insurance. Yet when it comes to cybersecurity, many insurers find themselves in the uncomfortable position of helping their clients prepare for the very threats they have not fully addressed within their own four walls.

The numbers tell the story. The insurance industry handles some of the most sensitive personal information in existence — Social Security numbers, medical histories, financial records, and beneficiary details. That data makes insurers a prime target, which is especially dangerous as cyberattacks against financial services firms, including insurers, have grown steadily in both frequency and cost, with ransomware, business email compromise, and third-party vendor breaches topping the list of concerns.

At the same time, regulators are paying closer attention than ever before. State insurance commissioners, informed by the National Association of Insurance Commissioners (NAIC), are pushing for more structured, defensible approaches to cybersecurity risk management. And the good news is that a clear, credible framework exists to help insurers rise to that challenge: the NIST Cybersecurity Framework 2.0.

This article explores what NIST CSF 2.0 is, why it matters for the insurance industry specifically, and most importantly, why now is the right time to invest in a formal assessment.

What Is NIST CSF 2.0?

The National Institute of Standards and Technology (NIST) first published its Cybersecurity Framework (CSF) in 2014 in response to a Presidential Executive Order aimed at improving the cybersecurity posture of critical infrastructure. It was updated in 2018 (version 1.1) and then significantly expanded and refreshed in February 2024 with the release of CSF 2.0.

The framework is built around six core functions that together describe a complete lifecycle approach to managing cybersecurity risk:

  • Govern: The newest addition in version 2.0, this function addresses organizational context, risk management strategy, cybersecurity roles and responsibilities, and supply chain risk. Its inclusion signals a clear shift toward executive and board-level accountability.
  • Identify: Understanding the organization's assets, data flows, and risk environment.
  • Protect: Implementing safeguards to limit or contain the impact of a cyber event.
  • Detect: Developing activities to identify the occurrence of a cybersecurity event in a timely manner.
  • Respond: Taking action regarding a detected cybersecurity incident.
  • Recover: Maintaining plans for resilience and restoring capabilities after a cyber incident.

One of CSF 2.0's greatest strengths is its flexibility: it can be adapted to organizations of different sizes and to different levels of risk tolerance. NIST CSF 2.0 provides a structured, adaptable vocabulary and roadmap that organizations of any size or sector can use to assess where they are and chart a course toward where they need to be. That is especially valuable for the insurance industry, where organizations range from small regional carriers to large, globally diversified groups with complex IT ecosystems.

The NAIC's Endorsement and the Regulatory Landscape

Insurance companies do not operate in a regulatory vacuum, and cybersecurity is no exception. The NAIC has been actively working on cybersecurity policy for over a decade, and its public cybersecurity resources explicitly reference NIST's framework as the standard for improving critical infrastructure cybersecurity — including within the insurance sector.

The NAIC's Insurance Data Security Model Law (#668), which has now been adopted by more than 20 states (and counting), requires licensed insurers to develop, implement, and maintain a comprehensive information security program; investigate cybersecurity events; and notify state commissioners when breaches occur. While the Model Law does not mandate NIST CSF specifically, the NAIC has referenced NIST CSF 2.0 as a tool to ensure that insurance companies are “effectively managing their cyber risks.” An insurer that has conducted a thorough CSF 2.0 assessment will be well-positioned to demonstrate compliance with the Model Law's requirements.

Beyond the NAIC's Model Law, the NIST CSF 2.0 framework aligns well with other regulatory and legal obligations insurers may face, including the Gramm-Leach-Bliley Act (GLBA) and the New York State Department of Financial Services (NYDFS) 23 NYCRR 500 cybersecurity regulation.

The direction of travel is clear. Regulators are moving toward expecting insurers to have a structured, documented, and tested information security program, and with the threat landscape as it is, we can see why. NIST CSF 2.0 provides the language and structure to meet that expectation, and conducting a formal assessment is how you demonstrate it.

Why a Formal Assessment — Not Just the Framework

There is an important distinction worth drawing here. Reading the NIST CSF 2.0 framework document is valuable, but often insufficient. Conducting a formal assessment against it can provide organizations with the opportunity to battle-test their processes and see where areas for improvement lie.

Here is what a formal assessment typically delivers:

  • A documented baseline: Before you can improve, you need to know where you stand. An assessment produces a defensible, auditable picture of your current cybersecurity posture across all six CSF functions.
  • Identification of blind spots: Organizations frequently discover gaps in areas they assumed were covered, often in the categories of Detect and Recover, where policies exist on paper but have never been tested in practice.
  • A prioritized roadmap: Not every gap carries equal risk. A well-run assessment helps you distinguish between critical gaps that need immediate attention and longer-term improvements that can be addressed in stride.
  • Regulatory defensibility: If a regulator or examiner asks how you manage cybersecurity risk, a completed CSF 2.0 assessment gives you a structured, documented answer. That matters enormously during financial exams and market conduct reviews. In some states this can reduce your liability in the event of a cyber incident and provide certain legal protections.
  • A foundation for ongoing improvement: NIST CSF is not a one-time exercise. An initial assessment establishes a baseline that future assessments can be measured against, enabling a genuine continuous improvement cycle.

In other words, knowing the framework is a good start, but enacting a formal assessment is what brings actual value to your organization.

Key Benefits for Insurance Companies Specifically

While NIST CSF 2.0 was designed to be broadly applicable, several of its benefits are especially relevant to the insurance industry.

Regulatory Readiness
State insurance examiners are increasingly asking about cybersecurity programs during financial condition and market conduct examinations. Insurers who have completed a CSF 2.0 assessment can point to a structured program with documented controls, gaps they are actively addressing, and a roadmap for improvement. That is a very different conversation than scrambling to pull together evidence after an examiner starts asking questions.

Third-Party and Vendor Risk
The new Govern function in CSF 2.0 places particular emphasis on cybersecurity supply chain risk management. For insurers, who rely on a large ecosystem of third-party administrators, claims processors, data vendors, and technology platforms, this is not a theoretical concern. Some of the most significant breaches in recent years have entered through vendor relationships. An assessment that honestly examines third-party risk will often surface vulnerabilities that internal-only reviews miss entirely.

Board and Executive Accountability
CSF 2.0's Govern function is a direct acknowledgment that cybersecurity is no longer purely an IT concern, but rather a governance issue. Assessment results give boards and senior leadership concrete, risk-informed metrics to work with, making it possible to have productive conversations about investment priorities, risk appetite, and accountability. For publicly traded or mutual insurance companies facing increased scrutiny from boards and regulators alike, that kind of structured reporting is invaluable.

Incident Response Preparedness
A formal assessment will shine a light on the Detect, Respond, and Recover functions — areas where many organizations discover significant gaps. The difference between identifying those gaps now versus during an actual incident is enormous. Insurers who have tested their incident response plans, ensured their communication protocols are in place, and confirmed their recovery capabilities are in a fundamentally better position when the inevitable happens.

The Cost of Inaction

It can be tempting to defer a cybersecurity assessment in the face of competing priorities and budget pressures. That calculus deserves a hard look.

Regulatory penalties for failing to comply with the NAIC Model Law and state-specific cybersecurity requirements are real and growing. More significantly, the reputational and financial consequences of a major data breach, particularly one involving policyholder health or financial data, can be severe and lasting. Litigation, credit monitoring costs, regulatory investigations, and customer attrition all add up very quickly.

There is also a market dynamic at play. As regulators, rating agencies, and reinsurers increasingly factor cybersecurity maturity into their assessments, insurers who cannot demonstrate a structured program may face consequences beyond fines, such as higher capital requirements, reinsurance pricing adjustments, or limitations on writing certain lines of business.

The real bottom line is that the question is not whether a cyber incident will affect your organization, but when, and how prepared you will be. Will you be able to demonstrate, to regulators, to your board, and to your policyholders, that you took reasonable and documented steps to prevent it and respond to it effectively?

Getting Started: What a NIST CSF 2.0 Assessment Looks Like

For those who have not been through a CSF assessment before, the process can feel daunting. In practice, it is far more approachable than many organizations expect.

Scoping
The first step is deciding what to assess. Enterprise-wide assessments provide the most comprehensive picture, but some organizations choose to start with a targeted scope — a critical business unit, the claims processing environment, or the systems that handle the most sensitive policyholder data. A phased approach can be practical for larger organizations.

The Assessment Process
A structured CSF 2.0 assessment typically flows through four phases: current state documentation, target state definition, gap analysis, and prioritized action planning. Interviews with business and IT stakeholders, review of existing policies and procedures, and technical testing (where appropriate) all feed into the current state picture. The target state reflects the organization's risk appetite and regulatory obligations. The gap between the two becomes the roadmap. Depending on an organization’s size, complexity, and risk tolerance, these phases can be worked through quickly and informally or treated as a focused, in-depth exercise.

Internal vs. Third-Party Assessors
Organizations can conduct CSF assessments internally, using their own cybersecurity staff, or engage an independent third party. Internal assessments are cost-effective and leverage institutional knowledge, but they can suffer from blind spots and confirmation bias. Third-party assessors bring fresh eyes, benchmarking data from peer organizations, and an independent perspective that tends to carry more weight with regulators and boards. For a first assessment, or one intended to support regulatory or audit purposes, external assessment is generally the stronger choice.

Conclusion

NIST CSF 2.0 is quickly becoming more than an abstract federal framework for critical infrastructure. Today it is the de facto standard against which insurance regulators, examiners, and oversight bodies will measure cybersecurity programs in the years ahead. The NAIC's active promotion of the framework, combined with the growing alignment between CSF 2.0 and state-level regulatory requirements, means that those who adopt this framework now will reap the benefits today and into the future.

The insurance industry has always understood that preparation is the antidote to uncertainty. Cyber risk is no different. Insurers who conduct a NIST CSF 2.0 assessment today are not just getting ahead of the regulatory curve, they are building the kind of structured, defensible cybersecurity program that will serve them, their employees, and their policyholders for years to come.

The best time to start was yesterday. The second-best time is now.

Frequently Asked Questions About NIST CSF 2.0

How does NIST CSF 2.0 align with insurance regulations?
The framework supports compliance with the NAIC Insurance Data Security Model Law #668, as well as other regulations like GLBA and NYDFS 23 NYCRR 500. A formal CSF 2.0 assessment demonstrates that insurers have a documented, defensible cybersecurity program, which is increasingly expected during state regulatory exams.

Why should insurers conduct a formal CSF 2.0 assessment instead of just reading the framework?
A formal assessment establishes a baseline of current cybersecurity posture, uncovers blind spots, prioritizes critical improvements, and documents controls for regulatory review. Unlike reading the framework, assessments provide actionable insights and a roadmap for continuous improvement.

What benefits does the Govern function provide to insurance companies?
The Govern function highlights board and executive accountability, ensures supply chain and third-party risk management, and supports strategic decision-making. It allows insurers to proactively identify vulnerabilities in vendors and internal processes, improving overall cyber resilience.

What are the risks of delaying a NIST CSF 2.0 assessment?
Delaying an assessment increases exposure to cyberattacks, regulatory penalties, and reputational damage. Insurers may face higher capital or reinsurance costs and struggle to demonstrate preparedness to regulators, boards, and policyholders during an incident. Conducting an assessment now reduces these risks and strengthens the organization’s cybersecurity foundation.

Published for the insurance industry. References: NIST Cybersecurity Framework 2.0 (February 2024); NAIC Insurance Data Security Model Law #668; NAIC Cybersecurity Insurance Topic Page (content.naic.org).