NAIC Model Law 668 v2024
NAIC Insurance Data Security Model Law
Framework data extracted from the Secure Controls Framework (SCF) v2025.4 Set Theory Relationship Mapping (STRM) files, licensed under CC BY-ND 4.0. Attribution required per license terms.
1 — Title (1 requirement)
2 — Purpose and Scope (3 requirements)
3 — Definitions (1 requirement)
4 — Information Security Program (54 requirements)
4 Information Security Program
4.A Written Information Security Program
4.B Program Design Objectives
4.B(1) Protect Security and Confidentiality
4.B(2) Protect Against Threats
4.B(3) Protect Against Unauthorized Access
4.B(4) Retention and Destruction Schedule
4.C Licensee Requirements
4.C(1) Designate Responsible Employees
4.C(2) Identify Foreseeable Threats
4.C(3) Assess Threat Likelihood and Damage
4.C(4) Assess Sufficiency of Safeguards
4.C(4)(a) Employee Training and Management
4.C(4)(b) Information Systems
4.C(4)(c) Detection, Prevention and Response
4.C(5) Implement and Assess Safeguards
4.D Risk-Based Requirements
4.D(1) Program Design Based on Risk
4.D(2) Security Measures
4.D(2)(a) Access Controls
4.D(2)(b) Asset Identification and Management
4.D(2)(c) Physical Access Restrictions
4.D(2)(d) Encryption of Nonpublic Information
4.D(2)(e) Secure Development Practices
4.D(2)(f) Information System Modifications
4.D(2)(g) Multi-Factor Authentication
4.D(2)(h) Testing and Monitoring
4.D(2)(i) Audit Trails
4.D(2)(j) Environmental Protection
4.D(2)(k) Secure Disposal Procedures
4.D(3) Enterprise Risk Management
4.D(4) Emerging Threats Awareness
4.D(5) Cybersecurity Awareness Training
4.E Board of Directors Oversight
4.E(1) Executive Management Responsibility
4.E(2) Annual Written Report
4.E(2)(a) Program Status and Compliance
4.E(2)(b) Material Matters Reporting
4.E(3) Delegation Oversight
4.F Third-Party Service Provider Oversight
4.F(1) Due Diligence in Selection
4.F(2) Third-Party Security Measures
4.G Program Monitoring and Adjustment
4.H Incident Response Plan
4.H(1) Written Incident Response Plan
4.H(2) Incident Response Plan Areas
4.H(2)(a) Internal Response Process
4.H(2)(b) Incident Response Goals
4.H(2)(c) Roles, Responsibilities and Authority
4.H(2)(d) Communications and Information Sharing
4.H(2)(e) Weakness Remediation Requirements
4.H(2)(f) Documentation and Reporting
4.H(2)(g) Plan Evaluation and Revision
4.I Annual Compliance Certification
5 — Investigation of a Cybersecurity Event (9 requirements)
6 — Notification of a Cybersecurity Event (35 requirements)
6 Notification of a Cybersecurity Event
6.A Commissioner Notification (72 Hours)
6.A(1) State of Domicile
6.A(2) Consumer Threshold (250+)
6.A(2)(a) Government Notification Required
6.A(2)(b) Material Harm Likelihood
6.A(2)(b)(i) Consumer Harm
6.A(2)(b)(ii) Business Operations Harm
6.B Notification Information Requirements
6.B(1) Event Date
6.B(2) Exposure Description
6.B(3) Discovery Method
6.B(4) Information Recovery
6.B(5) Source Identity
6.B(6) Law Enforcement Notification
6.B(7) Information Types Acquired
6.B(8) Compromise Period
6.B(9) Affected Consumer Count
6.B(10) Internal Review Results
6.B(11) Remediation Efforts
6.B(12) Privacy Policy and Consumer Steps
6.B(13) Contact Person
6.C Consumer Notification
6.D Third-Party Service Provider Notification
6.D(1) Third-Party Event Treatment
6.D(2) Deadline Computation
6.D(3) Agreements for Investigation and Notice
6.E Reinsurer Notification
6.E(1) Assuming Insurer Events
6.E(1)(a) Assuming Insurer Notification
6.E(1)(b) Ceding Insurer Consumer Notification
6.E(2) Third-Party Provider of Assuming Insurer
6.E(2)(a) Third-Party Event Notification
6.E(2)(b) Ceding Insurer Obligations
6.F Producer Notification
7 — Power of Commissioner (3 requirements)
8 — Confidentiality (10 requirements)
8 Confidentiality
8.A Confidentiality of Documents
8.B Testimony Restrictions
8.C Information Sharing Authority
8.C(1) Share with Regulatory Agencies
8.C(2) Receive from Other Jurisdictions
8.C(3) Share with Third-Party Providers
8.C(4) Information Sharing Agreements
8.D No Waiver of Privilege
8.E Public Adjudicated Actions