Effective NAIC Cybersecurity Programs

Offered in person in various cities each month on Thursdays and Fridays as two eight-hour CPE events

Cybersecurity is perhaps one of the most important topics for the insurance industry today.

Insurers and insurance producers must protect the highly sensitive consumer financial and health information collected as part of the underwriting and claims processes. This personally identifiable information (PII) is entrusted to the insurance industry by the public.

We will provide guidance on building a program that addresses the NAIC cybersecurity activities, including:
- Principles for Effective Cybersecurity: Insurance Regulatory Guidance,
- NAIC Roadmap for Cybersecurity Consumer Protections,
- Updates to the Financial Condition Examiners Handbook concerning cybersecurity risks and protocols,
- Insurance Data Security Model Law.

The in-person event will include a review of the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity. The framework provides a structure of standards, guidelines and practices to help organizations, regulators and customers with critical infrastructures manage cyber risks effectively.

This course is designed for professionals experienced in working with internal controls and ERM programs.

The cost of this internal audit training seminar is $1,395.00 for the first attendee from a single organization.


Each attendee will receive 16 Auditing CPE Hours (YB). A certificate of completion will be provided.

The retail cost of this CPE event is $1,395.00 for each attendee.

Program Level of Understanding: Intermediate
Prerequisites: Participants should come with a knowledge of information technology.
Advance Preparation: A number of documents will be provided in advance.
Delivery Format: On-site Training (Group-Live); Seminar (Group-Live)
NASBA Field(s) of Study: Auditing
CPE Credits: 16, based on 50 minutes of instruction per hour

Who should attend?

This two-day in-person CPE event is designed for the project director, project leader and individuals who have to create an effective cybersecurity program and the related documents for an insurance organization. Each attendee will go home with a set of 35 documents that were used to create the academy.

CPE Event Highlights

We will cover the elements of an effective cybersecurity program:

  • Having a formal, well documented cybersecurity program.

  • Conducting prudent risk assessments.

  • Having a reliable audit of security controls.

  • Having clearly defined and assigned information security roles and responsibilities.

  • Creating strong access control procedures.

  • Ensuring that any assets or data stored in a cloud or managed by a third party service provider are subject to appropriate security reviews and independent security assessments.

  • Conducting periodic cybersecurity awareness training.

  • Implementing and managing a secure system development life cycle (SDLC) program.

  • Having an effective business resiliency program addressing business continuity, disaster recovery, and incident response.

  • Encrypting sensitive data, stored and in transit.

  • Implementing strong technical controls in accordance with best security practices.

  • Responding properly to any past cybersecurity incidents.


Learning Objectives

Attendees will:

  • Understand how the cybersecurity program must have the capability to prepare for, protect against, and respond to the potential effects of cyber attacks.

  • Learn the overall strategic decisions that need to be made to improve and enhance a cybersecurity program.

  • Gain knowledge of how information sharing relationships and communications paths are necessary for collecting and disseminating cyber incident situational awareness, response and recovery information.

  • Understand that the cybersecurity program will have to embrace a continuous improvement mode of operation.


Key Issues on the Agenda
Section 1 The NIST Framework
Section 2 Documenting an effective cybersecurity program
Section 3 Example of Cybersecurity Risk Assessment
Section 4 What is your perimeter?
Section 5 Understanding Your Data
Section 6 Controlling Access to the Data
Section 7 Training the People
Section 8 Auditing the data protection
Section 9 Summary and Wrap-Up