NAIC Model Audit Rule Programs

Offered bi-monthly, Monday through Friday, as five four-hour CPE events


This CPE event focuses on how to address the Model Audit Rule (MAR) annual ICFR assessment and the triennial enterprise risk management evaluation using the COSO frameworks (COSO 2013 and COSO ERM) and COBIT.

This five-session CPE course is designed for compliance managers, controllers, CFOs and others who are responsible for the internal control framework an insurance organization uses in its NAIC Model Audit Rule compliance efforts.

The examples used tie to the seventeen COSO principles. Reference is made to the various exhibits in the Financial Condition Examiners Handbook that drive the examination of compliance activities.

Learn how to comply using a cost-effective approach to your compliance needs under the NAIC Model Audit Rule (MAR) requirements. These requirements concern not only the annual filings but also the Insurance Commissioner's approach, using the Financial Condition Examiners Handbook, to the triennial exams.


Each attendee will have access to a set of 55 documents that were used to create the workshop.

This comprehensive training course is for anyone who wants a strong base of knowledge and understanding of the essentials of a cybersecurity risk management program.

Each attendee will receive 20 CPE Hours (YB). A certificate of completion will be provided.

Program Level of Understanding: Basic
Prerequisites: None
Advance Preparation: None
Delivery Format: Group Internet Based
NASBA Field(s) of Study: Auditing, Business Law, Business Management & Organization, Behavioral Ethics, Information Technology
CPE Credits: 20, based on 50 minutes of instruction per hour

Who should attend?

This timely, three-morning CPE virtual training is designed for the project director, project leader and individuals who have to create an effective cybersecurity program and the related documents for an insurance organization. Each attendee will go home with a set of 35 documents that were used to create the academy.

CPE Event Highlights

  • What are the NAIC goals with this Act?

  • How does this Act compare to New York State Regulation Section 500?

  • Which organizations fall under the Act's provisions?

  • What is the definition of "cybersecurity event"?

  • What is contained in an "Information Security Program"?

  • What is nonpublic information under an information security program?

  • What is "publicly available information"?

  • How do you approach creating a cybersecurity risk assessment?

  • What are the eleven enumerated security measures?

  • What does continuous monitoring mean?

  • What Board of Directors' oversight is required?

  • What certification is required?

Learning Objectives

  • Attendees will see how cybersecurity is an evolving art.

  • Attendees will understand risk assessment from the cybersecurity viewpoint.

  • Attendees will have examples for the minimum standards.

  • Attendees will know the components in an effective information security program.

  • Attendees will have an approach to controls at third party providers.

  • Attendees will have an example incident reporting and notification plan.

Key Issues on the Agenda

Introduction and Overview

  • About Us and About Your Instructors

  • Who are You?

  • What are Your Needs?

  • What is "Cybersecurity"?

  • This is War!

  • Myths!

  • Key Players in Cyber Risk Standards

Section 1 - Concepts and Definitions

  • What is "Information Technology"?

  • Risk Appetite

  • Risk Tolerance

  • What is an "Information Security Program"?

  • What is "Non-Public Information"?

  • The NAIC's 12 Principles of Cybersecurity

  • SIFMA Principles of Cybersecurity Regulation

  • Insurance Data Security Model Law by Section

  • New York State Section 500

  • Comparison of NAIC to Section 500

Section 2 - Initiating the Improvement of an Information Security Program (ISP)

  • NAIC Model Law Section 4a - Implementation of an ISP

  • LCA - Creating the Appropriate Environment

  • Where did the "Current State" come from?

  • How good is our Risk Assessment?

  • NAIC Model Law Section 4b - Objectives of an ISP

  • What questions do you start with?

  • Cyber Threats by the Numbers

  • NAIC Model Law Section 4e - Oversight by the Board of Directors

  • Key Principles of Cyber Risk Oversight per the NACD

  • NAIC Model Law Section 4f - Oversight of Third-Party Service Providers

  • NAIC Model Law Section 4h - Incident Response Plan

Section 3 - Define the Problems and Opportunities

  • The Effects of "Moore's Law"

  • SLCA - Program Management

  • The Usual Suspects - Cyber Security Issues

  • Measuring the Maturity of Internal Controls

  • Internal Breaches

  • External Breaches

  • Business Alignment Issues

  • Governance and Leadership Issues

  • Extended Ecosystem Issues

Section 4 - Deep Dive into The Issues

  • NAIC Model Law Section 4e - Oversight by the Board of Directors

  • Mission Statement - Explicit Values - Business Model

  • Ethics

  • Authorized Individuals

  • User Access and Passwords

  • Desktop Management

  • Email Management

  • Mobile Device Management

  • "WiFi"

  • Cyber Attacks

Section 5 - The Effective Information Security Program Management

  • NAIC Model Law Section 4g - Program Adjustments

  • How do we manage the Program?

  • Project Scoping

  • Governance

  • Cybersecurity Domains

  • Resources

Section 6 - The Information Security Program

  • NAIC Model Law Section 4d - Risk Management

  • Strategic Management Elements

  • Tactical Management Elements

  • Operational Management Elements

  • Data Assets

  • Security Policies

  • Physical Security Items

  • Personnel Security Items

  • System & Application Items

  • NIST System Security Plan Standards

  • System & Software Life Cycle

  • Configuration Management

  • Training & Awareness Program

  • System Documentation

  • Disaster Recovery & Business Continuity

Section 7 - Review The Effectiveness

  • Business Objective - Risks - Controls

  • NAIC Model Law Section 4g - Program Adjustments

  • NAIC Model Law Section 4i - Annual Certification

  • What is Effectiveness?

  • The InfoSec Maturity Model

  • FFIEC Cybersecurity Assessment Tool

  • Maturity Levels of the Internal Controls

  • Inherent Risk Profile

  • Technologies & Connection Types

  • Online & Mobile Products & Technology Services

  • Organizational Characteristics

  • Inherent Risk Profile

  • The Five Risk Response Domains

  • How is your Cybersecurity IC Maturity?

  • Cyber Risk Management & Oversight Domain

  • Threat Intelligence & Collaboration Domain

  • Cybersecurity Controls Domain

  • External Dependency Management Domain

  • Cyber Incident Management & Resilience Domain

  • Innovative - Advanced - Intermediate - Evolving - Baseline Levels

  • Cybersecurity Inherent Risk & IC Maturity Relationship

  • Management Assessment Results

  • Certification & Accreditation Program

Section 8 - Incident Response to a Cybersecurity Event

  • NAIC Model Law Section 4h - Incident Response Plan

  • Who is on the "Team"?

  • Key Layers of Management's Response

  • What are the "Goals" for the Team?

  • The Skills - The World Class Response Team

  • Preparation

  • The Observe - Orient - Decide - Act (O.O.D.A.) Methodology in Detail

  • Incident Response Procedures

  • SANS Institute "Jumpbag" Recommendations

  • Post-Event Recommendations

Section 9 - SOC for Cybersecurity - AICPA Standards and Guidance

  • AICPA's Three Key Components

  • AICPA - SOC for Cybersecurity Resources

  • Difference Between Cybersecurity and Information Security

  • AICPA Objectives

  • Three Reporting Levels - Entity - Service Provider - Supply Chain

  • Two Sets of Criteria

  • Cybersecurity Program Descriptive Criteria

  • Cybersecurity Program Control Criteria

  • Trust Services Approach to COSO 2013

  • Trust Services Additional Points of Focus within COSO 2013

  • Trust Services Supplemental Criteria

  • Components of the Cybersecurity Report

  • Management's Description

  • Management's Assertion

  • The Practitioner's Opinion

Section 10 - Summary and Wrap-Up

  • "Information Security Program" Defined

  • "Reactive" or "Proactive"

  • Your Keys to Success!