NAIC Insurance Data Security Model Law (MDL-668)

Why it Matters

The NAIC Insurance Data Security Model Law establishes consistentstandards to help insurers safeguard consumer data and reduceevolving cybersecurity risks.

Key benefits include:

• Strengthen information security governance

Drive adoption ofdocumented cybersecurity programs, oversight, and risk managementacross insurance organizations and their third-party serviceproviders.

• Enhance regulatory compliance

Facilitateadherence to state-level data security obligations, reducingregulatory risk and streamlining compliance reporting to insuranceregulators.

• Improve breach response capabilities

Establishincident response practices and notification procedures, enablingprompt detection, containment, and reporting of security breaches.

• Protect consumer information

Mandate securitycontrols that reduce the risk of data compromise, helping safeguardsensitive personal and financial data entrusted to insurers.

• Increase audit and readiness

Require regularrisk assessments and documentation, supporting better audit outcomesand organizational readiness for evolving cybersecurity threats.

How it Works

The NAIC Insurance Data Security Model Law (MDL-668) establishes astructured approach for safeguarding sensitive insurance data througha set of regulatory requirements and security safeguards. It outlinesrequirements for risk assessment, development of comprehensiveinformation security programs, and implementation of administrative,technical, and physical security controls. The framework also setsout governance responsibilities, incident response procedures,ongoing monitoring, and regulator notification obligations, providinga lifecycle-based structure for ongoing data protection andcompliance.

In operational practice, insurance companies and relatedorganizations conduct risk assessments to identify threats tononpublic information and then implement security controls alignedwith the Model Law’s provisions. They regularly review and updatetheir cybersecurity policies, provide employee training, monitorsystems for unauthorized activity, and prepare incident responseplans. Periodic compliance assessments and required notifications tostate insurance regulators ensure that governance and compliancestandards are maintained.

Using SmartSuite, organizations can operationalize the NAIC Model Lawby leveraging integrated control libraries, maintaining a riskregister, and tracking policy governance across business units.SmartSuite supports evidence collection, compliance monitoring, auditreadiness, and remediation workflows. Reporting dashboards providereal-time visibility into control effectiveness and regulatorycompliance for ongoing data security management.

Key Elements

• Information Security Program Requirements

Specifiescriteria for comprehensive, written cybersecurity programs tailoredto the organization’s business and risk environment.

• Risk Assessment Processes

Describesprocedures for evaluating internal and external cyber threats,vulnerabilities, and business impact.

• Third-Party Service Provider Oversight

Outlinesexpectations for managing and reviewing the security practices ofexternal vendors and business partners.

• Incident Response Planning

Definesstructural requirements for preparing, detecting, and responding tocybersecurity incidents that affect sensitive information.

• Ongoing Compliance and Reporting

Establishesobligations for routine monitoring, staff training, and reporting ofcyber events to regulatory authorities.

• Access and Data Controls

Organizescontrols around restricting access, managing authentication, andsafeguarding protected data assets.

Framework Scope

The NAIC Insurance Data Security Model Law (MDL-668) is adopted byinsurance companies, agents, and third-party service providersmanaging consumer information. It governs information securityprograms, breach response processes, and oversight of data systems,typically when organizations are meeting state-level regulatoryrequirements and strengthening cybersecurity risk management andongoing compliance programs.

Framework Objectives

The NAIC Insurance Data Security Model Law (MDL-668) establishesfoundational requirements to advance cybersecurity, risk management,and regulatory compliance in the insurance industry.

Safeguard sensitive consumer data through robust security controlsand oversight

Strengthen cybersecurity risk management and reduce exposure toemerging threats

Promote effective governance across insurance organizations andlicensed entities

Support ongoing regulatory compliance and readiness for auditprocesses

Enhance operational resilience and incident response capabilities

Ensure comprehensive oversight of third-party service providersecurity practices The NAIC Insurance Data Security Model Law(MDL-668) aligns closely with frameworks like NIST CybersecurityFramework, GLBA, and the FFIEC IT Examination Handbook. Insuranceorganizations typically implement this model law to meet regulatorydata protection obligations, ensure robust cybersecurity practices,and harmonize risk management efforts with broader industrystandards.

Framework in Context

The NAIC InsuranceData Security Model Law (MDL-668) aligns closely with frameworks likeNIST Cybersecurity Framework, GLBA, and the FFIEC IT ExaminationHandbook. Insurance organizations typically implement this model lawto meet regulatory data protection obligations, ensure robustcybersecurity practices, and harmonize risk management efforts withbroader industry standards.

Common Framework Mappings

NAIC Insurance Data Security Model Law is often mapped to otherwell-established cybersecurity and data protection frameworks tosupport regulatory harmonization, facilitate risk management, andstreamline audit processes across jurisdictions.

Mapped frameworks include:

CIS Critical Security Controls

Digital Operational Resilience Act (DORA)

FFIEC IT Examination Handbook

Gramm-Leach-Bliley Act (GLBA)

ISO/IEC 27001

NIST Cybersecurity Framework

NIST SP 800-53

SOC 2 / AICPA Trust Services Criteria