NAIC Insurance Data Security Model Law (MDL-668)

SmartSuite provides the system for managing controls, evidence, mappings, assessments, and reporting. Framework text may require a separate license unless explicitly provided.
Overview
The NAIC Insurance Data Security Model Law (MDL-668) is a regulatory framework that establishes data security requirements for insurance companies and related entities to protect consumer information and reduce cybersecurity risks. Its purpose is to drive adoption of effective cybersecurity programs and incident response processes within the insurance sector.
Published by the National Association of Insurance Commissioners (NAIC), this model law is adopted by U.S. state insurance regulators seeking to enhance data protection, risk management, and regulatory compliance across insurers, agents, and other licensees. The law addresses areas including cybersecurity controls, risk assessments, oversight of third-party service providers, breach notification, and ongoing compliance obligations.
Insurance organizations implement the NAIC Model Law by developing written information security programs, conducting regular risk assessments, monitoring internal controls, training staff, and reporting security incidents when required. The law aligns with broader U.S. data protection and cybersecurity frameworks, helping insurers strengthen compliance, reduce regulatory risk, and build customer trust.
Why it Matters
The NAIC Insurance Data Security Model Law establishes consistent standards to help insurers safeguard consumer data and reduce evolving cybersecurity risks.
Key benefits include:
• Strengthen information security governance
Drive adoption of documented cybersecurity programs, oversight, and risk management across insurance organizations and their third-party service providers.
• Enhance regulatory compliance
Facilitate adherence to state-level data security obligations, reducing regulatory risk and streamlining compliance reporting to insurance regulators.
• Improve breach response capabilities
Establish incident response practices and notification procedures, enabling prompt detection, containment, and reporting of security breaches.
• Protect consumer information
Mandate security controls that reduce the risk of data compromise, helping safeguard sensitive personal and financial data entrusted to insurers.
• Increase audit and organizational readiness
Require regular risk assessments and documentation, supporting better audit outcomes and organizational readiness for evolving cybersecurity threats.
How it Works
The NAIC Insurance Data Security Model Law (MDL-668) establishes a structured approach for safeguarding sensitive insurance data through a set of regulatory requirements and security safeguards. It outlines requirements for risk assessment, development of comprehensive information security programs, and implementation of administrative, technical, and physical security controls. The framework also sets out governance responsibilities, incident response procedures, ongoing monitoring, and regulator notification obligations, providing a lifecycle-based structure for ongoing data protection and compliance.
In operational practice, insurance companies and related organizations conduct risk assessments to identify threats to nonpublic information and then implement security controls aligned with the Model Law’s provisions. They regularly review and update their cybersecurity policies, provide employee training, monitor systems for unauthorized activity, and prepare incident response plans. Periodic compliance assessments and required notifications to state insurance regulators ensure that governance and compliance standards are maintained.
Using SmartSuite, organizations can operationalize the NAIC Model Law by leveraging integrated control libraries, maintaining a risk register, and tracking policy governance across business units. SmartSuite supports evidence collection, compliance monitoring, audit readiness, and remediation workflows. Reporting dashboards provide real-time visibility into control effectiveness and regulatory compliance for ongoing data security management.
Key Elements
• Information Security Program Requirements
Specifies criteria for comprehensive, written cybersecurity programs tailored to the organization’s business and risk environment.
• Risk Assessment Processes
Describes procedures for evaluating internal and external cyber threats, vulnerabilities, and business impact.
• Third-Party Service Provider Oversight
Outlines expectations for managing and reviewing the security practices of external vendors and business partners.
• Incident Response Planning
Defines structural requirements for preparing, detecting, and responding to cybersecurity incidents that affect sensitive information.
• Ongoing Compliance and Reporting
Establishes obligations for routine monitoring, staff training, and reporting of cyber events to regulatory authorities.
• Access and Data Controls
Organizes controls around restricting access, managing authentication, and safeguarding protected data assets.
Framework Scope
The NAIC Insurance Data Security Model Law (MDL-668) is adopted by insurance companies, agents, and third-party service providers managing consumer information. It governs information security programs, breach response processes, and oversight of data systems, typically when organizations are meeting state-level regulatory requirements and strengthening cybersecurity risk management and ongoing compliance programs.
Framework Objectives
The NAIC Insurance Data Security Model Law (MDL-668) establishes foundational requirements to advance cybersecurity, risk management, and regulatory compliance in the insurance industry.
• Safeguard sensitive consumer data through robust security controls and oversight
• Strengthen cybersecurity risk management and reduce exposure to emerging threats
• Promote effective governance across insurance organizations and licensed entities
• Support ongoing regulatory compliance and readiness for audit processes
• Enhance operational resilience and incident response capabilities
• Ensure comprehensive oversight of third-party service provider security practices
The NAIC Insurance Data Security Model Law (MDL-668) aligns closely with frameworks like the NIST Cybersecurity Framework, GLBA, and the FFIEC IT Examination Handbook. Insurance organizations typically implement this model law to meet regulatory data protection obligations, ensure robust cybersecurity practices, and harmonize risk management efforts with broader industry standards.
Common Framework Mappings
The NAIC Insurance Data Security Model Law is often mapped to other well-established cybersecurity and data protection frameworks to support regulatory harmonization, facilitate risk management, and streamline audit processes across jurisdictions.
Mapped frameworks include:
• CIS Critical Security Controls
• Digital Operational Resilience Act (DORA)
• FFIEC IT Examination Handbook
• Gramm-Leach-Bliley Act (GLBA)
• ISO/IEC 27001
• NIST Cybersecurity Framework
• NIST SP 800-53
• SOC 2 / AICPA Trust Services Criteria
- Classification
Category: Data Protection & Privacy
Domain: Cybersecurity
Framework Family: Other
- Regulatory Context
Type: Framework
Legal Instrument: Law
Sector: Financial Sector
Industry: Insurance
- Region / Publisher
Region: North America
Region Detail: United States
Publisher: National Association of Insurance Commissioners (NAIC)
- Versioning
Version: NAIC Model Law 668
Effective Date: 2017
Issue Date: December 2017
- Adoption
Adoption Model: Regulatory Compliance
Implementation Complexity: High
- Official Reference
Source
License included / downloadable: Yes
The NAIC Insurance Data Security Model Law is publicly available through the National Association of Insurance Commissioners.
How SmartSuite Supports NAIC Insurance Data Security Model Law (MDL-668)
Centralize controls, evidence, and audit workflows to stay continuously SOC 2–ready.
Security Program Requirements Library
Organize governance, risk assessment, safeguards, and oversight requirements.
Risk Assessments and Treatment Plans
Run periodic risk assessments and track mitigation actions through closure.
Vendor Due Diligence and Contract Management
Manage vendor due diligence, contract requirements, and ongoing monitoring.
Incident Response and Notification Workflow
Track cybersecurity events, escalation decisions, and reporting readiness.
Evidence and Examination Readiness
Centralize policies, training, testing, and operating evidence tied to requirements.
Board and Leadership Reporting
Provide program status, open issues, and risk posture reporting for governance.
Related frameworks

CIS Controls v8.1 provides prioritized, practical security actions to help organizations mitigate common cyber threats and strengthen defenses.

The GLBA Safeguards Rule requires financial institutions to implement security programs to protect consumer financial information.

ISO/IEC 27001:2022 is an international ISMS standard that helps organizations manage information security risks and protect data.

ISO/IEC 27701 extends ISO/IEC 27001 to help organizations manage privacy and protect personally identifiable information.

NIST Cybersecurity Framework (CSF) v2.0 is a risk-based framework that helps organizations manage and reduce cybersecurity risks.
Frequently Asked Questions For NAIC Insurance Data Security Model Law (MDL-668)
The NAIC Insurance Data Security Model Law is designed to establish data security standards for insurance companies and related entities. Its primary purpose is to protect consumer information and mitigate cybersecurity risks within the insurance sector by mandating robust data protection programs and incident response processes.
Compliance becomes mandatory when a U.S. state adopts the NAIC Model Law into its own insurance regulations. Insurers, agents, and other licensed entities operating in those states must adhere to the specific requirements set forth by the adopted version of the law.
The law applies to all insurance licensees, including insurers, agents, brokers, and certain third-party service providers that handle nonpublic consumer information. Its scope covers any entity regulated by state insurance departments that has access to sensitive customer data.
Key requirements include developing and maintaining a written information security program, conducting periodic risk assessments, implementing appropriate cybersecurity controls, managing third-party risk, and establishing breach notification processes. Assigning clear governance responsibilities to senior leadership is also required.
Organizations should start by conducting a comprehensive risk assessment to identify cybersecurity threats and vulnerabilities. Based on this assessment, they must implement appropriate safeguards, train personnel, monitor controls, update policies regularly, and prepare formal incident response and notification procedures.
The NAIC Model Law aligns with broader U.S. data protection standards, such as those outlined by NIST and state-level privacy laws, but is tailored specifically for the insurance industry. It complements existing frameworks by focusing on regulatory oversight, sector-specific requirements, and integration with state insurance regulations.
Ongoing compliance requires regular review and updating of the information security program, continuous risk assessment, staff training, monitoring of internal and third-party controls, and timely incident reporting to regulators. Organizations must maintain documentation as evidence of their ongoing adherence to the law.
SmartSuite helps organizations operationalize NAIC MDL-668 by mapping legal requirements to policies and controls, managing and tracking cybersecurity risk assessments, monitoring vendor risk, collecting compliance evidence, and automating reporting. These capabilities support audit readiness and streamline ongoing compliance management for insurance organizations.
Put CRI Profile into action with SmartSuite
Map controls, collect evidence, run assessments, manage remediation, and report readiness - all from a single connected system.

