Understanding Insurance Cybersecurity Regulations: What Insurers Need to Know

The big picture compliance landscape

The global cyber insurance market reached $15.3 billion USD in 2024 and is expected to more than double by 2030. As this market grows, regulators are tightening rules, expecting insurers to prove their controls and risk management practices are up to the task. Insurance cybersecurity regulations in the United States exist primarily at the state level, which creates overlapping obligations. At the center of this sits the NAIC Insurance Data Security Model Law (NAIC MDL‑668), a model law that states can adopt to provide consistency across jurisdictions. As of mid‑2023, 23 states have adopted legislation based on the Insurance Data Security Model Law.

Beyond the NAIC law, individual states implement their own regulations, and New York’s 23 NYCRR Part 500 is one of the most comprehensive and stringent. It requires insurers to maintain a risk-based cybersecurity program, appoint a Chief Information Security Officer (or equivalent), and submit annual certifications of compliance. The regulation also requires extensive program documentation and continuous proof of compliance.

Most regulations also mandate breach notification. Insurers must notify state insurance commissioners of material cybersecurity events, generally within 72 hours, and particularly when a breach affects more than 250 consumers; they must also notify affected consumers in a timely manner when a breach occurs. These regulations also establish privacy requirements that govern how insurers collect, use, and protect consumer data.


What regulators want from insurers

Insurance cybersecurity regulations differ by state, but they generally focus on three core areas: identifying and evaluating cybersecurity risks through regular, documented assessments; implementing security controls that match those risks; and maintaining thorough documentation that proves the controls are effective. That third area is why regulators insist that insurers go beyond having policies on paper and actually demonstrate that the program works.


What a compliant insurance cybersecurity program looks like

Logging and monitoring

Insurers should maintain comprehensive logs of system activities, including user actions, configuration changes, authentication events, and access to sensitive data. For compliance, insurers must show they monitor these logs and retain records according to regulatory timelines. Huntress Managed SIEM helps insurers handle large volumes of log data, detect security events, and maintain compliance records.

Access management and identity controls

Insurers need to know who has access to systems and data and why, and must enforce appropriate controls on that access. Consider implementing multi-factor authentication (MFA), strong identity governance, privileged access management (PAM), and regular access reviews that remove access when employees leave or change roles. Huntress Managed ITDR can help identify identity risks in your environment.

Incident response plans

Insurers must document incident response plans that set out procedures for detecting, investigating, containing, and recovering from cybersecurity incidents. Plans should address notification of state insurance commissioners, generally within 72 hours for material events, as well as timely notification of consumers when a breach affects their personal data. Regular tabletop exercises test readiness and validate the response process.

Third-party vendor management

Insurers must manage third-party vendors who access their systems or data. You remain responsible for ensuring that vendors maintain appropriate data security standards. Include vendor security requirements in contracts, conduct periodic assessments, and retain the right to audit vendor practices.

Security awareness training

Regulators expect insurers to maintain ongoing security awareness training programs. Employees must understand security policies, recognize social engineering attempts, and follow proper data handling procedures. Training records proving staff awareness and adherence to security policies are essential compliance artifacts that examiners routinely request.


Day-to-day cybersecurity compliance for insurers

Key elements include:

  • Written policies and procedures that accurately reflect current practice
  • Evidence that staff follow policies, visible through logs, reports, tickets, and audit trails
  • Periodic updates as part of a continuous improvement cycle
  • Board reporting demonstrating oversight of cybersecurity
  • Independent third-party assessments

For many insurers, compliance relies as much on record-keeping as on technical security. In fact, a recent Munich Re analysis found that 87% of C-level executives believe their organization’s protection is inadequate. This statistic underscores the importance of organized program documentation, enforced file naming conventions, and version control and retention policies that streamline examinations.

And when you need expert oversight, the Huntress 24/7 SOC, Managed EDR, and Managed Security Awareness Training plug into your operations so you can continuously produce the policies, evidence, and training records that auditors ask for.


Be audit-ready with the right evidence

When regulators examine your program, you must provide evidence of cybersecurity compliance. Common examiner requests include:

  • Centralized, accessible logs (user access, authentication, sensitive data access) retained for three to five years
  • Incident response documentation showing how you handled security events
  • Training records proving staff awareness of and adherence to security policies
  • Risk assessment reports, including supporting analysis and risk remediation steps
  • Testing evidence, including tabletop exercises and vulnerability assessments

Top-performing insurers build evidence collection into everyday operations rather than scrambling to compile documents at the last minute. Bake documentation into daily practices to make compliance natural.


Protect data and prove it with Huntress

Insurance cybersecurity regulations reflect the fact that insurers manage some of the most sensitive data and are highly lucrative targets for cybercriminals. Compliance doesn’t require a huge budget. It requires an organized, methodical approach that maps security controls to regulatory requirements, maintains proper records, and treats compliance as ongoing rather than annual.

Huntress solutions, like Managed SIEM for evidence and dashboards, Managed ITDR for identity controls, Managed EDR for incident response, and Managed SAT for employee training, help insurers continuously demonstrate compliance and maintain operational security.

If you’re building or refining a compliance program, get in touch with us and see how our platform aligns controls, documentation, and reporting with what regulators demand. Book a demo today.
