

US NAIC 668 – Insurance Data Security Model Law

Operationalize US NAIC 668 compliance with the most comprehensive PrivacyOps platform

Last Updated on May 13, 2024



The "Insurance Data Security Model Law," or NAIC Model Regulation 668, was developed by the National Association of Insurance Commissioners (NAIC) in the United States. This model law establishes cybersecurity standards and requirements for insurance companies to protect the confidentiality, integrity, and availability of nonpublic information.

The NAIC Model 668 applies to licensees, defined as persons licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered, pursuant to the insurance laws of the state. It does not include a purchasing group or risk retention group chartered and licensed in a state other than this state, or a licensee acting as an assuming insurer that is domiciled in another state or jurisdiction.

The NAIC Model Regulation 668 acts as a model or template that other U.S. states can use as a starting point for developing their own regulatory frameworks. As a result, each state may vary in terms of specific requirements and details of the regulation.

The NAIC Model Regulation 668 is one of the four primary model NAIC Laws. The other three laws are the model Insurance Information and Privacy Protection Act (#670), the model Privacy of Consumer Financial and Health Information Regulation (#672), and the model Standards for Safeguarding Customer Information Regulation (#673). These standards govern the collection, use, and disclosure of information in relation to insurance transactions made by insurance institutions, agents, or insurance support organizations. The NAIC Model Regulation 668 imposes cybersecurity obligations concerning personally identifiable information.

The NAIC Model 668 has been adopted by several US states, including Alabama, Connecticut, Delaware, Indiana, Iowa, Louisiana, Maine, Maryland, Michigan, Minnesota, Mississippi, New Hampshire, New York, North Dakota, South Carolina, Tennessee, Virginia, Wisconsin, and Ohio.

The Solution

Securiti enables organizations to comply with US NAIC 668 – Insurance Data Security Model Law through AI-driven PI data discovery, DSR automation, documented accountability, enhanced visibility into data processing activities, and AI-driven process automation.

Securiti supports enterprises' journey toward compliance with US NAIC 668 – Insurance Data Security Model Law through automation, enhanced data visibility, and identity linking.



Request a demo to learn how Securiti can aid you and your organization's compliance efforts today.

Assess US NAIC 668 Readiness

US NAIC 668 Section: 2

Utilize Securiti's collaborative readiness assessment template to assess your organization's compliance with NAIC 668 requirements, identify compliance gaps, and mitigate risks. Seamlessly expand assessment capabilities across your vendor ecosystem to maintain compliance with this standard.


Implement Automated Breach Management and Notifications

US NAIC 668 Sections: 4(H), 6

Securiti's Breach Management enables organizations to create an incident response plan to respond effectively to security incidents that compromise the confidentiality, integrity, or availability of information. It assists organizations in making breach notifications to relevant stakeholders in accordance with the requirements of this model law and other applicable laws.

Assess Breach Risk Severity

US NAIC 668 Section: 5

Securiti's Assessment Automation allows organizations to assess the nature and scope of security incidents with the help of breach and breach risk severity assessments. These assessments help organizations identify what information has been breached, restore security, take reasonable measures to protect against any unauthorized acquisition or disclosure of information, and identify which parties are required to be notified of the breach.


Automate Risk Assessment and Vendor Risk Management

US NAIC 668 Sections: 4(C), 4(F)

Securiti's Assessment Automation enables organizations to assess safeguards in place for protecting data and associated risks and assess and mitigate third-party risks.

Assess Data Security Posture

US NAIC 668 Sections: 4(C)(5), 4(D)

Securiti's Data Security Posture Management module allows organizations to identify and implement appropriate security controls.


Key Facts about US NAIC 668 – Insurance Data Security Model Law


Data Security Program: Insurance companies must create, implement, and maintain a thorough written information security program to protect nonpublic information. This program should include administrative, technical, and physical safeguards.


Risk Assessment: Insurers must conduct regular risk assessments to identify potential vulnerabilities and threats to nonpublic information. The Information Security Program must be designed to mitigate identified risks in proportion to the sensitivity of the nonpublic information. Third-party service providers are required to be included in the risk management process.


Security measures: Access controls, encryption, multi-factor authentication, regular testing, audit trails, protection against breaches, and secure disposal of information are some of the security measures highlighted in the NAIC 668 standard.


Incident Response Plan: To address cybersecurity events and quickly minimize their effects, insurance companies must have an incident response plan in place.


Employee Training: Employees must receive appropriate cybersecurity awareness training.


Notification of Cybersecurity Events: The licensee must notify the Commissioner and consumers in the case of a cybersecurity event. The notification to the Commissioner must be made as promptly as possible but no later than 72 hours from a determination that a cybersecurity event has occurred.


Annual Certification: Insurance regulators in each state may require insurers to certify compliance with the regulation annually.


Records Retention: The Licensee must keep records pertaining to each cybersecurity event for at least five years from the date of the event. The Commissioner may request those records at any time.
