How to Map Digital Underwriting Controls to NIST Cybersecurity Framework
A detailed guide on mapping digital underwriting controls to the NIST Cybersecurity Framework, including the new Govern function in NIST CSF 2.0.
The rapid digitization of insurance underwriting has introduced a complex set of new risks for carriers to manage. As underwriters increasingly rely on algorithms, data analytics, and third-party platforms to assess risk and price policies, the cybersecurity posture of these systems becomes a critical component of regulatory compliance and operational resilience. For chief medical officers and reinsurance medical directors, demonstrating robust data protection and system integrity to regulators and partners is no longer optional. The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) provides a comprehensive, risk-based approach for carriers to structure their digital underwriting controls and communicate their security posture effectively.
"The financial sector experienced the highest average cost of a data breach worldwide for 12 consecutive years, and in 2023, finance surpassed healthcare as the most breached industry, accounting for 27% of breaches handled by Kroll."
Mapping digital underwriting controls to the NIST cybersecurity framework
The NIST Cybersecurity Framework is a voluntary set of standards and best practices designed to help organizations manage cybersecurity risk. Its five core functions, Identify, Protect, Detect, Respond, and Recover, offer a strategic lens for organizing and prioritizing security activities. With the release of NIST CSF 2.0 in February 2024, a new "Govern" function was added, emphasizing the importance of cybersecurity governance as a foundational element of an organization's risk management strategy. For insurance carriers, mapping their digital underwriting controls nist cybersecurity framework functions provides a clear, defensible methodology for managing regulatory scrutiny and ensuring the trustworthiness of their underwriting processes.
The "Govern" function is particularly relevant for the insurance industry, as it directly addresses how cybersecurity strategy is established, communicated, and monitored from an enterprise-wide perspective. This function provides a formal structure for senior leadership to oversee cybersecurity risk alongside other strategic risks. For underwriting departments, this means integrating cybersecurity considerations directly into the development and deployment of new technologies and data sources.
| NIST CSF 2.0 Function | Description | Digital Underwriting Control Examples |
|---|---|---|
| Govern | Establish and oversee the organization's cybersecurity risk management strategy, expectations, and policy. | - Board-level approval of data governance policies.- Formal designation of a Chief Information Security Officer (CISO).- Regular review of vendor and third-party risk assessments. |
| Identify | Understand the cybersecurity risks to systems, assets, data, and capabilities. | - Asset management for all underwriting platforms.- Data classification for sensitive health information.- Risk assessment of algorithmic underwriting models. |
| Protect | Implement safeguards to ensure delivery of critical infrastructure services. | - Access control for underwriting and claims systems.- Encryption of data at rest and in transit.- Security awareness training for all employees. |
| Detect | Implement activities to identify the occurrence of a cybersecurity event. | - Continuous monitoring of network and system activity.- Anomaly detection for unusual underwriting decisions.- Regular penetration testing and vulnerability scans. |
| Respond | Implement activities to take action regarding a detected cybersecurity incident. | - Incident response plan for data breaches.- Communication plan for notifying regulators and consumers.- Forensic analysis of security incidents. |
| Recover | Implement activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. | - System backup and recovery procedures.- Business continuity plan for underwriting operations.- Re-evaluation of underwriting decisions post-incident. |
Industry Applications
The application of the NIST Cybersecurity Framework extends across all lines of insurance that are incorporating digital underwriting techniques. The principles of the framework can be adapted to the specific risks and regulatory requirements of each product area.
Life Insurance
In life insurance, where underwriting often involves the collection and analysis of sensitive health data, the "Protect" and "Govern" functions are critical. Carriers must demonstrate that they have robust controls in place to prevent unauthorized access to applicant data, both from internal and external threats. The "Govern" function ensures that these protections are not just technical solutions, but are part of a comprehensive, board-level risk management strategy.
Health Insurance
For health insurers, the Health Insurance Portability and Accountability Act (HIPAA) provides a baseline for data protection. The NIST CSF provides a broader framework for managing cybersecurity risk beyond the specific requirements of HIPAA. Mapping HIPAA security rule controls to the NIST CSF can help health insurers streamline their compliance efforts and provide a more holistic view of their security posture.
Cyber Insurance
The irony for cyber insurance underwriters is that they are applying these same digital underwriting techniques to assess the cybersecurity posture of their own potential clients. A growing number of cyber insurers are now explicitly requiring their clients to demonstrate alignment with the NIST Cybersecurity Framework as a condition of coverage. This creates a virtuous cycle, where the adoption of the NIST CSF by other industries is driving a more standardized and rigorous approach to cyber risk underwriting.
Current research and evidence
The National Association of Insurance Commissioners (NAIC) has formally endorsed the NIST Cybersecurity Framework as a valuable tool for the insurance sector. In a 2017 report, the NAIC's Cybersecurity (EX) Task Force recommended that state insurance regulators use the NIST CSF as the basis for their examinations of insurance company cybersecurity programs. This endorsement has been a significant driver of NIST CSF adoption within the industry.
More recent research from the International Monetary Fund (IMF) in 2024 has highlighted the systemic risk that cybersecurity threats pose to the financial services sector as a whole. The IMF report notes that cyberattacks have more than doubled since the start of the pandemic, with the potential for extreme losses from a single event quadrupling since 2017 to $2.5 billion. This escalating threat environment highlights the importance of a robust, standardized approach to cybersecurity, as embodied by the NIST framework.
The future of digital underwriting controls
The future of digital underwriting controls nist cybersecurity framework mapping will be shaped by the increasing sophistication of both cyber threats and underwriting technologies. As carriers incorporate more artificial intelligence and machine learning into their underwriting models, the "Identify" and "Detect" functions of the NIST CSF will become even more critical. Carriers will need to develop new techniques for identifying and detecting bias, discrimination, and other potential harms that can arise from algorithmic decision-making.
Furthermore, the "Govern" function will continue to grow in importance as regulators and other stakeholders demand greater transparency and accountability from insurance companies in their use of customer data. Demonstrating strong governance over digital underwriting will be essential for maintaining public trust and navigating an increasingly complex regulatory landscape.
Frequently asked questions
What is the NIST Cybersecurity Framework?
The NIST Cybersecurity Framework (CSF) is a set of voluntary guidelines, standards, and best practices to help organizations manage and reduce cybersecurity risk. It was developed by the National Institute of Standards and Technology (NIST) and is widely used by organizations in a variety of industries, including financial services and insurance.
Why is the NIST Cybersecurity Framework important for insurance underwriting?
The NIST CSF provides a structured and comprehensive approach for insurance carriers to manage the cybersecurity risks associated with their digital underwriting platforms. It helps carriers demonstrate to regulators, partners, and customers that they have a robust and defensible security program in place.
What is the new "Govern" function in NIST CSF 2.0?
The "Govern" function, introduced in NIST CSF 2.0 in February 2024, focuses on how an organization's cybersecurity risk management strategy is established, monitored, and communicated. It emphasizes the importance of senior leadership involvement and integrating cybersecurity into the organization's overall enterprise risk management framework.
The insights and frameworks discussed in this article are central to the mission of Circadify. We are dedicated to providing the tools and expertise necessary for navigating the complex regulatory environment of digital underwriting. To learn more about how to build a compliance-first approach, explore our compliance guides and regulatory insights.