NAIC
The National Association of Insurance Commissioners develops model insurance laws and regulations adopted by US states — the de facto standard-setter for insurance technology compliance across 50 different state regulatory regimes.
The National Association of Insurance Commissioners (NAIC) is a US standard-setting and regulatory support organization whose members are the chief insurance regulatory officials of all 50 states, the District of Columbia, and US territories. The NAIC develops model laws and regulations that individual states adopt — creating a patchwork of insurance regulation where the NAIC model provides consistency, but state-by-state adoption creates variation. For insurance technology vendors, NAIC model adoption status by state is a critical compliance variable.
Several NAIC models have significant technology implications. The NAIC Insurance Data Security Model Law (MDL-668) — modeled on the NYDFS cybersecurity regulation — requires insurers to implement comprehensive information security programs with specific technical controls, conduct annual risk assessments, and maintain incident response plans. The NAIC Model Audit Rule (MDL-205) creates IT general control requirements similar to SOX for publicly traded companies. The NAIC Privacy Protections Model (MDL-670) updates GLBA's privacy requirements for the insurance context.
NAIC's model regulations on AI and automated decision-making are increasingly relevant for insurance technology. The NAIC's model bulletin on the use of AI systems in insurance (adopted 2024) requires insurers to ensure that AI systems used in underwriting and claims decisions do not produce unfair discrimination — with documentation and testing requirements for AI models. States adopting the bulletin require insurers to implement model governance programs that demonstrate ongoing fairness monitoring, creating new engineering obligations for ML systems in insurance.
We build insurance technology systems compliant with NAIC model laws — implementing MDL-668 cybersecurity controls, designing IT general controls that satisfy MDL-205 audit requirements, building AI governance programs that meet emerging NAIC AI model bulletin requirements, and navigating the state-by-state adoption landscape to determine which requirements apply in each jurisdiction where the client operates.