NAIC MDL-668
NAIC Insurance Data Security Model Law (MDL-668), 4Q2017 with 2025 technical edit.
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (8)
Board Oversight
| Code | Title |
|---|---|
| Section 4(E) | Oversight by Board of Directors |
Incident Investigation
| Code | Title |
|---|---|
| Section 5 | Investigation of a Cybersecurity Event |
Information Security Program
| Code | Title |
|---|---|
| Section 4(A) | Implementation of a Comprehensive Written Information Security Program |
| Section 4(B) | Objectives of the Information Security Program |
| Section 4(G) | Program Adjustments for Changes in Technology, Threats, and Business |
| Section 4(H) | Written Incident Response Plan |
| Section 4(I) | Annual Certification to Commissioner of Domiciliary State |
Notification
| Code | Title |
|---|---|
| Section 6(A)-(B) | Notification to Commissioner Within 72 Hours; Required Content Elements |
| Section 6(C) | Notification to Consumers and Copy to Commissioner |
| Section 6(D) | Notice Regarding Cybersecurity Events of Third-Party Service Providers |
| Section 6(E)-(F) | Notice Regarding Reinsurer-to-Insurer Events and Insurer-to-Producer Notification |
Other
| Code | Title |
|---|---|
| Section 2 | Purpose and Intent; No Private Right of Action |
Risk Assessment
| Code | Title |
|---|---|
| Section 4(C)(1) | Designation of Responsible Individual or Vendor for the ISP |
| Section 4(C)(2) | Identification of Reasonably Foreseeable Internal and External Threats |
| Section 4(C)(3) | Likelihood and Damage Assessment of Identified Threats |
| Section 4(C)(4) | Sufficiency Assessment of Policies, Procedures, and Safeguards |
| Section 4(C)(5) | Implementation and Annual Effectiveness Assessment of Safeguards |
Risk Management
| Code | Title |
|---|---|
| Section 4(D)(1) | Design of ISP to Mitigate Identified Risks |
| Section 4(D)(2) | Selection and Implementation of Enumerated Security Measures |
| Section 4(D)(3) | Inclusion of Cybersecurity Risks in Enterprise Risk Management |
| Section 4(D)(4) | Awareness of Emerging Threats and Secure Information Sharing |
| Section 4(D)(5) | Cybersecurity Awareness Training for Personnel |
Third-Party
| Code | Title |
|---|---|
| Section 4(F) | Oversight of Third-Party Service Provider Arrangements |
Frequently Asked Questions
What is NAIC MDL-668?
NAIC MDL-668 is a compliance framework from United States with 8 domains and 23 controls. NAIC Insurance Data Security Model Law (MDL-668), 4Q2017 with 2025 technical edit. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does NAIC MDL-668 have?
NAIC MDL-668 has 23 controls organised across 8 domains. The largest domains are Information Security Program (5 controls), Risk Assessment (5 controls), Risk Management (5 controls). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does NAIC MDL-668 map to?
NAIC MDL-668 does not currently have cross-framework mappings in our system. Check back as we continuously expand our mapping database.
How do I get started with NAIC MDL-668 compliance?
Start your NAIC MDL-668 compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about NAIC MDL-668 requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 23 controls and track your progress.
Start Your Compliance Journey
Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 769 frameworks.
Get Started Free →Free forever — no credit card required