The National Association of Insurance Commissioners (“NAIC”) will convene next month in Phoenix, Arizona, for its Spring National Meeting. The Innovation, Cybersecurity, and Technology (H) Committee (the “H Committee”) and its working groups are ratcheting up their work in anticipation of next month’s national meeting. Earlier this week, the NAIC announced that issues pertaining to the use of AI by insurers and cyber risk are among its 2024 Strategic Priorities, while two H Committee working groups exposed separate technology-related deliverables for public comment periods closing next month before the Spring National Meeting.

Public Exposures

Among the specific 2024 Strategic Priorities identified is completion of the Cybersecurity Event Response Plan (“CERP”). The purpose of the CERP is to support state insurance regulators following receipt of notice of a cybersecurity event[1] by an insurance licensee. It includes a draft notification form which, if embraced by states, could significantly simplify cybersecurity event reporting. The biggest change in the current exposed draft from the prior draft is the deletion of lead state language, which was determined to be inconsistent with the requirements of the Insurance Data Security Model Law (#668) (“Model 668”). The purpose behind the previously proposed lead state regulator provisions was to address the challenges licensees face as they must provide functionally simultaneous notice to multiple state regulators as required under Section 6B of Model 668.[2] The Cybersecurity (H) Working Group has exposed the revised CERP for a public comment period ending Tuesday, March 5, in the hope that it may be adopted at the Spring National Meeting.

Separately, the E-Commerce (H) Working Group has exposed for a public comment period ending Thursday, March 14, 2014, a revised E-Commerce Modernization Guide. This working group has been working on this item for a couple of years now. In fact, part of the impetus for this project was to examine exceptions granted during the pandemic for consideration as permanent reforms, such as electronic signatures and electronic notices. Industry commenters are generally supportive of the draft guide, though multiple commenters expressed a preference for a formal bulletin or guidance.

Strategic Priorities

As reported above, finalizing the CERP is an H Committee priority for 2024. Among other priorities are monitoring and supporting adoption of the Model Bulletin on the Use of Artificial Intelligence Systems by Insurers, adopted last December. In line with this goal is the creation of a new task force, the Third-Party Data and Models (H) Task Force, which has 25 members, is chaired by Colorado, and will meet at the Spring National Meeting. The Cybersecurity and Big Data & Artificial Intelligence working groups will also meet at the Spring National Meeting. The E-Commerce (H) Working Group, the Technology, Innovation, and InsurTech (H) Working Group, and the Privacy Protections (H) Working Group are not scheduled to meet at the Spring National Meeting. The latter working group spent last year working on a proposed unitary privacy model, which would essentially merge and update two separate preexisting privacy models which would apply across insurance business lines. The future of the proposed unitary privacy model is uncertain at this time.

Locke Lord will continue to monitor developments across the H Committee and its task forces and working groups. If you have any questions, please reach out to the author or your Locke Lord partner.

[1] “Cybersecurity Event” means an event resulting in unauthorized access to, distribution or misuse of, an Information System or information stored on such Information System.

The term “Cybersecurity Event” does not include the unauthorized acquisition of Encrypted Nonpublic Information if the encryption, process or key is not also acquired, released or used without authorization.

Cybersecurity Event does not include an event with regard to which the Licensee has determined that the Nonpublic Information accessed by an unauthorized person has not been used or released and has been returned or destroyed.

Model 668 Section 3D.

[2] The NAIC is considering alternative means of lessening the reporting burden on licensees while protecting confidentiality. One option under consideration is a process for licensees to report to the NAIC which would then distribute to the state regulators. This process would be conceptually similar to the manner in which insurance carriers currently submit annual statements and RBC statements to the NAIC as a central resource for state regulators.