Over the last few years, the work of the Cybersecurity (H) Working Group of the National Association of Insurance Commissioners (“NAIC”) has focused on cybersecurity risk to insurance licensees such as insurance carriers, insurance intermediaries,[1] and third-party service providers to insurance licensees. This year the working group’s work will consist of two parallel tracks: the traditional cybersecurity risk, and a new emphasis on cyber insurance coverage. In her discussion of proposed topics for the 2024 work plan, the Chair highlighted cyber coverage questions specific to ransomware, D&O, and whether or not cyber insurance products are providing the coverage that policyholders expect.

The working group approved the twice revised Cybersecurity Event Response Plan (“CERP”), a voluntary guide that state insurance regulators may utilize following a cybersecurity event, such as a breach notification by an insurance licensee. The CERP was subsequently approved by the working group’s parent committee, the Innovation, Cybersecurity & Technology (H) Committee.

As mentioned above, the working group is working on a 2024 work plan addressing both the cyber risk and cyber coverage parallel tracks; notable proposed issues include:

  • new cyber blank working its way through Financial (E) Committee subgroups,
  • referral to the Information Technology Examination (E) Working Group regarding examination standards/protocols,
  • impact of hardware and software legacy systems,
  • one-to-many reporting,[2]
  • XBRL[3]? Should we or shouldn’t we? and
  • data modernization & standardization.

In line with many other NAIC working groups and task forces, the Cybersecurity (H) Working Group will continue and expand its work pertaining to third-party vendors, broadly defined.

As part of its continuing education charge, the working group heard presentations from the American Academy of Actuaries about the Cyber Risk Toolkit developed by the Committee on Cyber Risk of the Casualty Practice Council. The working group also heard a presentation from CyberAcuView regarding its work and, specifically, the results of a data call focused on 2019-2023 third-quarter data.

Locke Lord will continue to monitor cybersecurity developments at the NAIC. If you have any questions, please reach out to the author or your Locke Lord partner.

[1] For example, insurance producers, managing general agents, reinsurance intermediaries, and third-party administrators.

[2] "One-to-many" refers to the complications inherent in reporting to multiple regulatory stakeholders on widespread incidents that cross jurisdictional borders. For instance, in an earlier iteration of the CERP, the working group considered using the lead state concept as a way to reduce the reporting burden on licensees in the midst of investigating a cybersecurity event.

[3] XBRL stands for eXtensible Business Reporting Language. It is a global framework for the digital exchange of financial, performance, risk, and compliance information.