Over the past few years, the work of the Cybersecurity (H) Working Group of the National Association of Insurance Commissioners (“NAIC”) has focused on cybersecurity risk to insurance licensees such as insurance carriers, insurance intermediaries,[1] and third-party service providers to insurance licensees. This year the working group’s work will consist of two parallel tracks: the traditional cybersecurity risk, and a new emphasis on cyber insurance coverage. In her discussion of proposed topics for the 2024 work plan, the Chair highlighted cyber coverage questions specific to ransomware, D&O, and whether or not cyber insurance products are providing the coverage that policyholders expect.
The working group approved the twice revised Cybersecurity Event Response Plan (“CERP”), a voluntary guide that state insurance regulators may utilize following a cybersecurity event, such as a breach notification by an insurance licensee. The CERP was subsequently approved by the working group’s parent committee, the Innovation, Cybersecurity & Technology (H) Committee.
As mentioned above, the working group is working on a 2024 work plan addressing both the cyber risk and cyber coverage parallel tracks. Notable proposed issues include:
- new cyber blank working its way through Financial (E) Committee subgroups,
- referral to the Information Technology Examination (E) Working Group regarding examination standards/protocols,
- impact of hardware and software legacy systems,
- one-to-many reporting,[2]
- XBRL[3]? Should we or shouldn’t we? and
- data modernization & standardization.
In keeping with many different NAIC working teams and process forces the Cybersecurity (E) Working Group will proceed and increase its work pertaining to third-party distributors, broadly outlined.
As a part of its persevering with schooling cost, the working group heard displays from the American Academy of Actuaries in regards to the Cyber Danger Toolkit developed by the Committee on Cyber Danger of the Casualty Observe Council. The working group additionally heard a presentation from CyberAcuView relating to its work and particularly the outcomes of a data-call targeted on 2019-2023 third-quarter information.
Locke Lord will proceed to watch cybersecurity developments on the NAIC. When you have any questions, please attain out to the writer or your Locke Lord associate.
[1] For example, insurance producers, managing general agents, reinsurance intermediaries, and third-party administrators.
[2] One-to-many references the problems inherent in reporting to multiple regulatory stakeholders pertaining to widespread incidents that cross jurisdictional borders. For instance, in an earlier iteration of the CERP, the working group considered utilizing the lead state concept as a way to reduce the reporting burden on licensees in the midst of investigating a cybersecurity event.
[3] XBRL stands for eXtensible Business Reporting Language. It is a global framework for the digital exchange of financial, performance, risk, and compliance information.