The National Association of Insurance Commissioners (“NAIC”) will convene next month in Phoenix, Arizona, for its Spring National Meeting. The Innovation, Cybersecurity, and Technology (H) Committee (the “H Committee”) and its working groups are ratcheting up their work in anticipation of next month’s national meeting. Earlier this week the NAIC announced that issues pertaining to the use of AI by insurers and cyber risk are among its 2024 Strategic Priorities, while two H Committee working groups exposed separate technology-related deliverables for public comment periods closing next month before the Spring National Meeting.
Public Exposures
Among the specific 2024 Strategic Priorities identified is completion of the Cybersecurity Event Response Plan (“CERP”). The purpose of the CERP is to assist state insurance regulators following receipt of notice of a cybersecurity event[1] by an insurance licensee, including a draft notification form, which if embraced by states could significantly simplify cybersecurity event reporting. The most important change in the current exposed draft from the prior draft is the deletion of lead state language, which was determined to be inconsistent with the requirements of the Insurance Data Security Model Law (#668) (“Model 668”). The purpose behind the previously proposed lead state regulator provisions was to address the challenges licensees face as they must provide functionally simultaneous notice to multiple state regulators as required under Section 6B of Model 668.[2] The Cybersecurity (H) Working Group has exposed the revised CERP for a public comment period ending Tuesday March 5 in the hope that it may be adopted at the Spring National Meeting.
Separately, the E-Commerce (H) Working Group has exposed for a public comment period ending Thursday March 14, 2014, a revised E-Commerce Modernization Guide. This working group has been working on this item for a couple of years now. In fact, part of the impetus for this project was to examine exceptions granted during the pandemic for consideration as permanent reforms, such as digital signatures and digital notices. Industry commenters are generally supportive of the draft guide, though several commenters expressed a preference for a formal bulletin or guidance.
Strategic Priorities
As reported above, finalizing the CERP is an H Committee priority for 2024. Among other priorities are monitoring and supporting adoption of the Model Bulletin on the Use of Artificial Intelligence Systems by Insurers, adopted last December. Consistent with this goal is the creation of a new task force, the Third-Party Data and Models (H) Task Force, which has 25 members, is chaired by Colorado, and will meet at the Spring National Meeting. The Cybersecurity and Big Data & Artificial Intelligence working groups will also meet at the Spring National Meeting. The E-Commerce (H) Working Group, Technology, Innovation, and InsurTech (H) Working Group, and the Privacy Protections (H) Working Group are not scheduled to meet at the Spring National Meeting. The latter working group spent last year working on a proposed unitary privacy model, which would essentially merge and update two separate preexisting privacy models which would apply across insurance business lines. The future of the proposed unitary privacy model is uncertain at this time.
Locke Lord will continue to monitor developments within the H Committee and its task forces and working groups. If you have any questions, please reach out to the author or your Locke Lord partner.
[1] “Cybersecurity Event” means an event resulting in unauthorized access to, distribution or misuse of, an Information System or information stored on such Information System.
The term “Cybersecurity Event” does not include the unauthorized acquisition of Encrypted Nonpublic Information if the encryption, process or key is not also acquired, released or used without authorization.
Cybersecurity Event does not include an event with regard to which the Licensee has determined that the Nonpublic Information accessed by an unauthorized person has not been used or released and has been returned or destroyed.
Model 668 Section 3D.
[2] The NAIC is considering alternative means of lessening the reporting burden on licensees while protecting confidentiality. One option under consideration is a process for licensees to report to the NAIC, which would then distribute to the state regulators. This process would be conceptually similar to the manner in which insurance carriers currently submit annual statements and RBC statements to the NAIC as a central resource for state regulators.