Over the past few years, the work of the Cybersecurity (H) Working Group of the National Association of Insurance Commissioners (“NAIC”) has focused on cybersecurity risk to insurance licensees such as insurance carriers, insurance intermediaries,[1] and third-party service providers to insurance licensees. This year the working group’s work will consist of two parallel tracks: the traditional cybersecurity risk, and a new emphasis on cyber insurance coverage. In her discussion of proposed topics for the 2024 work plan, the Chair highlighted cyber coverage questions specific to ransomware, D&O, and whether or not cyber insurance products are providing the coverage that policyholders expect.
The working group approved the twice revised Cybersecurity Event Response Plan (“CERP”), a voluntary guide that state insurance regulators may utilize following a cybersecurity event, such as a breach notification by an insurance licensee. The CERP was subsequently approved by the working group’s parent committee, the Innovation, Cybersecurity & Technology (H) Committee.
As mentioned above, the working group is working on a 2024 work plan addressing both the cyber risk and cyber coverage parallel tracks. Notable proposed issues include:
- new cyber blank working its way through Financial (E) Committee subgroups,
- referral to the Information Technology Examination (E) Working Group regarding examination standards/protocols,
- impact of hardware and software legacy systems,
- one-to-many reporting,[2]
- XBRL[3]? Should we or shouldn’t we? and
- data modernization & standardization.
In line with many other NAIC working groups and task forces, the Cybersecurity (E) Working Group will continue and expand its work pertaining to third-party vendors, broadly defined.
As part of its continuing education charge, the working group heard presentations from the American Academy of Actuaries regarding the Cyber Risk Toolkit developed by the Committee on Cyber Risk of the Casualty Practice Council. The working group also heard a presentation from CyberAcuView regarding its work and specifically the results of a data-call focused on 2019-2023 third-quarter data.
Locke Lord will continue to monitor cybersecurity developments at the NAIC. If you have any questions, please reach out to the author or your Locke Lord partner.
[1] For example, insurance producers, managing general agents, reinsurance intermediaries, and third-party administrators.
[2] One-to-many references the issues inherent in reporting to multiple regulatory stakeholders pertaining to common incidents that cross jurisdictional borders. For example, in an earlier iteration of the CERP, the working group considered the use of the lead state concept as a way to reduce the reporting burden on licensees in the midst of investigating a cybersecurity event.
[3] XBRL stands for eXtensible Business Reporting Language. It is a global framework for the digital exchange of financial, performance, risk, and compliance information.