The National Association of Insurance Commissioners (“NAIC”) will convene next month in Phoenix, Arizona, for its Spring National Meeting. The Innovation, Cybersecurity, and Technology (H) Committee (the “H Committee”) and its working groups are ratcheting up their work in anticipation of next month’s national meeting. Earlier this week the NAIC announced that issues pertaining to the use of AI by insurers and cyber risk are among its 2024 Strategic Priorities, while two H Committee working groups exposed separate technology-related deliverables for public comment periods closing next month before the Spring National Meeting.
Public Exposures
Among the specific 2024 Strategic Priorities identified is completion of the Cybersecurity Event Response Plan (“CERP”). The purpose of the CERP is to assist state insurance regulators following receipt of notice of a cybersecurity event[1] by an insurance licensee, including a draft notification form, which if embraced by states could significantly simplify cybersecurity event reporting. The biggest change in the current exposed draft from the prior draft is the deletion of lead state language, which was determined to be inconsistent with the requirements of the Insurance Data Security Model Law (#668) (“Model 668”). The purpose behind the previously proposed lead state regulator provisions was to address the challenges licensees face as they must provide functionally simultaneous notice to multiple state regulators as required under Section 6B of Model 668.[2] The Cybersecurity (H) Working Group has exposed the revised CERP for a public comment period ending Tuesday March 5 in the hope that it may be adopted at the Spring National Meeting.
Separately, the E-Commerce (H) Working Group has exposed for a public comment period ending Thursday March 14, 2014, a revised E-Commerce Modernization Guide. This working group has been working on this item for a couple of years now. In fact, part of the impetus for this project was to examine exceptions granted during the pandemic for consideration as permanent reforms, such as digital signatures and digital notices. Industry commenters are generally supportive of the draft guide, though a number of commenters expressed a preference for a formal bulletin or guidance.
Strategic Priorities
As reported above, finalizing the CERP is an H Committee priority for 2024. Among other priorities are monitoring and supporting adoption of the Model Bulletin on the Use of Artificial Intelligence Systems by Insurers, adopted last December. Consistent with this goal is the creation of a new task force, the Third-Party Data and Models (H) Task Force, which has 25 members, is chaired by Colorado, and will meet at the Spring National Meeting. The Cybersecurity and Big Data & Artificial Intelligence working groups will also meet at the Spring National Meeting. The E-Commerce (H) Working Group, Technology, Innovation, and InsurTech (H) Working Group, and the Privacy Protections (H) Working Group are not scheduled to meet at the Spring National Meeting. The latter working group spent last year working on a proposed unitary privacy model, which would essentially merge and update two separate preexisting privacy models which would apply across insurance business lines. The future of the proposed unitary privacy model is uncertain at this time.
Locke Lord will continue to monitor developments across the H Committee and its task forces and working groups. If you have any questions, please reach out to the author or your Locke Lord partner.
[1] “Cybersecurity Event” means an event resulting in unauthorized access to, distribution or misuse of, an Information System or information stored on such Information System.
The term “Cybersecurity Event” does not include the unauthorized acquisition of Encrypted Nonpublic Information if the encryption, process or key is not also acquired, released or used without authorization.
Cybersecurity Event does not include an event with regard to which the Licensee has determined that the Nonpublic Information accessed by an unauthorized person has not been used or released and has been returned or destroyed.
Model 668 Section 3D.
[2] The NAIC is considering other means of lessening the reporting burden on licensees while protecting confidentiality. One option under consideration is a process for licensees to report to the NAIC, which would then distribute to the state regulators. This process would be conceptually similar to the manner in which insurance carriers currently submit annual statements and RBC statements to the NAIC as a central resource for state regulators.