NAIC Cybersecurity Working Group Adds Cyber Coverage to its Focus

Locke Lord LLP

Over the last few years, the work of the Cybersecurity (H) Working Group of the National Association of Insurance Commissioners (“NAIC”) has focused on cybersecurity risk to insurance licensees such as insurance carriers, insurance intermediaries,[1] and third-party service providers to insurance licensees. This year the working group’s work will consist of two parallel tracks: the traditional cybersecurity risk, and a new emphasis on cyber insurance coverage. In her discussion of proposed topics for the 2024 work plan, the Chair highlighted cyber coverage questions specific to ransomware, D&O, and whether or not cyber insurance products are providing the coverage that policyholders expect.

The working group approved the twice-revised Cybersecurity Event Response Plan (“CERP”), a voluntary guide that state insurance regulators may utilize following a cybersecurity event, such as a breach notification by an insurance licensee. The CERP was subsequently approved by the working group’s parent committee, the Innovation, Cybersecurity & Technology (H) Committee.

As mentioned above, the working group is working on a 2024 work plan addressing both the cyber risk and cyber coverage parallel tracks. Notable proposed issues include:

  • new cyber blank working its way through Financial (E) Committee subgroups,
  • referral to the Information Technology Examination (E) Working Group regarding examination standards/protocols,
  • impact of hardware and software legacy systems,
  • one-to-many reporting,[2]
  • XBRL[3]? Should we or shouldn’t we? and
  • data modernization & standardization.

In line with many other NAIC working groups and task forces, the Cybersecurity (E) Working Group will continue and expand its work pertaining to third-party vendors, broadly defined.

As part of its continuing education charge, the working group heard presentations from the American Academy of Actuaries about the Cyber Risk Toolkit developed by the Committee on Cyber Risk of the Casualty Practice Council. The working group also heard a presentation from CyberAcuView regarding its work and specifically the results of a data-call focused on 2019-2023 third-quarter data.

---

[1] For example, insurance producers, managing general agents, reinsurance intermediaries, and third-party administrators.

[2] One-to-many references the complications inherent in reporting to multiple regulatory stakeholders pertaining to widespread incidents that cross jurisdictional borders. For instance, in an earlier iteration of the CERP, the working group considered utilizing the lead state concept as a way to reduce the reporting burden on licensees in the midst of investigating a cybersecurity event.

[3] XBRL stands for eXtensible Business Reporting Language. It is a global framework for the digital exchange of financial, performance, risk, and compliance information. 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Locke Lord LLP | Attorney Advertising
