b'CYBERSECURITY & DATA PRIVACYRegulationRegulators Continue to Adopt and Expand Cybersecurity RegulationCybersecurity continues to be a major area of concern for the insurance industry and insurance regulators. In 2021, we continued to see data breaches of insurance companies and brokerages. Additionally, the very nature of cybersecurity attacks has evolved as 2021 saw a marked increase in ransomware attacks. NAIC Model Law Implementation ProgressesIn October 2017, the National Association of Insurance Commissioners (NAIC) adopted an Insurance Data Security Model Law (Model Law), which imposed extensive cybersecurity requirements on top of the existing data privacy and consumer breach notification obligations that apply to insurance licensees. The Model Law requires every insurance licensee in an adopting state (unless they qualify for an exemption) to maintain a written cybersecurity policy and implement a risk-based cybersecurity program. The Model Law also requires a licensee to satisfy specific requirements related to:Risk assessment and management;Oversight of third-party service providers;Incident reporting, investigation and notification;Annual certification; andExceptions (if eligible).Initial adoption of the Model Law was somewhat slow, with only three states adopting it prior to 2019. Those states were South Carolina, Ohio, and Michigan. Also, it is widely recognized that the Model Law is based in large part on the New York Department of Financial Services (NYDFS) cybersecurity regulation, which applies to insurance licensees in New York and has been in effect since 2017. 134|Global Insurance Industry Year in Review 2021'