b'TABLE OF CONTENTSadvise on the cybersecurity insurance market,laws, including several NAIC model laws, the including rating, underwriting, claims, productHealth Insurance Portability and Accountability development, and loss control. Report on theAct (HIPAA), General Data Protection cyber insurance market, including data reportedRegulation (GDPR) and recently passed state within the Cybersecurity Insurance and Identityconsumer privacy protection laws. Then, in an Theft Coverage Supplement. attached privacy policy statement, the report Coordinate with various subject matter expertaddresses at a high-level the following five (SME) groups on insurer and producer internalconsumer data privacy protections:cybersecurity. Discuss emerging developments;1.Transparency: best practices for risk management, internalinsurance licensees should provide control, and governance; and how stateconsumers with a clear and conspicuous insurance regulators can best address industrynotice of their privacy policies and practices cyber risks and challenges. Work with CIPR towhen they first request personal information analyze cybersecurity-related information fromabout the consumer; various data sources.Consider best practices related to cybersecurityinsurance licensees should provide an annual event tracking and coordination among statestatement of their privacy policies and insurance regulators, and produce guidancepractices; andrelated to regulatory response to cybersecurityif an insurance licensee makes an adverse events to promote consistent response effortsdecision based on third-party data, the across state insurance departments. licensee should provide the consumer with specific reasons for the adverse decision.Whats Ahead 2.Consumer Control:Cybersecurity will continue to be a key concern forinsurance licensees should provide consumers insurance regulators in 2022. With increasingwith the opportunity to prohibit the sharing of cybersecurity regulation coming into effect, we shalltheir non-public personal information with see how insurance regulators actually implementthird parties, except for specific purposes that framework established under the Model Law.required or specifically permitted by law; andNAIC Issues Report on Consumer Datainsurance licensees should obtain affirmative Privacy Protections consent from consumers before sharing In December 2021, the NAIC Privacy Protectionsnon-public personal health information with (D) Working Group released its final report onany other entity, including affiliates.consumer data privacy protections. The report summarizes existing consumer privacy protection MAYER BROWN |139'