On November 16, 2023 the Cybersecurity (H) Working Group (the “Working Group”) of the National Association of Insurance Commissioners (“NAIC”) met virtually to discuss the following topics:
Cybersecurity Event Response Plan
The Working Group indicated that it will be circulating a revised draft of its Cybersecurity Event Response Plan (“CERP”), which is intended to govern coordination among state regulators when more than one state is investigating a significant cyber incident at an insurer. Notable revisions to the CERP made by the Working Group include:
- Introduction of a lead state concept: The Working Group noted that a lead state concept “may be an appropriate means of creating efficiency while still allowing states to gather information needed to support regulatory responses to cybersecurity events,” and encouraged state departments of insurance (“DOIs”) to use the lead state concept “where possible and appropriate.”
- Guidance regarding notifications: The Working Group acknowledged that it will take time for a licensee to provide all the information set forth in Section 6 of the NAIC Insurance Data Security Model Law, and that some information may be available earlier than other information. Accordingly, the Working Group advised that the “licensee who notified the DOI of a breach has a responsibility to update and supplement previous notifications . . . regarding material changes to previously provided information.” Further, “DOIs should establish clear and reasonable communication expectations with the licensee to ensure material updates provided are timely.”
The draft CERP also states that if a DOI determines that it is appropriate to investigate an insurer’s response to a cyber incident, it can use a wide range of “tools,” from ad hoc inquiries to the formal examination process to information demands.
In addition, the draft CERP directs DOIs to apply the principle of “data minimization”: collect only information about a cyber event that is adequate, necessary, and relevant, and limit “collection of sensitive information such as vulnerable fields and configurations.” Finally, the draft CERP provides that DOIs should treat information related to a cybersecurity event as “confidential and privileged under MDL-668 [the NAIC Insurance Data Security Model Law], relevant examination/analysis laws, privileges, and other authority.”
Update on the National Institute of Standards and Technology Cybersecurity Framework
John Boyens of the National Institute of Standards and Technology (“NIST”) gave an update regarding NIST’s progress on the development of Cybersecurity Framework (“CSF”) 2.0, which is expected to be adopted in 2024. The purpose of the presentation was to inform both the NAIC and state DOIs of certain substantive changes to CSF 1.0 which will be incorporated in the new version, because, among other reasons, the NAIC Financial Condition Examiner’s Handbook includes NIST concepts, and the NAIC will be borrowing heavily from NIST to make recommendations with respect to its various cybersecurity initiatives.
Update on Federal Activities Related to Cybersecurity
Shana Oppenheim of the NAIC staff gave an update on federal activities relating to cybersecurity, which noted the following developments:
- Earlier this year, Senators John Hickenlooper (D-CO) and Shelley Moore Capito (R-WV) introduced a bill (S. 513) to enact the Insure Cybersecurity Act of 2023. The proposed legislation aims to better insure small businesses against cyberattacks, and would direct the National Telecommunications and Information Administration to create a dedicated working group to develop recommendations for insurers, agents, brokers, and customers on improving communications regarding cybersecurity insurance coverage. Although the bill has been referred to the Senate Committee on Commerce, Science, and Transportation, action on it has been postponed indefinitely. The Working Group underscored the importance of insurance regulators following this effort and finding a way to provide input on federal developments.
- In July of this year, the Office of the National Cyber Director issued a request for public comment on harmonizing cybersecurity regulations. The comment deadline was October 31, 2023.
- Also in July, the Securities and Exchange Commission adopted its final rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies, which apply to registrants including foreign private issuers. The rules require registrants to disclose material cybersecurity incidents (for domestic registrants, on Form 8-K within four business days of determining that an incident is material) and to disclose annually certain information about their cybersecurity risk management, strategy, and governance, including board oversight of cybersecurity risk.
- In September, the Government Accountability Office (“GAO”) issued a Cybersecurity Program Audit Guide. The guide provides auditors with the methodologies, techniques, and audit procedures needed to evaluate the components of government agencies’ cybersecurity programs and systems, including risk management and incident response. In the same month, the GAO also released a report, “Critical Infrastructure Protection: National Cybersecurity Strategy Needs to Address Information Sharing Performance Measures and Methods.” The report evaluates how the National Cybersecurity Strategy addresses the protection of critical infrastructure sectors, such as water and electricity, from cyberattacks and, as its title indicates, finds that the strategy needs to address performance measures and methods for cyber threat information sharing.
To view additional updates from the US NAIC Fall 2023 National Meeting, visit our meeting highlights page.