Skip to main content
Trending Topics
Featured Insights
View All Services
View All Industries
About Us Overview
    • Home
    • Insights
    • US NAIC Spring 2024 National Meeting Highlights: Cybersecurity (H) Working Group
      April 02, 2024

      US NAIC Spring 2024 National Meeting Highlights: Cybersecurity (H) Working Group

      Authors:
      Generate PDF
      Share

      The US National Association of Insurance Commissioners (“NAIC”) held its Spring 2024 National Meeting, during which the Cybersecurity (H) Working Group (the “Working Group”) adopted the Cybersecurity Event Response Plan (“CERP”), which is based on the NAIC Insurance Data Security Model Law (MDL-668), specifically the process detailed in Section 6, “Notification of a Cybersecurity Event.”

      The CERP serves as voluntary guidance for state departments of insurance (“DOIs”) to effectively manage and respond to cyber events reported by regulated insurance entities. The CERP outlines several critical steps and considerations for DOIs in the wake of a cyber event:

      • Initial Engagement: Upon receiving notification of a cyber event, the DOI is expected to promptly engage with the affected licensee. This initial contact is crucial for establishing communication channels and setting the stage for effective collaboration throughout the incident response process.
      • Information Gathering: The CERP specifies the types of information that the licensee should provide to the DOI. This includes details about the nature and scope of the cyber event, the data and systems impacted, and the measures taken by the licensee to address the incident. The CERP states that DOIs should be “mindful” that only partial information may be available early in an investigation and that new information may be developed as an investigation proceeds. The CERP also encourages DOIs to use their respective authorities to protect the confidentiality of sensitive information.
      • Ongoing Communication: The CERP emphasizes the importance of maintaining open lines of communication among all stakeholders. This includes not only the DOI and the licensee, but also consumers who may be affected by the cyber event, law enforcement agencies, and other regulatory bodies.
      • Consumer Protection: Protecting consumers is a central objective of the CERP. The guide provides direction on how to inform and assist consumers who may be impacted by a cyber event, including guidance on identity protection and fraud prevention measures.

      Insurance companies and intermediaries are encouraged to familiarize themselves with the CERP and consider how it may be integrated into their own cybersecurity frameworks. While the CERP is voluntary, its adoption by state DOIs may influence regulatory expectations and industry best practices.

      To view additional updates from the US NAIC Spring 2024 National Meeting, visit our meeting highlights page.

      Authors

      Related Content

      Related Services & Industries

      Stay Up To Date With Our Insights

      See how we use a multidisciplinary, integrated approach to meet our clients' needs.
      Subscribe

      Follow us

      © 2024 Mayer Brown

       

       

      Mayer Brown is a global services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown (a Hong Kong partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) and non-legal service providers, which provide consultancy services (collectively, the “Mayer Brown Practices”). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong & Nair LLC (“PKWN”) is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong & Nair Pte. Ltd. Details of the individual Mayer Brown Practices and PKWN can be found in the Legal Notices section of our website.

      “Mayer Brown” and the Mayer Brown logo are trademarks of Mayer Brown.

      Attorney Advertising. Prior results do not guarantee a similar outcome.