April 02, 2024

US NAIC Spring 2024 National Meeting Highlights: Cybersecurity (H) Working Group


The US National Association of Insurance Commissioners (“NAIC”) held its Spring 2024 National Meeting, during which the Cybersecurity (H) Working Group (the “Working Group”) adopted the Cybersecurity Event Response Plan (“CERP”), which is based on the NAIC Insurance Data Security Model Law (MDL-668), specifically the process detailed in Section 6, “Notification of a Cybersecurity Event.”

The CERP serves as voluntary guidance for state departments of insurance (“DOIs”) to effectively manage and respond to cyber events reported by regulated insurance entities. The CERP outlines several critical steps and considerations for DOIs in the wake of a cyber event:

  • Initial Engagement: Upon receiving notification of a cyber event, the DOI is expected to promptly engage with the affected licensee. This initial contact is crucial for establishing communication channels and setting the stage for effective collaboration throughout the incident response process.
  • Information Gathering: The CERP specifies the types of information that the licensee should provide to the DOI. This includes details about the nature and scope of the cyber event, the data and systems impacted, and the measures taken by the licensee to address the incident. The CERP states that DOIs should be “mindful” that only partial information may be available early in an investigation and that new information may be developed as an investigation proceeds. The CERP also encourages DOIs to use their respective authorities to protect the confidentiality of sensitive information.
  • Ongoing Communication: The CERP emphasizes the importance of maintaining open lines of communication among all stakeholders. This includes not only the DOI and the licensee, but also consumers who may be affected by the cyber event, law enforcement agencies, and other regulatory bodies.
  • Consumer Protection: Protecting consumers is a central objective of the CERP. The guide provides direction on how to inform and assist consumers who may be impacted by a cyber event, including guidance on identity protection and fraud prevention measures.

Insurance companies and intermediaries are encouraged to familiarize themselves with the CERP and consider how it may be integrated into their own cybersecurity frameworks. While the CERP is voluntary, its adoption by state DOIs may influence regulatory expectations and industry best practices.

To view additional updates from the US NAIC Spring 2024 National Meeting, visit our meeting highlights page.
