Skip to main content
Temas actuales
Featured Insights
Servicios / Ver Todo
Industrias / Ver Todo
About Us Overview
  • Home
  • Perspectivas
  • US NAIC Fall 2024 National Meeting Highlights: Cybersecurity (H) Working Group
diciembre 09 2024

US NAIC Fall 2024 National Meeting Highlights: Cybersecurity (H) Working Group

Authors:
Descargar PDF
Share

On November 18, 2024, the Cybersecurity (H) Working Group (“CWG”) of the Innovation, Cybersecurity and Technology (H) Committee met at the Fall 2024 National Meeting of the US National Association of Insurance Commissioners (“NAIC”). In addition to routine matters, such as the adoption of the CWG’s October 30 meeting minutes, the meeting covered the following matters.

Comments on the Confidential Cybersecurity Event Repository and Portal

Cynthia Amann, chair of the CWG and NAIC executive liaison at the Missouri Department of Commerce and Insurance, and Michael Peterson, vice chair of the CWG and senior actuarial examiner at the Virginia State Corporation Commission, solicited comments from regulators and interested parties on a proposed initiative to develop a confidential cybersecurity event repository and portal (“Portal”) to be maintained by the NAIC. The Portal initiative is aimed at enhancing the cybersecurity notification process within the US insurance sector and satisfying commitments described in the Cybersecurity Event Response Plan (“CERP”) adopted by the CWG during the Spring 2024 National Meeting. As previously reported, the CERP is based on Section 6 of the NAIC Insurance Data Security Model Law (MDL-668) and serves as voluntary guidance for state departments of insurance to effectively manage and respond to cyber events reported by regulated insurance entities.

During the discussion, several CWG members noted that the written comments received from industry members prior to the meeting were generally supportive of the Portal.

Lindsey Klarkowski, director of Data Science & AI/ML Policy at the National Association of Mutual Insurance Companies (“NAMIC”), explained that NAMIC supports the effort to streamline reporting cyber events given that, without a reasonable efficiency solution for the future, the regulatory and administration burden will likely only continue to grow as the number of these events continues to increase. However, Klarkowski also described NAMIC’s concern that centralizing data about cyber events in one NAIC repository would create a “treasure trove” for cyber criminals and therefore pose a greater risk to the insurance industry than continuing to keep cyber event information dispersed across separate repositories maintained by individual US states. To mitigate this concentration risk, NAMIC has recommended that (i) the Portal be used as a centralized procedural mechanism for reporting that a cyber incident has occurred, (ii) the most sensitive data associated with the incident be excluded from collection and inclusion in any centralized data platform, and (iii) state insurance regulators be required to contact the reporting company directly to obtain that sensitive data. Responding to a CWG member who expressed the view that the “descriptions of fixes” that would be collected via the Portal are not particularly sensitive information and would not be that useful to hackers, Klarkowski explained that “there are only a certain number of vendors and fixes that can be put in place as cyber events occur” and that just because one company experienced a breach and put a fix in place does not mean that all companies have implemented that fix; meaning that, a cyber criminal could use a centralized NAIC repository of descriptions of fixes to identify vulnerabilities that some companies have corrected but others have not. In Klarkowski’s view, the risk of breach of such an NAIC repository would therefore be a systemic risk.

Most CWG members who responded to the concerns raised by NAMIC were sympathetic to those concerns but disagreed with the conclusion that the concentration risk created by the Portal and NAIC repository would be an unacceptable, systemic vulnerability. Klarkowski reiterated NAMIC’s position that, while a centralized repository would increase efficiency, the concentration risk would be too great to justify a repository unless it stored very limited information.

Other comments by regulators and interested parties generally supported the idea of a uniform notification method for state regulators. At the conclusion of the discussion, a motion was adopted to direct NAIC staff to work with regulators to create a “test portal” to be rolled out in 2025, to explore and test the Portal’s security and confidentiality with efficient documentation, and then to prepare a proposal to CWG members to vote on before putting the Portal into use.

Presentation on Incident Response Management and Lifecycle

A representative of Alvarez & Marsal, a consulting firm, gave a presentation on best practices for dealing with a cyber incident and some trends in recent years. Phishing, in particular, was flagged as an Achilles’ heel for most organizations. The full presentation deck is available beginning on page 21 of this PDF.

Updates on CWG Workstreams

Shane Mead, a CWG member representing the Kansas Insurance Department, reported that the Information Technology (IT) Examination (E) Working Group/Exhibit C Drafting Group had finished reviewing and suggesting edits to Exhibit C – Evaluation of Controls in Information Technology within the Financial Condition Examiners Handbook and that the group would next identify where cybersecurity and IT general controls overlap and where cybersecurity should be examined separately.

Amann concluded the meeting with a note that the CWG’s charges for 2025 will look very similar to its charges for 2024. The CWG’s 2025 charges were adopted on November 19, 2024, by the Innovation, Cybersecurity and Technology (H) Committee.

To view additional updates from the US NAIC Fall 2024 National Meeting, visit our meeting highlights page.

Authors

Related Content

Stay Up To Date With Our Insights

See how we use a multidisciplinary, integrated approach to meet our clients' needs.
Subscribe

Follow us

© 2024 Mayer Brown

 

 

Mayer Brown is a global legal services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown Hong Kong LLP (a Hong Kong limited liability partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) (collectively, the “Mayer Brown Practices”). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong & Nair LLC (“PKWN”) is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong & Nair Pte. Ltd. Mayer Brown Hong Kong LLP operates in temporary association with Johnson Stokes & Master (“JSM”). More information about the individual Mayer Brown Practices, PKWN and the association between Mayer Brown Hong Kong LLP and JSM (including how information may be shared) can be found in the Legal Notices section of our website.

“Mayer Brown” and the Mayer Brown logo are trademarks of Mayer Brown.

Attorney Advertising. Prior results do not guarantee a similar outcome.