US NAIC Fall 2024 National Meeting Highlights: Cybersecurity (H) Working Group
On November 18, 2024, the Cybersecurity (H) Working Group (“CWG”) of the Innovation, Cybersecurity and Technology (H) Committee met at the Fall 2024 National Meeting of the US National Association of Insurance Commissioners (“NAIC”). In addition to routine matters, such as the adoption of the CWG’s October 30 meeting minutes, the meeting covered the following matters.
Comments on the Confidential Cybersecurity Event Repository and Portal
Cynthia Amann, chair of the CWG and NAIC executive liaison at the Missouri Department of Commerce and Insurance, and Michael Peterson, vice chair of the CWG and senior actuarial examiner at the Virginia State Corporation Commission, solicited comments from regulators and interested parties on a proposed initiative to develop a confidential cybersecurity event repository and portal (“Portal”) to be maintained by the NAIC. The Portal initiative is aimed at enhancing the cybersecurity notification process within the US insurance sector and satisfying commitments described in the Cybersecurity Event Response Plan (“CERP”) adopted by the CWG during the Spring 2024 National Meeting. As previously reported, the CERP is based on Section 6 of the NAIC Insurance Data Security Model Law (MDL-668) and serves as voluntary guidance for state departments of insurance to effectively manage and respond to cyber events reported by regulated insurance entities.
During the discussion, several CWG members noted that the written comments received from industry members prior to the meeting were generally supportive of the Portal.
Lindsey Klarkowski, director of Data Science & AI/ML Policy at the National Association of Mutual Insurance Companies (“NAMIC”), explained that NAMIC supports the effort to streamline reporting of cyber events given that, without a reasonable efficiency solution for the future, the regulatory and administrative burden will likely only continue to grow as the number of these events continues to increase. However, Klarkowski also described NAMIC’s concern that centralizing data about cyber events in one NAIC repository would create a “treasure trove” for cyber criminals and therefore pose a greater risk to the insurance industry than continuing to keep cyber event information dispersed across separate repositories maintained by individual US states. To mitigate this concentration risk, NAMIC has recommended that (i) the Portal be used as a centralized procedural mechanism for reporting that a cyber incident has occurred, (ii) the most sensitive data associated with the incident be excluded from collection and inclusion in any centralized data platform, and (iii) state insurance regulators be required to contact the reporting company directly to obtain that sensitive data. Responding to a CWG member who expressed the view that the “descriptions of fixes” that would be collected via the Portal are not particularly sensitive information and would not be that useful to hackers, Klarkowski explained that “there are only a certain number of vendors and fixes that can be put in place as cyber events occur” and that just because one company experienced a breach and put a fix in place does not mean that all companies have implemented that fix, meaning that a cyber criminal could use a centralized NAIC repository of descriptions of fixes to identify vulnerabilities that some companies have corrected but others have not. In Klarkowski’s view, the risk of a breach of such an NAIC repository would therefore be a systemic risk.
Most CWG members who responded to the concerns raised by NAMIC were sympathetic to those concerns but disagreed with the conclusion that the concentration risk created by the Portal and NAIC repository would be an unacceptable, systemic vulnerability. Klarkowski reiterated NAMIC’s position that, while a centralized repository would increase efficiency, the concentration risk would be too great to justify a repository unless it stored very limited information.
Other comments by regulators and interested parties generally supported the idea of a uniform notification method for state regulators. At the conclusion of the discussion, a motion was adopted to direct NAIC staff to work with regulators to create a “test portal” to be rolled out in 2025, to explore and test the Portal’s security and confidentiality with efficient documentation, and then to prepare a proposal to CWG members to vote on before putting the Portal into use.
Presentation on Incident Response Management and Lifecycle
A representative of Alvarez & Marsal, a consulting firm, gave a presentation on best practices for dealing with a cyber incident and some trends in recent years. Phishing, in particular, was flagged as an Achilles’ heel for most organizations. The full presentation deck is available beginning on page 21 of this PDF.
Updates on CWG Workstreams
Shane Mead, a CWG member representing the Kansas Insurance Department, reported that the Information Technology (IT) Examination (E) Working Group/Exhibit C Drafting Group had finished reviewing and suggesting edits to Exhibit C – Evaluation of Controls in Information Technology within the Financial Condition Examiners Handbook and that the group would next identify where cybersecurity and IT general controls overlap and where cybersecurity should be examined separately.
Amann concluded the meeting with a note that the CWG’s charges for 2025 will look very similar to its charges for 2024. The CWG’s 2025 charges were adopted on November 19, 2024, by the Innovation, Cybersecurity and Technology (H) Committee.
To view additional updates from the US NAIC Fall 2024 National Meeting, visit our meeting highlights page.