On November 16, 2023 the Cybersecurity (H) Working Group (the "Working Group") of the National Association of Insurance Commissioners ("NAIC") met virtually to discuss the following topics:

Cybersecurity Event Response Plan

The Working Group indicated that it will be circulating a revised draft of its Cybersecurity Event Response Plan ("CERP"), which is intended to govern multi-state coordination when multiple states are investigating a significant cyber incident occurring at an insurer. Notable revisions to the CERP which have been made by the Working Group include:

  • Introduction of a lead state concept: The Working Group noted that a lead state concept "may be an appropriate means of creating efficiency while still allowing states to gather information needed to support regulatory responses to cybersecurity events," and encouraged state departments of insurance ("DOIs") to use the lead state concept "where possible and appropriate."
  • Guidance regarding notifications: The Working Group acknowledged that it will take time for a licensee to provide all the information set forth in Section 6 of the NAIC Insurance Data Security Model Law, and that some information may be available earlier than other information. Accordingly, the Working Group advised that the "licensee who notified the DOI of a breach has a responsibility to update and supplement previous notifications . . . regarding material changes to previously provided information." Further, "DOIs should establish clear and reasonable communication expectations with the licensee to ensure material updates provided are timely."

The draft CERP also states that if a DOI determines that it is appropriate to investigate an insurer's response to a cyber incident, it can use a wide range of "tools," from ad hoc inquiry to the examination process to information demands.

The draft CERP also states that DOIs should apply the principle of "data minimization," and collect only information about cyber events that is adequate, necessary, and relevant, and limit "collection of sensitive information such as vulnerable fields and configurations." The draft CERP also states that DOIs should treat information related to a cybersecurity event as "confidential and privileged under MDL-668 [the NAIC Insurance Data Security Model Law], relevant examination/analysis laws, privileges, and other authority."

Update on the National Institute of Standards and Technology Cybersecurity Framework

John Boyens of the National Institute of Standards and Technology ("NIST") gave an update regarding NIST's progress on the development of Cybersecurity Framework ("CSF") 2.0, which is expected to be adopted in 2024. The purpose of the presentation was to inform both the NAIC and state DOIs of certain substantive changes to CSF 1.0 which will be incorporated in the new version, because, among other reasons, the NAIC Financial Condition Examiner's Handbook includes NIST concepts, and the NAIC will be borrowing heavily from NIST to make recommendations with respect to its various cybersecurity initiatives.

Update on Federal Activities Related to Cybersecurity

Shana Oppenheim of the NAIC staff gave an update on federal activities relating to cybersecurity, which noted the following developments:

  • Earlier this year, Senators John Hickenlooper (D-CO) and Shelley Moore Capito (R-WV) introduced a bill (S. 513) to enact the Insure Cybersecurity Act of 2023. The proposed legislation aims to better insure small businesses against cyberattacks, and would direct the National Telecommunications and Information Administration to create a dedicated working group to develop recommendations for insurers, agents, brokers, and customers to improve communications regarding cybersecurity insurance coverage. Although the bill has been referred to the Senate Committee on Commerce, Science, and Transportation, action on the bill has been postponed indefinitely. The Working Group underscored the importance for insurance regulators of following this effort and finding a way to provide input on federal developments.
  • In July of this year, the Office of the National Cyber Director issued a request for public comment on harmonizing cybersecurity regulations. The comment deadline was October 31, 2023.
  • Also in July, the Securities and Exchange Commission finalized its Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies for registered entities and foreign private issuers, which include cybersecurity incident disclosures and annual cybersecurity risk management related disclosures. The rules require registrants to disclose material cybersecurity incidents and to disclose certain information about their cybersecurity risk management processes and oversight annually.
  • In September, the Government Accountability Office ("GAO") issued a Cybersecurity Program Audit Guide. The guide provides auditors with the methodologies, techniques, and audit procedures needed to evaluate the components of the cybersecurity programs and systems of government agencies, and also provides recommendations regarding risk management and incident response. In the same month, the GAO released a report, "Critical Infrastructure Protection: National Cybersecurity Strategy Needs to Address Information Sharing Performance Measures and Methods." The report articulates a strategy for the protection of critical infrastructure, such as water and electricity, from cyberattacks.



© Copyright 2023. The Mayer Brown Practices. All rights reserved.
