More than 200 regulators and interested parties attended the NAIC’s Cybersecurity (H) Working Group’s first meeting of the year on March 23. The working group, made up of 23 states, co-chaired by Missouri and New York, is planning what crop to plant by refining its draft charges, including:
- Coordinating with the Center for Insurance Policy and Research to create a survey aimed at gathering data on insurers’ cybersecurity practices and cybersecurity-related costs; and
- Supporting state insurance departments responding to insurance industry cybersecurity events. Planned work includes:
  - Tracking cyber events and breaches that states can use for visibility into incidents; and
  - Creating resources, and potentially training, for state insurance departments to use in responding to breaches, such as guidance on investigative tools, better leveraging third-party forensic investigation reports, asking questions during investigations, and reasonable timelines and expectations.
While intended to help regulators select areas of focus and better understand the often technical aspects of cybersecurity, these priorities could mean bad weather for insurers, including:
- State insurance regulators desiring to play more of a leadership role in cybersecurity join an already crowded field of other “leaders” scrutinizing insurers’ practices;
- The more pressure regulators exert to obtain forensic reports, the more endangered insurers’ privilege and work product protections for such reports may become; and
- Regulators’ increasing knowledge base may embolden them and skew their expectations of insurers who do not have the same information available to them.
The NAIC is certainly revving the tractors and preparing the soil on cybersecurity.