At its Spring 2024 National Meeting, the US National Association of Insurance Commissioners ("NAIC") Cybersecurity (H) Working Group (the "Working Group") adopted the Cybersecurity Event Response Plan ("CERP"). The CERP is built on the NAIC Insurance Data Security Model Law (MDL-668), specifically the licensee notification process set out in Section 6, "Notification of a Cybersecurity Event," under which a licensee must notify the Commissioner as promptly as possible, and no later than 72 hours after determining that a cybersecurity event has occurred.

The CERP is voluntary guidance for state departments of insurance ("DOIs") on managing and responding to cyber events reported by regulated insurance entities. It outlines several critical steps and considerations for a DOI once a cyber event has been reported:

  • Initial Engagement: Upon receiving notification of a cyber event, the DOI is expected to promptly engage with the affected licensee. This initial contact is crucial for establishing communication channels and setting the stage for effective collaboration throughout the incident response process.
  • Information Gathering: The CERP specifies the types of information that the licensee should provide to the DOI, including the nature and scope of the cyber event, the data and systems impacted, and the measures the licensee has taken to contain and remediate the incident. The CERP states that DOIs should be "mindful" that only partial information may be available early in an investigation and that new information may be developed as the investigation proceeds. The CERP also encourages DOIs to use their respective authorities to protect the confidentiality of sensitive information the licensee provides.
  • Ongoing Communication: The CERP emphasizes the importance of maintaining open lines of communication among all stakeholders. This includes not only the DOI and the licensee, but also consumers who may be affected by the cyber event, law enforcement agencies, and other regulatory bodies.
  • Consumer Protection: Protecting consumers is a central objective of the CERP. The guide provides direction on how to inform and assist consumers who may be impacted by a cyber event, including guidance on identity protection and fraud prevention measures.

Insurance companies and intermediaries are encouraged to familiarize themselves with the CERP and consider how it may be integrated into their own cybersecurity frameworks. While the CERP is voluntary, its adoption by state DOIs may influence regulatory expectations and industry best practices.




© Copyright 2024. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.