On August 13, 2025, the Innovation, Cybersecurity, and Technology (H) Committee (“H Committee”) of the US National Association of Insurance Commissioners (“NAIC”) met at the NAIC’s Summer 2025 National Meeting in Minneapolis, Minnesota. The meeting covered the following matters:
ADOPTION OF TASK FORCE AND WORKING GROUP REPORTS
The H Committee received reports on the recent activities of its working groups, including, among others, the Cybersecurity (H) Working Group, the Third-Party Data and Models Working Group and the Big Data and Artificial Intelligence (H) Working Group.
CYBERSECURITY (H) WORKING GROUP
The Cybersecurity (H) Working Group reported that it met on June 17, 2025 and heard a presentation from the New York State Department of Financial Services on its recent amendment to its cybersecurity regulation–the regulation on which the NAIC’s Insurance Data Security Model Law #668 (the “IDSM”) was largely based. See our Legal Update, “NYDFS Releases Amendment to Cybersecurity Regulation.”
The working group met again on July 15, 2025. During this meeting, the working group introduced a draft guide for compliance and enforcement in connection with the IDSM. The guide is intended to be used by regulators to conduct an IDSM compliance review and gap analysis. It was developed in response to the Chief Financial Regulator Forum’s referral on regulatory compliance for the IDSM. The working group continued discussion of the guide during its August 11 meeting. Following the discussion, the working group exposed a revised draft of the guide for a 30-day comment period ending on September 13, 2025.
The working group also discussed next steps on the Cybersecurity Event Notification Portal Project, which aims to create a centralized portal for regulators to receive cybersecurity event notifications. The portal is intended to address inefficiencies and delays created as a result of fragmented reporting across states. The project remains in process as components of the reporting process and the notification timeline require legal research. During the meeting, regulators indicated an interest in speaking with legal experts to understand the notification practices as a matter of law.
There was also a presentation from NAIC staff on changes to the Property & Casualty Annual Statement Cybersecurity and Identity Theft Supplement for 2024 (“Supplement”). The Supplement has been revised to eliminate identity theft-related reporting, and now requires a three-way split for reporting cyber policies: Primary, Excess and Endorsement Coverage. The change from a two-way split to a three-way split is intended to enhance transparency in how coverage is being written, layered and distributed across policy types. While this creates a clearer picture for regulators on how cybersecurity insurance is structured, it introduces complexity into the data analysis for such policies.
THIRD-PARTY DATA AND MODELS WORKING GROUP
The Third-Party Data and Models Working Group met on August 13, 2025 and continued discussion regarding the definition of “third-party vendor.” Previously, the Third-Party Data and Models Working Group met and requested proposed definitions of “third-party data vendor” and “third-party model vendor” for use in a regulatory framework for the oversight of third-party data and predictive models. In formulating these new definitions, the working group is trying to facilitate regulators obtaining information about what third-party data and models are being used by insurers, whether any such data should not be used, what assumptions are being made regarding the data, and whether any unfairly discriminatory company practices are occurring as a result.
Regulators noted that information about third-party data and models used by insurers cannot be obtained if the insurer does not have such information, thereby creating an impediment to the regulators’ ability to assess insurers’ data and model use. In light of this, the working group is focused on considering the scope of any such regulatory framework, which includes what types of organizations should be considered “third parties,” the definitions of data and/or model vendors, and the potential to limit the focus of oversight efforts to specific insurer operations. The working group plans to prepare and expose draft definitions for comment.
BIG DATA AND ARTIFICIAL INTELLIGENCE (H) WORKING GROUP
See our Legal Update, “US NAIC Summer 2025 National Meeting Highlights: Big Data and Artificial Intelligence (H) Working Group.”
AI PRESENTATIONS
In addition to hearing a presentation on a practical example of human-centered use of AI from a producer of generative AI tools for underwriters, the H Committee heard a presentation on development of an AI governance framework by the International Actuarial Association (IAA). The goal of the framework is to provide actuaries with education on how to use AI responsibly and raise awareness of the risks that need to be managed when designing, developing, implementing, and using AI systems. The framework encourages governance and oversight during the entirety of an AI model’s lifecycle from design to ongoing monitoring after implementation based on ten key components–Roles and Responsibilities, Board of Directors, Committees & Policies, Key Functions, Presence of a Model Owner, Model Risk Ratings, Governance & Risk Management Processes, Independent Validation, Third-Party Vendor Oversight, and Human Supervision & Oversight.
To view additional updates from the US NAIC Summer 2025 National Meeting, visit our meeting highlights page.