Insurers Warn on Centralized Cyber Risk Database

- The NAIC’s Cybersecurity (H) Working Group is actively developing a "Cybersecurity Event Repository and Portal," with the initial phase focused on centralizing notifications related to its Model Data Security Law (MDL-668) to reduce the reporting burden on companies. - A key driver for such a database is the significant challenge actuaries face in pricing cyber risk due to a lack of standardized, historical data; the constantly evolving nature of threats makes traditional actuarial models less effective. - The NAIC already collects industry data via its Cybersecurity Insurance Coverage Supplement, which was updated for 2024 filings to better differentiate between primary, excess, and endorsement policies, providing more granular data for analysis. - The U.S. cyber insurance market saw direct written premiums of approximately $9.14 billion in 2024, a 7% decrease from 2023, while the number of reported claims rose by nearly 40% to almost 50,000. - From a data architecture perspective, building such a repository requires solving challenges related to integrating disparate legacy systems, data mapping, and master data management to ensure data quality and consistency. - To mitigate the risk of the repository becoming a target, a multi-layered security approach is essential, incorporating encryption for data in transit and at rest, role-based access controls, continuous monitoring, and disaster recovery plans. - The debate is part of a broader 2026 strategic priority for the NAIC to enhance its own data architecture and analytical capabilities while also establishing regulatory frameworks for insurers' use of AI and third-party data models. - Other collaborative efforts to analyze cyber risk include CISA's relaunched Cybersecurity Insurance and Data Analysis Working Group (CIDAWG), which partners with industry to identify the most effective security controls.