NAIC criticized over network flaws and communication after cyberattack

The National Association of Insurance Commissioners is struggling to contain the fallout from a June 11 cyber breach that potentially exposed sensitive regulatory filings, as well as data from credit rating agencies.
In an update on Thursday, the NAIC confirmed that “data taken from our environment during the security incident was published online by the group responsible.
“We are actively working with an external cybersecurity partner to compare the scope and type of data the group posted with our own analysis,” the note read. “Updates will be posted here as they are available.”
NAIC officials did not provide any additional details or comment.
Meanwhile, industry trade groups say their members are frustrated. In a letter last week to the NAIC, the National Association of Mutual Insurance Companies criticized both the security and a lack of communication.
“It appears evident that the NAIC has not implemented proper cyber guardrails, including practices like segmenting sensitive information systems from one another,” wrote Erin Collins, senior vice president for state and policy affairs at NAMIC.
“NAMIC is also troubled with the lack of communication by the NAIC on this event. The NAIC did not seem to provide any type of directed alert other than what was posted on the NAIC website, did so nearly one full week after identifying the event.”
The NAIC subsequently provided more information this week.
Contacted by InsuranceNewsNet, the American Council of Life Insurers responded with a statement from Jillian Froment, executive vice president and general counsel.
“ACLI is working closely with the NAIC to ensure our members receive clear, timely information about this incident and any next steps. We appreciate the NAIC’s engagement to date and will continue coordinating with them as their review progresses.”
Attackers missed key systems
The NAIC said attackers exploited a zero-day vulnerability in its Oracle PeopleSoft systems. The extortion group ShinyHunters claimed responsibility for the breach.
Despite claims by the hackers, the NAIC confirmed in a Tuesday update that the following systems were not breached: the System for Electronic Rate and Form Filing (SERFF), Online Premium Tax for Insurance (OPTins), Uniform Certificate Authority Application (UCAA), Enterprise Data Platform (EDP), Regulatory Data Collection (RDC), NIPR, Teammate, State Based Systems (SBS), employee personal data, electronic funds transfer, risk-based capital data, policyholder information, producer data, and event registration payment information.
Data that was accessed or acquired included publicly available statutory financial reporting information.
“These statements were publicly available prior to this incident through state websites, InsData, or resellers,” the NAIC update noted.
Also, credit rating agency data, including rating determinations of insurer investments, was accessed. This does not include any rating agency investment rationale reports, the NAIC said.
No payment, banking or credit card information was accessed, the NAIC added.
‘Failures’ questioned by think tank
The Pinpoint Policy Institute, a conservative think tank, ripped the NAIC for waiting nearly a week to publicly disclose the cyber breach, as well as its handling of it. PPI opposes further regulation, in particular the NAIC's discussions about increasing its oversight of rating agencies.
The NAIC is a 501(c)(3) nonprofit entity that does not file Form 990 disclosures “like virtually every other nonprofit in America,” PPI noted in a Thursday commentary. The organization also “circumvents” any formal Administrative Procedures Act notice and comment process.
“Taken together, these failures call into question everything NAIC is currently pursuing,” reads the PPI commentary, which has no byline. “An organization this unaccountable should not be expanding its regulatory footprint.
“The NAIC should pause all policy development until elected officials, who are accountable to the public, can get a full grasp of the NAIC’s unaccountable and potentially collusive behavior.”
In its letter from Adam Shores, senior vice president for state government relations, the American Property Casualty Insurance Association struck a conciliatory tone. But its members still want information on the breach, Shores wrote.
“APCIA is hearing directly from member companies that are seeking clear, timely, and authoritative information regarding the scope of this incident and its potential implications,” he wrote.
© Entire contents copyright 2026 by InsuranceNewsNet.com Inc. All rights reserved. No part of this article may be reprinted without the expressed written consent from InsuranceNewsNet.com.

