AI, Data, and Cyber: Highlights from the NAIC H Committee

Our JLK Rosenberger associate, Oscar Guitierrez, takes on the task of assessing and summarizing the most recent NAIC H-Committee discussions that took place during the March 2026 Spring National Meeting.  Multiple subcommittees support the H-Committee framework, and Oscar reviews each one in this article. A few highlights from the article:

• The NAIC is expanding AI oversight in insurance. Regulators are piloting an AI evaluation tool to assess how insurers use artificial intelligence in underwriting, pricing, and operations.
• Cybersecurity reporting is becoming more standardized. A new NAIC portal aims to streamline how insurers report cyber incidents and improve coordination across states.
• Third-party data and models are under increased scrutiny. Regulators are focusing on governance in pricing and underwriting and exploring a centralized registry for greater transparency.
• Data standardization is a major regulatory priority. The NAIC is working to align data definitions and reduce inconsistencies across states to improve regulatory insights.
• AI adoption is rising—but human oversight remains essential. Insurers are gradually implementing AI, but regulators emphasize the need for strong governance and human judgment.

The NAIC has several committees, comprised of state insurance regulators and professionals, who come together to stay on top of the changing industry. As a young professional, I am not only trying to catch up and learn the insurance industry but also keep up with its evolution.

Leading up to the Spring meeting, several working groups had already made meaningful progress across their respective areas.

• The Big Data and Artificial Intelligence Working Group continued refining the Artificial Intelligence (AI) systems evaluation tool, incorporating stakeholder feedback and beginning a pilot process across multiple states to test its uses in market conduct and financial examinations. The working group discussed a broader effort to better understand how insurers are using big data and AI, including machine learning, in their operations. The group also focused on helping regulators evaluate AI systems by developing practical tools, guidance, and training resources. The pilot officially began in March, and participating states are using this tool in market exams, financial exams and as a part of a more general regulatory inquiry. You can view a draft of this AI systems evaluation tool here link. Overall, their goal is to equip regulators with the knowledge and resources they need to oversee the use of AI in the insurance industry.
• The Cybersecurity Working Group (CWG) advanced its work on the Cybersecurity Event Notification Portal, including adopting revisions and continuing efforts to align implementation of the Insurance Data Security Model Law. The Group’s  focus is mainly on helping state regulators stay connected by sharing information about emerging threats and coordinating responses, especially during large, multi-state cyber incidents.  With respect to the Cybersecurity Event Notification Portal project, the Group adopted a revised project document that introduces a standardized reporting form, clarified that licensees will not be charged, and outlined security measures including SOC 3 reporting. This project focuses on streamlining  how cyber events are reported and shared across states. On the insurance side, the CWG is also monitoring the cyber insurance market, looking at pricing, coverage, underwriting practices, and the role of reinsurance, all with the goal of helping regulators stay prepared and informed.
• The Third-Party Data and Models Working Group reviewed comments on its regulatory framework and moved toward narrowing its initial scope to pricing and underwriting. The group also began exploring the development of a centralized registry. The conversation focused on potential revisions to the draft framework, assessing comments from stakeholders and identifying areas that may need further clarification or refinement. The group also agreed to narrow the initial scope to pricing and underwriting. Planning includes creating a registry that is intended to be a “lighter-touch”, with governance focused alternative to licensure, further designed to connect regulators with third parties and provide better visibility into governance practices without requiring full approval for each model or dataset. This will assist regulators to verify consistent standards across the industry.
• The Data Call Study Group shifted its focus toward market data, working to standardize data elements and definitions to reduce inconsistencies across states. The Group initially focused on cataloging  every NAIC data element but has now shifted into focusing more on market regulation data. An initial inventory has been developed and provisioned in a NAIC tool called ThoughtSpot. This tool includes Market Conduct Annual Statement (MCAS) data, complaints data, and homeowners data call. The next steps include its review, collecting state ad hoc data call information, incorporating financial statement data, and using it all to identify data gaps.
• The Privacy Protections Working Group continued its section-by-section revision of Model Law #672 – Privacy of Consumer Financial and Health Information Regulation. The drafting group will submit the fully revised draft to the working group and subsequently will be taking additional comments at the end of the year. Also, Article 7 was recently exposed for a 30-day public comment period in March. After review of those comments, work will transition to Article 1 and 8. You can read more about these articles and all others through this link.
• The SupTech/GovTech (H) Subgroup’s main focus is advancing regulatory tools and education. The meetings are regulator-to-regulator focusing on proprietary company information. The results of the recent survey to regulators, alongside collaborations with regulators, were used to identify areas that improve efficiency and strengthen regulatory effectiveness. The subgroup also met on March 3^rd to hear presentations from three insurance departments about building data and analytics teams and discuss their experiences interreacting with industry use of AI. The focus is on helping states build the capacity to use data and technology more effectively in their day-to-day oversight activities.

Speakers from PWC discussed Artificial Intelligence (AI) trends specific to the insurance industry. One trend focused on how many insurers are in a transitional phase and deploying AI incrementally, and where they are moving from their legacy systems that have no AI integration into systems that do have some sort of AI integration. However, this is not a full transition into AI systems. Instead, AI is being used to perform specific tasks and prepare their teams before any serious transformations. There is still a considerable amount of needed analysis. Agentic AI Applications were a highlighted topic. These systems can execute workflows, interact across systems, but require the human element for oversight and higher risk decisions. From personal experience, agentic AI applications can be an extremely useful tool but not a replacement for human judgment, which discerns the tool’s capabilities, troubleshoots issues, and verifies its outputs. The best way this tool has been described to me is to treat it as an eager intern, who will do the work exactly the way you instructed it. Therefore, it is critical that we practice professional skepticism with the work it produces and not blindly trust that its product is correct.

The next NAIC H Committee meeting will be held in August 2026.

We’re Here to Help

If you have any questions about how these might impact your insurance entity, please contact your JLK Rosenberger team member, call 818-334-8646, or click here to contact us. We look forward to speaking with you soon.