Privacy, Security, and Data Protection Update – NAIC Spring 2023 Meeting
The National Association of Insurance Commissioners’ (NAIC) Innovation, Cybersecurity, and Technology (H) Committee met in Louisville, Kentucky, March 21-25. Discussions included key technology-related topics and their impact on consumers and the insurance industry. While the topics have been broad in nature, they cover key areas that can have a direct impact on consumers and industry. The NAIC is taking privacy, security, and data protection seriously. This is reflected in the push by legislators, consumer advocacy groups, and insurance companies.
The Big Data and Artificial Intelligence (H) Working Group provided an update on a survey that seeks to understand the magnitude and impact of the industry’s use of big data, artificial intelligence (AI), and machine learning (ML). More importantly, it sought to identify the risk and governance models. Results will be reported during the summer session. The underlying concern remains the proliferation of consumer data being number-crunched without consumers’ awareness. Key outcomes from a separate AI/ML-only survey include a quantifiable impact on the use of AI/ML technologies for pricing and underwriting: $250 million value for the premiums for over 10,000 lives. With almost a quarter of a billion dollars at stake, one can easily see why insurers are drawn to employing these technologies in their business practices.
The larger underlying concerns are echoed in the various testimonies, including that of Dr. Harold Ting, an NAIC Consumer Representative, on the so-called “overreaching” use of data without industry-wide model laws to offset data abuse. Counterarguments to consumer advocates’ cries include using technology to offer products and services matching consumer needs and rooting out discriminatory practices.
Additional key takeaways include an admission of the difficulties behind a direct regulation model and that a prescriptive approach is arguably unachievable. For example, developing model laws to address the rapidly evolving landscape of AI/ML and big data is itself a challenge, much less trying to come up with a universal one-size-fits-all set of governance documents. The bottom line, and perhaps a hopeful outcome of the working session, is an agreement to pursue a principle-based regulatory framework with purported objective standards that can be universally adopted across the states.
The Cybersecurity (H) Working Group discussed issues centering on the development of a standardized incident response (IR) plan for regulated entities (when it comes to cybersecurity-related issues), the adoption and understanding of cloud services, and progress on a broader approach to using analytics to manage cyber risk. Although the session was short, the committee members called for continuing transparency and consideration of increased adoption of open-source tools for data analytics. Finally, committee members called for better understanding and tighter control of third-party vendors’ cybersecurity policy and practices.