
Background on the initial incident
On June 11, 2026, the National Association of Insurance Commissioners announced that unauthorized access had occurred in a portion of its website environment. Apparently, access was gained via an Oracle PeopleSoft vulnerability. While in PeopleSoft, the unauthorized party accessed and obtained information needed to gain temporary access to certain data storage areas on the NAIC website.
The NAIC said the incident was promptly contained after it was detected, and the organization engaged outside counsel and cybersecurity experts. The NAIC also said it is coordinating with the FBI. According to the NAIC, the incident resulted from a broader campaign exploiting a previously unknown Oracle PeopleSoft “zero-day” vulnerability that affected multiple organizations. The NAIC said it primarily uses PeopleSoft for internal financial reporting
The organization also confirmed that the individual or group responsible has published data from the incident and that it is working with an external data consultant to compare the published material with its own preliminary analysis.
NAIC Details the Scope of Accessed Data
In a July 2 update, the NAIC provided additional details about the information affected by the cybersecurity incident that occurred in June. In particular, it addressed the impact of the breach on insurers’ regulatory reporting. The organization said the statutory financial reporting information accessed by the unauthorized party consisted of annual and quarterly financial statements made publicly available through its InsData system. It said confidential information excluded from InsData, including Risk-Based Capital data and the Supplemental Compensation Exhibit, was not accessed.
Addressing concerns about regulatory reporting, the NAIC explained that some credit rating providers suspended their rating symbol data feeds after learning of the incident, prompting the organization to temporarily suspend assigning new NAIC Designations based on those feeds beginning June 18. To avoid disrupting second-quarter financial reporting, the NAIC said insurers may continue to use the NAIC Designations published in AVS+ as of June 17 until the rating feeds are restored. The NAIC said quarterly filings due August 15 should not be delayed.
The organization also said there is no evidence that confidential insurer information, policyholder information, producer data, personally identifiable information, banking or payment information, or insurer-specific investment portfolio information was accessed or released. It further stated that no confidential, proprietary, trade secret, or otherwise restricted insurer submissions were involved because the affected repository supported InsData’s public financial reporting database.
Regulatory systems remain operational
While confirming that data was exfiltrated, the NAIC said the information obtained consisted of publicly available statutory financial reporting data, credit rating agency rating determinations, and some routine technical information, such as outdated logs and configuration data.
The organization added that its Online Premium Tax for Insurance (OPTins) system was not affected, the unauthorized party no longer has access to its environment, and insurers should continue to expect updates through the NAIC’s cybersecurity, annual statement, and government relations contacts, as well as postings on the organization’s website.
Future updates will be posted on the NAIC website
The NAIC urged interested parties to continue to monitor its website, where the Association will publish updates on the incident as they become available.
The NAIC had cyber insurance
Finally, it is worth noting that the NAIC did indeed have cyber insurance, stating on its update page that it has been in contact with its cyber insurance carrier.