
The New Hampshire Insurance Department (NHID) says that it is monitoring the cybersecurity incident involving the National Association of Insurance Commissioners (NAIC). According to the NHID, based on information provided by the NAIC to date, there is no current evidence that New Hampshire Insurance Department systems or consumer personal or financial information were affected.
The announcement also noted that Insurance Commissioner D.J. Bettencourt participated in an NAIC briefing on the matter, and the Department remains in communication with the NAIC as additional verified information becomes available.
NAIC says incident has been contained
“Protecting the integrity of our regulatory systems and maintaining public confidence are top priorities for the Department,” said Insurance Commissioner D.J. Bettencourt. “I have participated directly in briefings with the NAIC, and based on the information available today, there is no evidence that New Hampshire systems or consumer personal or financial information were affected. We will continue to monitor the situation closely and provide updates if the facts change.”
According to the NAIC, unauthorized access to a portion of its computer systems was identified on June 11 and promptly contained. The NAIC has reported that the vulnerability has been remediated, unauthorized access has been blocked, and outside cybersecurity experts, outside counsel, and law enforcement have been engaged.
Based on the NAIC’s investigation to date, there is no current evidence that personal information, payment information, financial account information, credit card information, or banking information was impacted. The NAIC has also stated that its regulatory filing systems remain secure and fully operational, and that state insurance department systems were not affected.
NAIC reviewing data posted online
The NAIC has indicated that certain data recently posted online by the individual or group responsible is believed to include publicly available statutory financial reporting information, credit rating agency data related to insurer investments, and certain routine technical information, such as outdated logs or configuration information. The NAIC has also engaged an independent data consultant to further evaluate the dataset, a process the organization expects may take several weeks.
Department urges vigilance and reporting of suspicious communications
The Department believes that timely, transparent communication is essential during cybersecurity incidents and will continue to share verified information as it becomes available.
The NAIC has advised that anyone who receives a suspicious communication claiming to come from the NAIC should not respond or click any links, should preserve the message, and should report it to cyberincident@naic.org.