Having mapped Model Law 668 adoption across all 50 states and tracked the notification timelines each requires, one thing is clear: the compliance burden of a multi-state carrier filing identical breach reports to 19 regulators is exactly the problem this portal solves. A carrier domiciled in Connecticut with operations in Alabama, Delaware, Indiana, Iowa, Louisiana, Maine, Maryland, Michigan, Minnesota, Mississippi, New Hampshire, New York, North Dakota, Ohio, South Carolina, Tennessee, Virginia, and Wisconsin currently files the same cybersecurity event notification up to 19 times, using different formats, different portals, and different submission procedures. Each filing runs on its own 72-hour clock, and all of those clocks start simultaneously.
The Cybersecurity (H) Working Group has spent two years building toward a centralized solution. The portal project is the third step in a three-step process: the Cybersecurity Event Response Plan came first, followed by the Insurance Data Security Model Law Compliance and Enforcement Guide, and now the portal itself. At the Spring 2026 National Meeting in San Diego (March 22 to 25), the Working Group adopted a revised project intake form that had been refined through multiple rounds of industry comment. The Innovation, Cybersecurity and Technology (H) Committee is expected to vote on portal adoption at its interim meeting scheduled for April 30, 2026.
Most coverage of the portal has focused on compliance efficiency. That is one part of the story. The second part, and the part most relevant to actuarial practice, is what happens when you centralize incident data that has previously been scattered across 19 separate regulatory silos. For the first time, regulators and eventually researchers will have access to a standardized, comparable dataset of insurer cybersecurity events. That has pricing implications for every carrier writing cyber liability coverage and operational implications for every carrier managing its own cyber risk exposure.
What Model Law 668 Requires and Where It Applies
The Insurance Data Security Model Law (#668) was adopted by the NAIC in 2017 and establishes a comprehensive cybersecurity framework for insurance licensees. The law covers insurers, insurance agents, and other entities licensed by state departments of insurance. Its requirements span five core areas: a risk-based information security program (Section 4), cybersecurity event investigation (Section 5), commissioner notification (Section 6), consumer notification (Section 7), and third-party service provider oversight (Section 3F).
The notification trigger under Section 6 is specific. A licensee must notify its domiciliary commissioner no later than 72 hours after determining that a cybersecurity event has occurred, when the event either involves the licensee’s state of domicile or affects nonpublic information of 250 or more consumers residing in the state. The 72-hour clock starts at determination, not discovery, which gives insurers time to conduct an initial investigation under Section 5 before the notification obligation attaches.
As of the NAIC’s April 2026 adoption tracker, 19 states have enacted Model Law 668 in substantially similar form:
| State | Effective Date | Notable Variations |
|---|---|---|
| Alabama | 2020 | Closely follows model text |
| Connecticut | 2020 | Includes additional safe harbor provisions |
| Delaware | 2020 | Closely follows model text |
| Indiana | 2020 | Closely follows model text |
| Iowa | 2021 | Closely follows model text |
| Louisiana | 2021 | Closely follows model text |
| Maine | 2021 | Closely follows model text |
| Maryland | 2022 | Enhanced third-party vendor requirements |
| Michigan | 2019 | Early adopter; closely follows model text |
| Minnesota | 2022 | Closely follows model text |
| Mississippi | 2021 | Closely follows model text |
| New Hampshire | 2020 | Closely follows model text |
| New York | 2017 (DFS Reg 500) | Pre-dates Model Law 668; DFS 23 NYCRR 500 is broader in scope |
| North Dakota | 2021 | Closely follows model text |
| Ohio | 2018 | Early adopter; NIST framework safe harbor |
| South Carolina | 2019 | Early adopter; closely follows model text |
| Tennessee | 2022 | Closely follows model text |
| Virginia | 2021 | Closely follows model text |
| Wisconsin | 2023 | Most recent adopter at time of portal launch |
The “substantially similar” standard the NAIC uses for its adoption tracker requires states to adopt the model in its entirety but permits variations in style and format. New York’s inclusion is notable because 23 NYCRR 500 predates Model Law 668 and imposes more extensive requirements, including a designated Chief Information Security Officer, annual penetration testing, and a 72-hour notification window to the DFS superintendent specifically. For portal purposes, New York’s participation means the portal must accommodate a jurisdiction whose notification requirements exceed the model law baseline.
The remaining 31 states and territories without Model Law 668 still have their own data breach notification statutes, but these are general-purpose laws that apply to all businesses, not insurance-specific cybersecurity frameworks. The NAIC’s government affairs brief continues to advocate for broader adoption, and the portal itself may accelerate the process: states considering adoption will be able to point to centralized reporting infrastructure as a benefit rather than another regulatory burden for licensees to manage.
How the Portal Works: Architecture and Access Controls
The portal operates as a push system. A licensee experiencing a cybersecurity event logs into the portal, completes a standardized notification form, and selects the states to which the notification should be sent. Only the regulators in those selected states can view the submitted data. This is a critical design choice: the portal is not a shared repository where all state regulators can browse all submissions. It is a distribution mechanism where the submitter controls which jurisdictions receive which information.
This architecture directly addresses the concentration risk concerns raised by the National Association of Mutual Insurance Companies (NAMIC) during the Fall 2025 comment period. NAMIC argued that centralizing detailed cybersecurity event descriptions would create a target for threat actors, who could mine the repository to identify vulnerabilities that some companies had patched but others had not. The push model mitigates this by limiting data visibility to selected state regulators rather than creating a browsable database of incident details.
Several design decisions emerged from the Working Group’s comment and revision process:
- No licensee fees. The portal will be free for submitters. The NAIC will absorb development and maintenance costs, removing a potential barrier to adoption for smaller carriers and independent agents.
- SOC 3 reporting. The NAIC refined the System and Organization Controls (SOC) 3 report language in the intake form in response to industry feedback. A SOC 3 report provides a general-use report on whether the portal’s controls meet the Trust Services Criteria for security, availability, processing integrity, confidentiality, and privacy. This is a lower bar than a SOC 2 Type II report (which provides detailed control descriptions and testing results) but signals the NAIC’s commitment to independent assurance of portal security.
- Standardized intake form. The notification form adopted by the Working Group on March 13, 2026 standardizes the data fields across all participating jurisdictions, eliminating the need for carriers to translate the same incident information into different state-specific formats.
- Phased development. The intake form adoption authorizes the NAIC to begin development. Key aspects of the portal’s structure, content, and functionality will be addressed in subsequent phases. The Working Group has not yet published a target launch date, but the phased approach suggests a build-test-iterate model rather than a single large deployment.
The American Property Casualty Insurance Association (APCIA) expressed support for the centralized concept and requested opportunities to provide feedback on prototypes and operational details as development proceeds. This positions the portal as a collaborative regulatory technology project rather than a top-down mandate, which may help adoption rates among carriers that are wary of new regulatory reporting systems.
The Multi-State Compliance Burden the Portal Solves
Consider a national P&C carrier domiciled in Ohio with policyholders in all 19 Model Law 668 states. When a ransomware attack compromises the nonpublic information of 50,000 policyholders across those states, the carrier’s compliance team currently faces the following workflow:
- Section 5 investigation. The carrier investigates the event, determines the scope of compromised data, and identifies affected consumers by state of residence.
- 72-hour clock starts. Upon determining that a cybersecurity event has occurred and that it meets the notification threshold (250 or more consumers in any given state, or the event involves the carrier’s domiciliary state), the carrier has 72 hours to notify each applicable commissioner.
- 19 separate filings. The carrier must file notifications with each of the 19 state regulators. Each state may have its own submission portal, its own form, its own formatting requirements, and its own preferred level of detail. Some states accept email submissions; others require uploads to state-specific online systems.
- Follow-up responses. Each state regulator may send follow-up questions on a different timeline, requiring the compliance team to manage 19 parallel response tracks.
The resource cost is substantial. Compliance staff spend time reformatting the same information for different state portals rather than focusing on incident response. Outside counsel may need to review each state submission separately to ensure compliance with jurisdiction-specific variations. For a mid-size carrier with a lean compliance team, the administrative burden of multi-state notification can divert attention from the actual cybersecurity response at the worst possible time.
Under the portal model, the third step collapses into a single submission. The carrier fills out one standardized form, selects all 19 states, and the portal distributes the notification to each state regulator. Follow-up questions from individual states would still require state-specific responses, but the initial notification becomes a single administrative action instead of 19.
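As an added illustration, not code from the NAIC or from this article, the following Python sketch encodes the two mechanics described above and in the architecture section: the Section 6 trigger (domiciliary commissioner plus any Model Law 668 state with 250 or more affected resident consumers) with its 72-hour clock starting at determination, and the push-model access rule under which a regulator can read a submission only if the submitter selected its state. The state list is the article's adoption table; the function names, the `Submission` record, the access log and the Ohio-domiciled ransomware scenario are all constructed for the example. It also shows the check a compliance team would want that the portal itself will not do for them: flagging obligated states the submitter failed to select.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed reference data: the 19 adopting states from the article's table.
MODEL_668_STATES = frozenset({
    "AL", "CT", "DE", "IN", "IA", "LA", "ME", "MD", "MI", "MN",
    "MS", "NH", "NY", "ND", "OH", "SC", "TN", "VA", "WI",
})
CONSUMER_THRESHOLD = 250                   # Section 6 per-state consumer trigger
NOTIFICATION_WINDOW = timedelta(hours=72)  # clock starts at determination, not discovery


@dataclass
class CyberEvent:
    licensee: str
    domicile: str                 # two-letter state of domicile
    determined_at: datetime       # moment the Section 5 investigation concluded an event occurred
    affected_by_state: dict       # affected consumers keyed by state of residence


def states_to_notify(event: CyberEvent) -> frozenset:
    """Section 6 trigger as the article states it: the domiciliary commissioner, plus every
    Model Law 668 state with 250 or more affected resident consumers."""
    obligated = set()
    if event.domicile in MODEL_668_STATES:
        obligated.add(event.domicile)
    for state, count in event.affected_by_state.items():
        if state in MODEL_668_STATES and count >= CONSUMER_THRESHOLD:
            obligated.add(state)
    return frozenset(obligated)


def notification_deadline(event: CyberEvent) -> datetime:
    return event.determined_at + NOTIFICATION_WINDOW


@dataclass
class Submission:
    """One standardized form, pushed only to the states the submitter selected (hypothetical record)."""
    submission_id: str
    event: CyberEvent
    selected_states: frozenset
    submitted_at: datetime
    access_log: list = field(default_factory=list)   # (regulator_state, granted) per lookup

    @property
    def filed_late(self) -> bool:
        return self.submitted_at > notification_deadline(self.event)

    @property
    def unselected_obligations(self) -> frozenset:
        """Obligated states the submitter did not select; the portal does not add them silently."""
        return states_to_notify(self.event) - self.selected_states


def submit(event: CyberEvent, selected_states, submitted_at: datetime, submission_id: str) -> Submission:
    unknown = set(selected_states) - MODEL_668_STATES
    if unknown:
        raise ValueError(f"not Model Law 668 jurisdictions: {sorted(unknown)}")
    return Submission(submission_id, event, frozenset(selected_states), submitted_at)


def regulator_view(sub: Submission, regulator_state: str):
    """Push-model authorization: a regulator sees a submission only if its state was selected.
    Every attempt, granted or denied, is logged so portal operators can see unexpected lookups."""
    granted = regulator_state in sub.selected_states
    sub.access_log.append((regulator_state, granted))
    if not granted:
        return None
    return {
        "submission_id": sub.submission_id,
        "licensee": sub.event.licensee,
        "affected_consumers_in_state": sub.event.affected_by_state.get(regulator_state, 0),
        "deadline": notification_deadline(sub.event).isoformat(),
    }


# Constructed scenario matching the article: Ohio-domiciled carrier, ransomware, 50,000 consumers.
SAMPLE_EVENT = CyberEvent(
    licensee="Example Mutual (constructed)",
    domicile="OH",
    determined_at=datetime(2026, 5, 4, 9, 0, tzinfo=timezone.utc),
    affected_by_state={
        "OH": 18000, "NY": 9000, "MI": 4200, "CT": 310,
        "ME": 120,    # below the 250-consumer trigger
        "TX": 18370,  # not a Model Law 668 state
    },
)


def sample_submission(selected_states, hours_after_determination=30.0, submission_id="sub-0001"):
    when = SAMPLE_EVENT.determined_at + timedelta(hours=hours_after_determination)
    return submit(SAMPLE_EVENT, selected_states, when, submission_id)


if __name__ == "__main__":
    sub = sample_submission({"OH", "NY", "MI"})
    print("obligated:", sorted(states_to_notify(SAMPLE_EVENT)))
    print("selected but obligation missed:", sorted(sub.unselected_obligations))
    print("filed late:", sub.filed_late)
    print("CT regulator view:", regulator_view(sub, "CT"))   # None: CT was not selected
    print("OH regulator view:", regulator_view(sub, "OH"))
    print("access log:", sub.access_log)
```

In the sample run the carrier selected Ohio, New York and Michigan but not Connecticut, so `unselected_obligations` reports `CT` even though the form was filed inside the 72-hour window; Maine's 120 consumers and Texas's 18,370 generate no Model Law 668 obligation at all, which is the distinction the compliance team has to draw by state of residence before it can fill in the form.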
This reduction in filing friction also has a subtle actuarial implication: it may improve notification timeliness. When compliance teams are overwhelmed by the mechanics of multi-state filing, there is a risk that some notifications are delayed beyond the 72-hour window, creating regulatory exposure that compounds the financial impact of the underlying cyber event. A single-submission portal reduces that risk by lowering the marginal cost of adding each additional state to the notification.
The Federal Reporting Overlap
The NAIC portal addresses state-level insurance regulator notification. It does not replace or consolidate the growing number of federal cybersecurity reporting obligations that insurers also face. Understanding the overlap is important for compliance teams and for actuaries modeling the total regulatory cost of cyber events.
| Federal Requirement | Agency | Notification Timeline | Applicability to Insurers |
|---|---|---|---|
| CIRCIA | CISA | 72 hours for cyber incidents; 24 hours for ransomware payments | Applies to covered entities in critical infrastructure sectors; insurers may qualify depending on final rule definitions |
| SEC Cybersecurity Disclosure | SEC | 4 business days for material incidents (Form 8-K) | Publicly traded insurers only |
| GLBA Safeguards Rule | FTC | 30 days for breaches affecting 500+ consumers | Financial institutions including some insurance entities |
| HIPAA Breach Notification | HHS | 60 days for breaches affecting 500+ individuals; annual for smaller breaches | Health insurers and business associates handling PHI |
The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), passed in 2022, adds another layer. Under CIRCIA, covered entities in critical infrastructure sectors must report major cyber incidents to CISA within 72 hours and ransomware payments within 24 hours. The final rule’s scope is still being defined, but insurers could qualify as covered entities depending on how CISA draws the sector boundaries. A 2023 Department of Homeland Security report identified 52 existing or proposed federal cybersecurity reporting requirements, highlighting the fragmentation that exists even before state insurance-specific obligations are counted.
For a publicly traded health insurer experiencing a significant breach, the reporting cascade includes the NAIC portal for state insurance regulators, Form 8-K for the SEC, HIPAA notification for HHS, potential CIRCIA reporting for CISA, and state attorney general notifications under general-purpose breach notification statutes. The NAIC portal solves one piece of this puzzle, but the total reporting burden remains complex. Industry groups have advocated for a federal “common form” approach, where a single submission could satisfy multiple federal requirements, but no such harmonization has been implemented.
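To make the reporting cascade concrete, here is an added Python example (constructed for this page, not tooling from the NAIC or any of the agencies) that turns the clocks in the table above into a single deadline schedule for one event. It takes the article's timelines as given: 72 hours for the state commissioners through the portal and for a CIRCIA incident report, 24 hours from a ransomware payment, 4 business days for Form 8-K, 30 days under the FTC Safeguards Rule and 60 days under HIPAA with the 500-person threshold on both, and annual reporting for smaller HIPAA breaches. The business-day arithmetic, the holiday set, the `reporting_schedule` and `add_business_days` names, and the publicly traded health insurer scenario are assumptions of the example.

```python
from datetime import date, datetime, time, timedelta, timezone

# Clocks and thresholds as stated in the article's federal overlap table.
STATE_668_WINDOW = timedelta(hours=72)
CIRCIA_INCIDENT_WINDOW = timedelta(hours=72)
CIRCIA_RANSOM_WINDOW = timedelta(hours=24)
SEC_BUSINESS_DAYS = 4
GLBA_WINDOW, GLBA_THRESHOLD = timedelta(days=30), 500
HIPAA_WINDOW, HIPAA_THRESHOLD = timedelta(days=60), 500


def add_business_days(start: date, n: int, holidays=frozenset()) -> date:
    """Advance n business days from start, skipping weekends and any supplied holiday dates."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5 and d not in holidays:
            n -= 1
    return d


def reporting_schedule(determined_at: datetime, *, affected_consumers: int,
                       publicly_traded: bool, material: bool, phi_involved: bool,
                       glba_covered: bool, circia_covered: bool,
                       ransom_paid_at=None, holidays=frozenset()) -> list:
    """Return [(obligation, deadline)] sorted by deadline. A None deadline means the
    obligation exists but runs on no fixed clock (HIPAA annual reporting of small breaches)."""
    rows = [("State commissioners via NAIC portal (Model Law 668)", determined_at + STATE_668_WINDOW)]
    if circia_covered:
        rows.append(("CISA incident report (CIRCIA)", determined_at + CIRCIA_INCIDENT_WINDOW))
        if ransom_paid_at is not None:
            # The 24-hour ransomware clock runs from the payment, not from determination.
            rows.append(("CISA ransomware payment report (CIRCIA)", ransom_paid_at + CIRCIA_RANSOM_WINDOW))
    if publicly_traded and material:
        # Business-day clock: weekends and holidays do not count, so the calendar gap varies.
        day = add_business_days(determined_at.date(), SEC_BUSINESS_DAYS, holidays)
        rows.append(("SEC Form 8-K", datetime.combine(day, time(23, 59), tzinfo=determined_at.tzinfo)))
    if glba_covered and affected_consumers >= GLBA_THRESHOLD:
        rows.append(("FTC Safeguards Rule notice (GLBA)", determined_at + GLBA_WINDOW))
    if phi_involved:
        if affected_consumers >= HIPAA_THRESHOLD:
            rows.append(("HHS breach notification (HIPAA)", determined_at + HIPAA_WINDOW))
        else:
            rows.append(("HHS annual log of small breaches (HIPAA)", None))
    rows.sort(key=lambda r: (r[1] is None, r[1] or determined_at))
    return rows


# Constructed scenario: publicly traded health insurer, determination on a Friday morning,
# ransom paid 12 hours later, one assumed holiday the following Tuesday.
SAMPLE_DETERMINED_AT = datetime(2026, 5, 8, 9, 0, tzinfo=timezone.utc)
SAMPLE_HOLIDAYS = frozenset({date(2026, 5, 12)})


def sample_schedule() -> list:
    return reporting_schedule(
        SAMPLE_DETERMINED_AT,
        affected_consumers=50000,
        publicly_traded=True, material=True,
        phi_involved=True, glba_covered=True, circia_covered=True,
        ransom_paid_at=SAMPLE_DETERMINED_AT + timedelta(hours=12),
        holidays=SAMPLE_HOLIDAYS,
    )


def small_breach_schedule() -> list:
    """Edge case: 120 affected PHI records, below both 500-person thresholds, private company."""
    return reporting_schedule(
        SAMPLE_DETERMINED_AT,
        affected_consumers=120,
        publicly_traded=False, material=False,
        phi_involved=True, glba_covered=True, circia_covered=False,
    )


if __name__ == "__main__":
    for obligation, deadline in sample_schedule():
        print(f"{deadline.isoformat() if deadline else 'no fixed clock':<25} {obligation}")
    print("--- small breach ---")
    for obligation, deadline in small_breach_schedule():
        print(f"{deadline.isoformat() if deadline else 'no fixed clock':<25} {obligation}")
```

The ordering is the point: in the sample scenario the ransomware payment report falls due before either 72-hour clock, the Form 8-K lands on the Friday after determination only because a weekend and an assumed holiday are skipped, and the 500-person thresholds drop the FTC and HHS filings entirely for the small-breach case while leaving the portal submission in place.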
NAMIC’s Systemic Risk Objection and the Portal’s Security Response
NAMIC’s concern deserves detailed examination because it reflects a genuine tension in cybersecurity regulation. The argument is straightforward: a centralized repository of cybersecurity event descriptions creates a high-value target. If breached, the repository could provide threat actors with a roadmap of which companies have patched specific vulnerabilities and, by inference, which have not. The systemic risk of a single breach exposing the incident details of every reporting insurer could exceed the compliance efficiency gains.
NAMIC requested that the Working Group document its intent that submissions should remain “high-level” to avoid centralizing excessive sensitive data. This request reflects a practical compromise: the portal can centralize notification logistics without centralizing granular technical details about attack vectors, unpatched vulnerabilities, or remediation timelines.
The Working Group responded to these concerns through several design choices. The push architecture limits data visibility to selected state regulators rather than creating a browsable repository. The SOC 3 reporting commitment provides third-party assurance of portal security controls. And the phased development approach allows security architecture to be refined before the portal handles production data.
From an actuarial perspective, the tension between data granularity and security exposure maps directly onto a familiar modeling challenge: the more detailed the incident data, the better the loss models, but the more detailed the centralized data, the greater the concentration risk if the repository itself is compromised. The portal’s design attempts to thread this needle by standardizing notification format (which helps data analysis) while limiting the technical depth of submissions (which reduces the value of the data to threat actors).
The Actuarial Implications: From Fragmented Data to Standardized Incident Records
This is where the portal’s significance extends beyond compliance efficiency. Cyber insurance pricing has been constrained by data limitations since the line’s inception. As Munich Re’s 2026 cyber risk report notes, the focus on “more and ever-better data on risk trends, losses, and incidents” remains critical for underwriting and modeling advancements. Swiss Re projects global cyber insurance premiums at $16.4 billion in 2026, but growth has slowed from double-digit rates to roughly 5% compound annual growth since 2023, driven in part by rate deterioration from a competitive market that lacks the loss data granularity to differentiate risk precisely.
The portal creates a potential pathway to better data in three specific ways:
Standardized incident categorization. When 19 states receive breach notifications in 19 different formats, the resulting data is difficult to aggregate. Different states may categorize the same event differently, use different severity scales, or capture different data fields. The portal’s standardized intake form creates uniform records across all participating jurisdictions, making it possible to aggregate and compare incident data for the first time.
Frequency data by insurer type and size. Regulators will be able to see patterns in incident frequency across different insurer types (P&C, life, health), size categories (premium volume, employee count), and geographic distributions. This is the kind of data that actuaries pricing cyber coverage currently lack or must estimate from general industry surveys. Even if the portal data is not directly shared with the market, regulatory analysis published in aggregate could inform industry-level frequency assumptions.
Notification-to-resolution timelines. Because the portal captures the notification timestamp and states can track follow-up communications, it becomes possible to analyze how long different types of cyber events take to resolve from a regulatory perspective. For reserve actuaries, this creates a reference point for development patterns on cyber claims, an area where loss development triangles are still immature relative to established P&C lines.
The American Academy of Actuaries has noted that cyber insurance is nearing an inflection point, with the gap between data needs and data availability constraining the market’s ability to serve smaller commercial policyholders. Standardized regulatory incident data could narrow that gap, particularly for loss frequency modeling where existing data sources rely heavily on voluntary disclosures and vendor claims databases.
CyberCube Threat Briefing: AI-Accelerated Attack Vectors
The portal project did not develop in isolation from the threat landscape. At the Spring 2026 Working Group meeting, William Altman, Director of Cyber Threat Intelligence Services at CyberCube, presented on current cybercrime risks and trends. The briefing highlighted ransomware as the primary criminal threat facing insurers, with generative AI enabling threat actors to “scale, localize, and personalize attacks more effectively.”
This threat intelligence context reinforces the urgency of both the portal and the broader Model Law 668 framework. AI-powered phishing campaigns, which use large language models to craft convincing, personalized messages at scale, have accelerated the frequency of initial access attempts against financial institutions including insurers. The Alston & Bird summary of the Spring meeting noted that regulators emphasized a shift from breach containment toward business continuity and resilience planning, acknowledging that successful cyberattacks are increasingly a question of when, not if.
For actuaries, the AI-accelerated threat environment creates compound uncertainty. Traditional cyber loss models built on historical frequency data may understate forward-looking risk if the underlying attack technology has fundamentally changed the threat generation rate. The portal’s standardized incident data, collected in real time as events are reported, would provide earlier signals of frequency trend changes than retrospective industry surveys or annual regulatory reports.
Model Law 668 Amendments in Progress
The portal is not the only Model Law 668 initiative underway. The Cybersecurity Working Group is also drafting amendments to the model law itself, with a full draft expected for public comment in 2026. The amendments address areas where the 2017 model law has shown gaps as the threat landscape has evolved.
Key areas under consideration include:
- Third-party service provider requirements. Section 3F of the current model requires licensees to exercise due diligence in selecting third-party service providers and require them to implement appropriate security measures. The amendments are expected to strengthen the specificity of these requirements, potentially aligning with the NAIC’s parallel work on third-party AI vendor governance.
- Incident response planning. The Cybersecurity Event Response Plan (CERP) adopted by the Working Group establishes a voluntary framework for regulatory coordination during large-scale cyber events. Amendments could codify some CERP provisions as mandatory requirements under the model law.
- Board-level oversight. Following the trend established by New York’s 23 NYCRR 500 amendments, the model law amendments may require board-level approval of information security programs and regular board reporting on cybersecurity posture, similar to the governance requirements in the NAIC’s AI risk taxonomy compliance framework.
For the portal, these amendments matter because they could expand the notification requirements that the portal facilitates. If amended Model Law 668 requires more detailed incident reporting, faster notification timelines, or broader categories of reportable events, the portal’s standardized form would need to be updated accordingly. The phased development approach gives the NAIC flexibility to align the portal with the evolving model law.
How the Portal Compares to Existing State Reporting Infrastructure
Several states have built their own cybersecurity event reporting systems outside the Model Law 668 framework. Understanding how the NAIC portal relates to these existing systems clarifies what the portal is and is not replacing.
New York DFS Cyber Portal. New York operates its own cybersecurity event reporting system under 23 NYCRR 500, which requires direct notification to the DFS superintendent within 72 hours. The DFS system captures more detailed information than the Model Law 668 notification and includes requirements for ongoing updates as the investigation progresses. The NAIC portal would need to interoperate with, not replace, New York’s existing system unless the DFS agrees to accept NAIC portal submissions as satisfying its own notification requirements.
State attorney general breach notification portals. Most states operate breach notification portals under their general data breach notification statutes (not insurance-specific). These are separate from the Model Law 668 notification and would continue to require independent filings. A carrier experiencing a breach would file through the NAIC portal for insurance regulator notification and separately through state AG portals for consumer breach notification compliance.
NAIC’s existing regulatory technology infrastructure. The NAIC already operates several technology platforms for regulatory data collection, including the System for Electronic Rates and Forms Filing (SERFF) for rate and form filings and the Financial Data Repository for statutory financial statements. The Cybersecurity Event Notification Portal would be built within this existing infrastructure, leveraging the NAIC’s security controls and access management systems. The SOC 3 reporting commitment suggests the portal will undergo the same kind of independent security assessment that these existing platforms receive.
Pricing Implications for Cyber Insurance Writers
Patterns we have seen in cyber insurance pricing over the past three years point to a market that is both maturing and struggling with data adequacy. S&P Global Ratings projects the cyber insurance market reaching $23 billion in annual premiums by 2026, while Swiss Re’s more conservative estimate puts the market at $16.4 billion. The gap between these estimates reflects fundamental uncertainty about how the market will develop, uncertainty that better data could help resolve.
The portal’s potential contribution to pricing actuarial work falls into several categories:
Industry loss frequency benchmarks. The absence of standardized, industry-wide frequency data for insurer cyber events forces pricing actuaries to rely on vendor databases (which may have selection bias), industry surveys (which have response bias), and claims experience from their own book (which may be too thin for credible estimates). Even aggregate frequency data published by regulators from portal submissions would provide a useful reference point for calibrating a priori loss assumptions.
Tail risk calibration. Large-scale cyber events affecting major carriers are rare but potentially catastrophic. The portal would capture these events as they occur, providing regulators with real-time visibility into systemic events and giving the industry a more complete view of tail risk events that individual carriers may not experience in their own books.
Sector-specific loss patterns. If the portal data can be segmented by insurer type (P&C vs. life vs. health), it becomes possible to identify whether certain insurance sectors experience different types or frequencies of cyber events. This sector-specific view could support more refined pricing for cyber coverage sold to insurance companies themselves, a growing segment as carriers increasingly purchase their own cyber liability protection.
The path from portal data to pricing improvements is not straightforward. The data belongs to regulators, and there is no indication that the NAIC plans to make individual incident records available to the market. But regulatory analysis, published in aggregate form, has historically informed actuarial pricing in other lines. NAIC statistical agents aggregate loss data from statutory filings that carriers use for industry benchmarking. A similar dynamic could develop with cyber incident data over time, particularly if the NAIC publishes periodic reports summarizing portal submission trends.
What Compliance Teams Should Do Now
The portal is not yet operational, but compliance teams at carriers operating in Model Law 668 states should begin preparing for the transition from state-by-state filing to centralized submission.
- Map your current notification workflow. Document the specific steps, portals, forms, and timelines your team uses for each Model Law 668 state. This baseline will help you identify how much of the current process the portal will replace and what gaps remain (such as state AG notifications that the portal does not cover).
- Review your 72-hour response capability. The portal reduces filing friction but does not extend the 72-hour notification deadline. Assess whether your incident response team can determine that a cybersecurity event has occurred, scope its impact by state, and complete the portal submission within the required timeframe. Tabletop exercises that incorporate the portal workflow will be useful once the submission form is finalized.
- Monitor the H Committee vote. If the Innovation, Cybersecurity and Technology (H) Committee approves the portal project at its April 2026 interim meeting, the NAIC will begin development. Track the Working Group’s public updates for prototype release dates and opportunities to participate in testing.
- Assess federal reporting overlap. Map the intersection of Model Law 668 notification with your SEC, CIRCIA, HIPAA, and FTC reporting obligations. The portal solves one layer of the reporting stack; your incident response plan should integrate all layers into a coordinated workflow.
- Engage the comment process for Model Law 668 amendments. The Working Group is drafting amendments to the model law itself. If your company has views on notification scope, reporting detail requirements, or third-party service provider obligations, the comment period is the time to provide input.
Why This Matters
The Cybersecurity Event Notification Portal is a regulatory infrastructure project with implications that extend well beyond filing convenience. By standardizing how insurers report cyber incidents to state regulators, the NAIC is building the foundation for the first comparable, cross-state dataset of insurance industry cybersecurity events. That dataset, even in aggregate form, could materially improve the data inputs available for cyber risk pricing, reserve estimation, and enterprise risk management.
For compliance professionals, the portal converts a fragmented, repetitive, and error-prone multi-state notification process into a single submission. That efficiency gain is real and immediate once the portal becomes operational.
For actuaries, the longer-term significance is in the data standardization. Cyber insurance pricing has been constrained by the absence of standardized loss frequency data across the industry. The portal does not solve that problem directly, but it creates the regulatory infrastructure that could generate such data over time. The three-step sequence the NAIC has followed, from the Cybersecurity Event Response Plan to the Compliance and Enforcement Guide to the portal itself, demonstrates an intentional buildout of cybersecurity regulatory capacity that will shape how the insurance industry manages and prices cyber risk for years to come.
For the broader industry, the portal project also signals the NAIC’s willingness to invest in regulatory technology that reduces compliance costs. Alongside the AI Systems Evaluation Tool pilot and the third-party AI vendor registry proposal, the cybersecurity portal represents a pattern of the NAIC building centralized technology infrastructure to address problems that arise from the fragmented, state-by-state regulatory structure. Whether that infrastructure can scale to serve all 56 U.S. insurance jurisdictions while maintaining the security and confidentiality that cyber event data demands remains the open question.
Further Reading
- NAIC Four-Tier AI Risk Taxonomy Redefines Insurer Compliance
- NAIC Proposes Third-Party AI Vendor Registry for Insurers
- NAIC Flags Agentic AI as Insurance’s Next Governance Gap
- The AI Governance Gap in Actuarial Practice
- Cyber Insurance Market 2026: Pricing, Coverage, and Emerging Risks
Sources
- NAIC Cybersecurity (H) Working Group
- NAIC Insurance Data Security Model Law #668 (Full Text)
- NAIC Model Law 668 State Adoption Tracker
- NAIC Model Law 668 State Adoption Map (April 2026)
- NAIC Government Affairs Brief: Insurance Data Security Model Law
- Sidley Austin: NAIC Spring 2026 Regulatory Update (April 14, 2026)
- Mayer Brown: NAIC Spring 2026 H Committee Update (April 2026)
- Alston & Bird: Key AI, Cybersecurity, and Privacy Takeaways from NAIC 2026 Spring Meeting
- Munich Re: Cyber Insurance Risks and Trends 2026
- Swiss Re: Shifting Cyber Insurance Growth Into the Next Gear
- S&P Global Ratings: Cyber Insurance Market Outlook 2026
- American Academy of Actuaries: Cyber Insurance Nears an Inflection Point
- CISA: Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)
- DHS: Harmonization of Cyber Incident Reporting to the Federal Government (2023)
- NAIC Cybersecurity (H) Working Group Meeting Minutes