The National Association of Insurance Commissioners (NAIC), which sets standards for the US insurance industry, has suspended its risk designations for insurers’ investments following a significant data breach. The cyber attack targeted data provided by major credit rating agencies, including Moody’s, S&P, Fitch, KBRA, and Morningstar DBRS.
The hacking group ShinyHunters has claimed responsibility for the breach, stating they accessed over 45,000 files. In response, credit rating agencies have paused data sharing with the NAIC while the FBI assists in the investigation. While credit rating determinations were accessed, the NAIC noted that the highly sensitive “rationale reports”—which justify private, non-public investment ratings—remain secure.
Why These Ratings Matter
- Capital Requirements: These risk designations dictate how much backup capital life insurers must hold to guarantee they can pay out future policyholder claims. Lower risk designations allow insurers to hold less capital, boosting their profit margins.
- Regulatory Scrutiny: The breach comes amid growing concern from global watchdogs, like the Bank for International Settlements (BIS), that insurers may be using “private letter ratings” to artificially inflate the perceived safety of complex assets and bypass capital rules.
The timeline of the breach has also drawn criticism. Rating agency KBRA noted that the NAIC discovered the breach on June 11 but did not confirm that KBRA data was compromised until June 26, limiting the agency’s ability to swiftly assess the fallout.
