An Important Update on the NAIC's Security Incident

Security Incident Update

This information reflects the NAIC's current understanding based on the facts developed to date. We will provide updates on NAIC.org as they are available.

In transparency, the NAIC is providing additional FAQs about its security incident. Please see previous updates for additional information about the incident’s background, its impacts, and remediation activities. 

July 2, as of 7 p.m. ET

FAQs:

Q: The NAIC shared that publicly available statutory financial reporting information was accessed by the unauthorized party. What is included in such reporting information?

A: The publicly available statutory financial reporting information contains annual and quarterly financial statements. The only data that was accessed was that data which is available for purchase through the NAIC’s InsData system as described at the following:

https://content.naic.org/prod_serv_financial_home.htm

Non-public data, such as the supplemental compensation exhibit, which is not filed with the NAIC, and Risk-Based Capital, which is confidential, are excluded from the InsData data store and WAS NOT accessed. 

Q: What credit rating agency information was accessed?

A: Credit rating agency data, including private and public rating determinations of investments, was accessed. The NAIC receives rating symbol (e.g. BBB+, A1, etc.) data feeds for both public and private ratings from its credit rating providers. The rating symbol data feeds vary by credit rating provider (CRP), but always includes a security identifier (e.g. CUSIP, CINS, ISIN, PPN, etc.). As private ratings are non-public information, they are considered confidential. The analysis supporting the rating, called a rationale report, was not subject to this incident.

Q. The NAIC temporarily paused issuing new Designations. What does that mean and what is the impact?

A: Credit rating providers (CRP) send their rating symbol data feeds to the NAIC. Information from those feeds is used to assign and publish NAIC Designations, or ratings of investment risk, to public and private investments. NAIC Designations are used by insurers for purposes of their financial reporting, statutory accounting, satisfying state investment limitation statutes, other insurance regulatory reporting, and for calculating their risk-based capital, which is one measure used by regulators along with other financial information, to evaluate an insurance company's financial condition.

Some credit rating providers paused their rating symbol data feeds shortly after being notified of the security incident.  As a result, beginning June 18, 2026, the NAIC paused assigning and publishing NAIC Designations that are based upon CRP ratings within the Automated Valuation Service (AVS+), which is used by insurers to receive the NAIC Designations published by NAIC and has been in contact with credit rating providers about the security incident. Once the rating symbol feeds are restored, NAIC Designation assignments and publication based upon CRP ratings will resume.  

Notwithstanding the pause in publication in AVS+ of NAIC Designation based upon CRP ratings for the purposes of second quarter financial reporting ending on June 30, 2026, which is not due until August 15, the NAIC will be using the CRP ratings symbol data as of June 17, 2026, the last date prior to the suspension, to determine NAIC Designations published in AVS+. Insurers may use those NAIC Designations published in AVS+ for purposes of their second quarter filings with state insurance regulators and the NAIC until the CRP ratings symbol data feed suspension has been lifted and regular publication of NAIC designations in AVS+ has resumed. As such, quarterly reporting should not be delayed. The NAIC will post an announcement as soon as those data feeds have resumed. 

Q: Was the state fees payment system compromised?

A: No

Q: How will the NAIC communicate impacts of company specific data to insurers? How can insurers expect updates?

A: There is no evidence that non-public or confidential insurance company information has been accessed by the unauthorized party. The insurer data in scope consists solely of publicly available statutory financial reporting data. The analysis from Mandiant confirms the scope includes PeopleSoft and certain data storage areas.  

The NAIC has been communicating with companies through cyber security, annual statement, and government relations contacts throughout this process. Should any new information become available, or if our findings change, we will promptly notify these contacts and provide updated information.

Q: Did the accessed data include any information that insurers had marked, submitted, or reasonably understood to be confidential, nonpublic, trade secret, proprietary, or restricted?

A: No. The information accessed was a data repository used to support InsData, the NAIC's public portal for insurance company financial statements and statutory reporting information.

Q: Was any insurer-specific investment portfolio information exposed through the rating agency data, either directly or by linkage to statutory investment schedules?

A: No

  • Was any of this data destroyed or exfiltrated?

 No

Q: Has NAIC determined that no PlI, banking payment information, policyholder information, producer data, or employee personal data was accessed, or is that still subject to further review?

A: There is no evidence that PII, banking, policyholder, producer, or employee data was accessed or released by the unauthorized party. 

  • Was any of this data destroyed or exfiltrated?

No

Q: Was any data exfiltrated?

A: Yes. Data accessed or acquired, based on findings to date, included: 

  • Publicly available statutory financial reporting information.
  • Credit rating agency data, including private and public rating determinations of investments. This does not include any rating agency investment rationale reports.
  • Some additional storage data was included, which contained routine technical information, such as outdated logs or configuration information.

Q: Can insurers continue with premium tax engagement with the NAIC?

A: Yes. OPTins was not impacted by this incident. We have confirmed that the unauthorized user no longer has access to our environment, and we took immediate steps to secure and further protect our systems.

Q: How can insurers stay updated?

A: The NAIC has been communicating with insurers through cyber security, annual statement, and government relations contacts throughout this process. Should any new information become available, or if our findings change, we will promptly notify these contacts and provide updated information. Updates will also be posted to NAIC.org.

June 26, 2026, as of 5 p.m. ET

The NAIC is providing the following update:

Incident Background

  • Unauthorized access to a portion of the NAIC’s environment was identified on June 11 via an Oracle PeopleSoft vulnerability. While in PeopleSoft, the unauthorized party was able to obtain information needed to gain temporary access to certain data storage areas. The ability to gain this temporary access has been blocked and remediated.
  • The incident was promptly contained following detection, and the NAIC engaged outside counsel and cybersecurity experts. FBI coordination is underway.
  • The incident resulted from a broad campaign to exploit a vulnerability in PeopleSoft that was unknown to the developer or software users at the time, otherwise known as a “zero-day vulnerability,” which affected multiple organizations. The NAIC uses PeopleSoft primarily for internal financial reporting purposes.
  • The individual or group responsible has published the data.
  • We are actively working with an external data consultant to compare the scope and type of data the group posted with our own preliminary analysis.

Impacts  

  • Data accessed or acquired, based on findings to date, included:
    • Publicly available statutory financial reporting information. These statements were publicly available prior to this incident through state websites, InsData, or resellers.
    • Credit rating agency data, including rating determinations of insurer investments. This does not include any rating agency investment rationale reports.
    • Potentially, some additional storage data was included, which contained routine technical information, such as outdated logs or configuration information.
  • Importantly, there is no current evidence that PII or payment and financial account information was accessed, including credit card or banking information.
  • Regarding the status of systems:
    • State insurance departments’ systems are not impacted.
    • The individual or group responsible claimed to have technology provided by the NAIC, including the System for Electronic Rate and Form Filing (SERFF), Online Premium Tax for Insurance (OPTins), Uniform Certificate Authority Application (UCAA), Enterprise Data Platform (EDP), and Regulatory Data Collection (RDC). Outside cybersecurity experts confirmed the unauthorized party did not take this information, nor compromised these regulatory reporting systems.
    • Based on findings to date, the following were also not accessed: NIPR, Teammate, State Based Systems (SBS), employee personal data, electronic funds transfer, risk-based capital data, policyholder information, producer data, and event registration payment information.
    • Due to the incident, certain credit rating agencies have paused their data feeds and consequently, the NAIC has temporarily suspended assigning designations to insurer investments. Insurers should monitor AVS+ for any updates.  

Remediation & Next Steps

  • In conjunction with NAIC senior management, our outside cybersecurity experts have confirmed that affected systems have been remediated, and we have taken additional steps to strengthen our defenses with their partnership.
  • Our operations have returned to normal with two exceptions:
    • We are meeting with credit rating providers and have provided third-party assurances that our systems are secure, and the NAIC designation process can resume.
    • Online invoice payment via PeopleSoft is not yet available.
  • We have engaged cybersecurity experts to compare our data with what affected systems have been remediated.
  • We understand that this process can take several weeks.  Though speed is important, accuracy is paramount. Updates regarding that process will be communicated to stakeholders and via updates on NAIC.org. 

If you receive a suspicious communication claiming to come from the NAIC, do not respond or click any links, preserve the message and report it to cyberincident@naic.org.

We will continue to provide more information as it is available.

June 25, as of 8:47 p.m. ET

Based on our preliminary review of the information known to date, the data recently posted by the individual or group responsible is thought to include the following:

  • Publicly available statutory financial reporting information. These statements were publicly available prior to this incident through state websites, InsData, or resellers.
  • Credit rating agency data, including rating determinations of insurer investments. This does not include any rating agency investment rationale reports.

The data impacted also potentially includes additional NAIC storage data, which contained routine technical information, such as outdated logs or configuration information.

From the information known to date, there is no current evidence that personal information (PII) or payment or financial account information was impacted, including credit card or banking information.

Also, the NAIC's regulatory filing systems are operating as normal and are secure.   

We have engaged an outside data consultant to further evaluate the dataset to validate our internal analysis. We anticipate this review to take at least several weeks.

We will continue to post updates here and are committed to transparency as this work proceeds. 

June 25, as of 12:05 pm ET

The NAIC is aware data taken from our environment during the security incident was published online by the group responsible. We are actively working with an external cybersecurity partner to compare the scope and type of data the group posted with our own analysis. Updates will be posted here as they are available.

June 23, 2026, as of 3:15 p.m. ET

Incident Background

  • Unauthorized access to a portion of the NAIC’s environment was identified on June 11 via an Oracle PeopleSoft vulnerability. While in PeopleSoft, the unauthorized party was able to obtain information needed to gain temporary access to certain data storage areas. The ability to gain this temporary access has been blocked and remediated.
  • The incident was promptly contained following detection, and the NAIC engaged outside counsel and cybersecurity experts. FBI coordination is underway.
  • The incident resulted from a broad campaign to exploit a vulnerability in PeopleSoft that was unknown to the developer or software users at the time, otherwise known as a “zero-day vulnerability,” which affected multiple organizations. The NAIC uses PeopleSoft primarily for internal financial reporting purposes.
  • Based on our investigation with outside cybersecurity experts and what we know today, we do not believe the group responsible has the amount or scope of data it has claimed, and as of this writing, we have no confirmation that data from our environment has been published or released.

Impacts

  • Data accessed or acquired, based on findings to date, included:
    • Publicly available statutory financial reporting information. These statements were publicly available prior to this incident through state websites, InsData, or resellers.
    • Credit rating agency data, including rating determinations of insurer investments. This does not include any rating agency investment rationale reports.
  • Importantly, no PII or payment information was accessed, including credit card or banking information.
  • Regarding the status of systems:
    • State insurance departments’ systems are not impacted.
    • The individual or group responsible claimed to have technology provided by the NAIC, including the System for Electronic Rate and Form Filing (SERFF), Online Premium Tax for Insurance (OPTins), Uniform Certificate Authority Application (UCAA), Enterprise Data Platform (EDP), and Regulatory Data Collection (RDC). Outside cybersecurity experts confirmed the unauthorized party did not take this information, nor compromised these regulatory reporting systems.
    • Based on findings to date, the following were also not accessed: NIPR, Teammate, State Based Systems (SBS), employee personal data, electronic funds transfer, risk-based capital data, policyholder information, producer data, and event registration payment information.
    • Due to the incident, certain credit rating agencies have paused their data feeds and consequently, the NAIC has temporarily suspended assigning designations to insurer investments.

Remediation & Next Steps

  • In conjunction with NAIC senior management, our outside cybersecurity experts have confirmed that affected systems have been remediated, and we have taken additional steps to strengthen our defenses with their partnership.
  • Our operations have returned to normal with two exceptions:
    • We are meeting with credit rating providers to provide third-party assurances that our systems are secure, and the NAIC designation process can resume.
    • Online invoice payment via PeopleSoft is not yet available.
  • We are working with credit rating agencies and anticipate providing them with third-party verification of our systems, and on any steps they require to restore services.
  • If the data is released by the group responsible, we will engage cybersecurity experts to compare our data with what affected systems have been remediated.
  • We understand that this process can take months. Though speed is important, accuracy is paramount. Updates regarding that process will be communicated to stakeholders and via updates on NAIC.org.

If you receive a suspicious communication claiming to come from the NAIC, do not respond or click any links, preserve the message and report it to cyberincident@naic.org.

We recognize the seriousness of this incident and the trust placed in the NAIC and the state-based regulatory insurance system. We will continue to provide updates as more information is available.

An update from the NAIC

June 18, 2026

We previously advised that the NAIC identified unauthorized access to our PeopleSoft system by an unknown third party. This update shares what we have since learned.

We are now aware that the individual or group responsible for this incident has publicly claimed to have obtained NAIC data. At this time, we have no confirmation that data from our environment has been published or released. We understand this is concerning, and we want to keep you informed about what we know, what we are still determining, and the steps we are taking. Based on public reporting, this appears to be part of a broader campaign affecting many organizations that use this software.

Our investigation, conducted with outside cybersecurity experts and in coordination with law enforcement, remains ongoing. At this stage, we are continuing to assess whether any data was accessed or acquired, and, if so, what information and whose information may be involved. Because this review is ongoing, some details may change as we learn more, and we will update this page accordingly.

This development does not change our commitment to the people and organizations we serve. If we determine that your personal information is involved, we will notify you directly as required and as appropriate, and we will provide guidance on steps you can take to protect yourself.

If you receive a suspicious communication claiming to come from the NAIC, do not respond or click any links, preserve the message and report it to cyberincident@naic.org.

We recognize the seriousness of this event and the trust placed in the NAIC and the state-based insurance regulatory system. We are continuing to strengthen our defenses, and we are committed to transparency as our investigation proceeds.

June 17, 2026

The NAIC identified, on or about June 11, unauthorized access to our PeopleSoft systems. After detecting the incident, we promptly activated our incident response procedures and took steps to contain the situation. We are working diligently to investigate and will provide relevant updates as appropriate.  

We are committed to maintaining the integrity of the state-based insurance system and protecting our members' information. 

While these types of situations have become all-too common, we recognize the significance of this event and have taken prompt and appropriate steps to address it.

We are conducting a thorough investigation to determine what information may have been affected. Based on what we know at this stage, we are not able to confirm the full scope, and we will update this page as our understanding develops. If we determine that personal information has been affected, we will notify those individuals as required and as appropriate. 

We will provide updates here as they are available, as well as share plans for notifying impacted parties as we confirm any additional information about this incident.

FAQs 

1. What happened? What has been impacted? 

We are aware of an incident in which an unauthorized third party gained access to a portion of our IT systems. The investigation is ongoing, and we are actively working with leading cybersecurity experts to assess the situation. We do not have additional information to share at this time.

2. How did this happen? What security measures does NAIC have in place to prevent this type of event? 

We are actively working with leading cybersecurity experts to investigate the matter. We do not have additional information to share at this time.

3. Where are you in the investigation? When will it be completed? 

We are actively working with leading cybersecurity experts to assess the situation. These investigations are complex and take time.

4. When will the investigation be completed? When will you provide additional information or updates? 

This is a top priority for us and something we take extremely seriously. We have a dedicated internal team focused on this matter, supported by leading cybersecurity experts. These investigations are complex and take time, though we are working with urgency. We will provide relevant updates as appropriate. 

5. Do you have insurance to cover potential expenses related to this matter? How much? 

We have been in contact with our cyber insurance carrier.