US insurance rulemaker suspends investment risk designations after cyber attack

The National Association of Insurance Commissioners has suspended its own investment risk designations after a cyberattack disrupted data sharing with major credit rating agencies, according to reporting on the incident. The move adds a new operational complication to a core insurance supervision process that can affect capital treatment, portfolio decisions and insurer returns.

The NAIC is the standard-setting body for U.S. state insurance regulators. Its investment risk designations help determine how much capital insurers must hold against certain assets, which means the disruption has implications beyond the breach itself.

Reporting links the attack to the hacking group ShinyHunters. The FBI is involved in the response, and the NAIC has said the incident is still being assessed.

What the NAIC suspended

The suspended process sits at the center of how insurers’ investment holdings are classified for regulatory purposes. Lower-risk designations can reduce capital charges, while higher-risk treatment can increase them.

That makes the designation system important for insurers’ balance sheets and earnings, especially when firms hold assets where the classification affects the economics of the position.

According to the reporting, the attack disrupted information flows used in rating-related decisions, prompting the NAIC to pause the assignment of its own risk designations while the breach is reviewed.

How the breach unfolded

Later reporting said the NAIC identified the breach on June 11, 2026, and publicly disclosed the incident on June 17, 2026. On June 26, TechRadar reported that the NAIC had confirmed a cyberattack, described its incident-response steps and said there was no evidence that personal, banking or payment data had been accessed.

The latest development came on June 27, when the Financial Times reported that the NAIC had suspended investment risk designations after the attack disrupted data sharing with major credit rating agencies.

The agencies named in reporting include Moody’s, S&P, KBRA, Fitch and Morningstar DBRS. Reporting says those firms have paused data sharing with the NAIC while the incident is investigated.

Why the rating data matters

The disruption matters because the NAIC’s designation process depends on information tied to credit ratings and related determinations. Reporting says the breach accessed credit-rating determinations, but not the rationale reports used to support private letter ratings.

That distinction is significant. Private letter ratings can play a role in how some assets are treated for regulatory and capital purposes, and the integrity of those inputs affects how insurers’ portfolios are supervised.

KBRA said delayed notification limited its ability to assess the situation, according to the reporting. The exact scope of the interruption, and how quickly data sharing can safely resume, remains unclear.

Regulatory backdrop

The incident lands at a sensitive moment for insurance regulators. The NAIC has been scrutinizing credit risk tied to opaque or complex assets, including private credit and data-center-related exposures.

Regulators and the Bank for International Settlements have also questioned whether private ratings can obscure the true risk of some assets, and recent academic work cited by the Financial Times found evidence consistent with ratings inflation.

That broader debate gives the cyberattack added weight. If a breach affects the data that feeds investment risk designations, it can complicate not only routine supervision but also the larger discussion over how much confidence regulators should place in rating-based capital treatment.

What happens next

The key unanswered questions are what exactly the attackers accessed inside the rating-agency data flows, how long the pause in data sharing will last, and whether any insurer capital calculations or filing deadlines will be delayed or revised.

For now, the NAIC, the affected rating firms and law enforcement are still working through the scope of the intrusion and the operational fallout. The immediate risk is not only the breach itself, but whether it interrupts a classification process that sits behind insurer capital treatment and confidence in insurance oversight.