NAIC Fall Meeting Update: Third-Party Data And Models (H) Working Group Exposes Risk-Based Regulatory Framework For Third-Party Data And Model Vendors

On December 9, 2025, the Third-Party Data and Models (H) Working Group, which reports to the Innovation Cybersecurity and Technology (H) Committee exposed a draft Third-Party Data and Model Regulatory Framework (the "Framework"; available here). The proposed framework is targeted at increasing oversight of third-party data and model vendors contracted with insurers. The Framework would provide insurance regulators with access to third-party data and establish governance standards for vendors.

A key component of the Framework is the registration requirement of vendors with state departments of insurance before their materials and data could be used with insurers. Information regarding the vendor/entity, and model documentation would have to be provided at registration, and an annual attestation would have to be made as to adherence to third-party model vendor governance program requirements. Confidentiality for third-party model filings would be the same as for insurers' confidential, proprietary, and trade secret information.

Upon opening the meeting to questions, regulators offered some minor comments relating to potential timeframes for vendor filings and attestations along with acknowledgment of potential carveouts for registration. Comments from interested parties highlighted a desire to simplify the process with reciprocity between states with portable registrations between states. Others noted concerns about the increase of administrative costs for compliance with the Framework, especially for smaller vendors within the industry – with particular concern around dampening innovation. Other commentators noted that there is work to be done definitionally for key terms such as "data."

The Working Group has opened a 60 day comment period on the Framework. Contact information for submissions will be available here.