KBRA is issuing this statement in the interest of transparency to our clients, investors, issuers, and other market participants regarding a cybersecurity incident recently disclosed by the National Association of Insurance Commissioners (NAIC).
The facts regarding the incident are set forth in the NAIC’s public Security Update, available on the NAIC’s website. The situation is evolving, and we encourage all clients to check for updates on the NAIC’s website for information on what data has been compromised.
The NAIC became aware of a cybersecurity breach affecting its systems on June 11, 2026. On June 18, the NAIC publicly disclosed the incident and subsequently notified KBRA. On June 26, the NAIC notified KBRA that unpublished KBRA ratings information submitted through our regulatory data feed had been exported during the incident. The NAIC requires KBRA and other credit rating agencies to provide these data feeds for NAIC designation purposes.
Based on the information provided to KBRA by the NAIC, the compromised data includes unpublished ratings information and related identifiers but did not include transaction or issuer names or information. On June 26, the NAIC informed KBRA that the compromised information involved in the incident had been uploaded to a site used to distribute data obtained through cyber incidents.
This incident did not involve unauthorized access to KBRA’s systems or a compromise of KBRA’s cybersecurity controls. Based on the information currently available, unauthorized access occurred within the NAIC’s systems after KBRA had securely transmitted information pursuant to regulatory reporting requirements.
As a repository for confidential regulatory information submitted by credit rating agencies, the NAIC is responsible for safeguarding that information and for notifying affected organizations when a cybersecurity incident may affect information entrusted to it. The period between the NAIC’s discovery of the incident on June 11, its public disclosure on June 18, and its confirmation to KBRA on June 26 that KBRA’s data had been affected limited KBRA’s ability to assess the situation, evaluate potential impacts, and communicate with regulators, clients, and other stakeholders.
In response to this incident, KBRA has suspended its regulatory data feed to the NAIC pending satisfactory resolution of the cybersecurity issues identified by the NAIC and a better understanding of the safeguards that will be implemented to prevent a recurrence.
KBRA will continue to monitor developments and engage with the NAIC as the NAIC’s investigation proceeds. KBRA believes our clients and other stakeholders deserve timely and transparent communication regarding matters that may affect confidential information entrusted to third parties. Please reach out to NAICDataBreach@kbra.com if you have additional questions.
About KBRA
KBRA, one of the major credit rating agencies, is registered in the U.S., EU, and the UK. KBRA is recognized as a Qualified Rating Agency in Taiwan, and is also a Designated Rating Organization for structured finance ratings in Canada. As a full-service credit rating agency, investors can use KBRA ratings for regulatory capital purposes in multiple jurisdictions.
Doc ID: 1015776
View source version on businesswire.com: https://www.businesswire.com/news/home/20260626990215/en/
Media gallery
