NYS Department of Financial Services header image

Andrew M. Cuomo
Governor

Benjamin M. Lawsky
Superintendent

Insurance Circular Letter No. 2 (2014)

March 31, 2014

TO:

All authorized life insurers, retirement systems, fraternal benefit societies and employee welfare funds (collectively, "addressees").

RE:Disaster Planning, Preparedness and Response

STATUTORY REFERENCES: Insurance Law Section 308 and Articles 42, 45, and 46 and Financial Services Law Sections 202 and 306.

Summary

This circular letter sets forth the standards expected of authorized life insurers in planning and preparing for, and responding to, disasters in New York State.  To that end, this letter describes the role of the New York State Disaster Coalition and the organization and operation of the Insurance Emergency Operations Center (“IEOC”).

The letter also describes the data reports and plans (Business Continuity Plan and Disaster Response Plan Questionnaires; and Disaster Response Plans) that various life insurers are expected to provide the Department of Financial Services (“Department”) before a disaster strikes, so that the Department can assist in promptly organizing industry response to a disaster.

Further, the letter describes the part played by insurance company Disaster Liaisons in staffing the IEOC and responding to Department requests for information.

Finally, the letter describes the post disaster reporting process (Post Disaster Data and Loss Statistics), and confidentiality of reports provided to the Department.

This circular letter repeals and replaces Circular Letter No. 4 (2013).  Authorized life insurers, retirement systems, fraternal benefit societies and employee welfare funds are hereinafter referred to as "life companies" in this circular letter and its attachments.  Disaster planning, preparedness, and response for health insurers and property/casualty insurers are covered by separate circular letters.

Discussion

  1. Organization of this Circular Letter
  2. The following table sets forth the topics covered in this circular letter.

    SectionTitlePage
    AOrganization of this Circular Letter 2
    BThe New York State Insurance Disaster Coalition and Insurance Emergency Operations Center 2
    CBefore a Disaster Strikes 3
    C1Disaster Response Plan and Questionnaire 3
    C2Business Continuity Plan Questionnaire 5
    DOperations During a Disaster 5
    D1Insurance Company Disaster Liaisons 5
    D2Liaison Duties and Responsibilities 6
    EAfter a Disaster 7
     Post Disaster Coverage Data and Loss Statistics 7
    F Communications Network 7
  3. The New York State Insurance Disaster Coalition and Insurance Emergency Operations Center
  4. When an emergency or disaster occurs, the Department provides the Governor and the State Office of Emergency Management (“SOEM") with critical information regarding the amount and extent of property losses, as well as other damage assessments.  Based on this information, the Governor determines whether and when to request a federal disaster declaration, and how to prioritize the deployment of state assets.

    The insurance community, including the property, life, and health sectors, has been identified as a key resource in providing early assessments of damage arising from natural or man-made disasters.  Insurers play an important role in quantifying the magnitude of losses - insured and uninsured - and in determining the appropriate degree and duration of insurer response to losses.  Accordingly, all entities to which this circular letter is directed are expected to assist the Department in obtaining necessary information before, during, and after disasters strike.

    An integral part of the Insurance Disaster Coalition response to any disaster is the IEOC, which will be staffed by selected insurance industry disaster liaisons and representatives of the Department and will coordinate disaster response.

    The IEOC will be activated at the direction of the Superintendent, in accordance with the nature and extent of the event.  Where possible, this determination will be made in conjunction with the Department’s disaster coalition partners.

  5. Before a Disaster Strikes
  6. 1)  Disaster Response Plan and Questionnaire

    Each addressee of this letter should incorporate the New York State Insurance Disaster Coalition procedures into its own Disaster Response Plan.  Since the New York State Insurance Disaster Coalition procedures and the IEOC continue to be integral parts of the industry’s response to any disaster in New York State, the submission of each insurer’s Disaster Response Plan is necessary to maintain the effectiveness and accuracy of information used by the Disaster Coalition in the event of a future disaster.

    a)    Disaster Response Plan

    The Disaster Response Plan should describe how each addressee intends to provide its policyholders with the resources needed to recover from a disaster.  To this end, a Disaster Response Plan should at a minimum detail what preparations the entity has made, where applicable, with respect to the following:

    Please note that more detailed guidance about creating a Disaster Response Plan is provided in the attached appendices.

    By June 1, 2014, each company must submit a Disaster Response Plan to the Department. Entities must provide their completed Disaster Response Plan to the Department via the Department’s Portal Application or in hard copy. No other format will be accepted. If a company chooses to submit the Disaster Response Plan in hard copy, it should mail the plan to the Department at State of New York Department of Financial Services, Disaster Response Coordinator, One State Street, New York, NY 10004.

    If the current Disaster Response Plan is the same as the most recent Disaster Response Plan filed with the Department, please submit a statement indicating that the previously filed plan is still in effect. The statement should also indicate the names and NAIC numbers of the companies covered by the plan, and the date it was submitted. The statement should be submitted as an attachment via the Department’s Portal or in hard copy. For orderly processing of files attached in the Department’s Portal, files that are either new Disaster Response Plans or statements indicating that the previously filed plan is still in effect should be named “Disaster Response Plan.”

    For orderly processing of files submitted through the Insurance Department Portal, files which are either new Disaster Response Plans or statements indicating that the previously filed plan is still in effect, should be named “Disaster Response Plan.”

    b)   Disaster Response Plan Questionnaire

    The Disaster Response Plan Questionnaire is not to be used in lieu of an addressee’s own Disaster Response Plan.  Rather, the requested information should be included as part of each entity’s plan.

    By June 1, 2014, the Disaster Response Plan Questionnaire must be submitted to the Department via the Department’s Portal Application or in hard copy.  No other format will be accepted.

    In the Disaster Response Plan Questionnaire, each entity will be providing the Department with the name of the designated disaster liaison(s), along with its person’s telephone and cell phone number(s) (for both business and after business hours), email address, and/or pager number, if applicable.  Any change in contact information should be reported immediately to the Department by submitting an updated Disaster Response Plan Questionnaire.

    The Department strongly encourages companies to provide the information via the Department’s Portal Application.  The Disaster Response Plan Questionnaire electronic template, and instructions for its completion and submission, can be found on the Department’s website at:

    http://www.dfs.ny.gov/insurance/circltr/cl2014_dpr.htm

    Please note that if a company chooses to provide the current Disaster Response Plan Questionnaire in electronic form, it must be submitted as an attachment via the Department’s Portal.

    If a company instead chooses to submit the questionnaire in hard copy, it can contact the Department to request a hard copy of the questionnaire at State of New York Department of Financial Services, Disaster Response Coordinator, One State Street, New York, NY 10004.

    2)   Business Continuity Plan Questionnaire

    To assure the Department that each addressee has taken steps to put in place a Business Continuity Plan that would reasonably ensure that the recovery of critical business processes could take place in the event of a disaster, each addressee is required to complete the Business Continuity Plan Questionnaire and attest to the accuracy of the answers provided.

    By June 1, 2014, the Business Continuity Plan Questionnaire must be submitted to the Department via the Department’s Portal Application or in hard copy.  No other format will be accepted.

    The Business Continuity Plan Questionnaire electronic template, and instructions for its completion and submission, can be found on the Department’s website at:

    http://www.dfs.ny.gov/insurance/circltr/cl2014_dpr.htm

    Please note that if a company chooses to provide the current Business Continuity Plan Questionnaire in electronic form, it must be submitted as an attachment via the Department’s Portal.

    If a company instead chooses to submit the questionnaire in hard copy, it can contact the Department to request a hard copy of the questionnaire at State of New York Department of Financial Services, Disaster Response Coordinator, One State Street, New York, NY 10004.

  7. Operations During a Disaster
  8. 1)  Insurance Company Disaster Liaisons

    Upon the Department’s activation of its IEOC, the Superintendent may activate designated insurance company disaster liaisons representing several of the largest underwriters in the emergency or disaster area.  Disaster liaisons will be contacted based upon information submitted in the Disaster Response Plan Questionnaire.

    Subsequently, disaster liaisons should be prepared to participate in the State’s Disaster Response Plan as follows:

    2)  Liaison Duties and Responsibilities

    Insurance company disaster liaisons should:

  9. After a Disaster
  10. Post Disaster Coverage Data and Loss Statistics

    After an emergency or disaster the Department will contact disaster liaisons, as needed, who will be required to provide to the Department specific statistics about insured losses.  These statistics will be periodically updated on an as-needed basis, but not less than monthly.

    Reports will be consolidated by Department staff for submission to SOEM and the Governor’s office.

  11. Communications Network
  12. Insurance industry representatives of the New York State Insurance Disaster Coalition are requested to provide the Department with Internet links to not-for-profit websites that are beneficial to the public before, during, and after a disaster.

Conclusion

This circular letter endeavors to assist the life insurance industry in planning and preparing for, and responding to, disasters that may befall the citizens and policyholders of New York State. Your cooperation in furnishing timely and accurate responses is essential to the success of the New York State Insurance Disaster Coalition, and is appreciated by the Department and the people of New York State.

Questions concerning any aspect of this circular letter should be directed to the Disaster Response Coordinator, by phone at (212) 480-4702, by mail to the New York State Department of Financial Services, Disaster Response Coordinator, One State Street, New York, NY 10004, or by e-mail to predis@dfs.ny.gov.

 

Very truly yours,

______________________________________
Benjamin M. Lawsky
Superintendent


 

 

Appendix A

Additional Guidance on Formulating/Maintaining a Disaster Response Plan

LIFE COMPANIES PROVIDING LIFE INSURERS

(As noted earlier, the term “life companies” as used in this document refers to all authorized life insurers, retirement systems and fraternal benefit societies.)

The Disaster Response Plan (Plan) is a separate document from a company’s business continuity and disaster recovery plans and should be an operational document indicating the order in which actions will be taken to assure that resources are made available to policyholders in a timely manner.  If your Plan provides affirmative answers to the questions contained in this Appendix, it generally will meet the Department’s standards for a Life Company’s Disaster Response Plan.

Your Plan should describe how you intend to provide your policyholders, certificateholders, claimants and beneficiaries (herein, “customers”) with the assistance they will need to maintain coverage, seek assistance from the company, file claims, and obtain loans and other policyholder services in a disaster situation that affects customers.

The Department recognizes that the size, lines of business, corporate structure and location of life companies’ operations in New York varies greatly, as does their particular need for and capacity to implement Plans.  Therefore, this Appendix describes “standards,” some of which may be appropriate only to certain companies, but which all companies should evaluate as they construct and assess their Plans.  The Department will evaluate the Plan of each life company on its own merits.  

REQUIREMENTS

The Department fully expects each life company to perform a risk-based analysis of its capacity to serve its customers in the event that a disaster affects large numbers of its customers.  The Department expects each company to establish, maintain and update a Plan that. responds to the risk-based analysis performed as required above.  If a company already has a Plan or Plans, it should be prepared to explain the elements of its Plan in terms of the risks perceived by the company and how the Plan responds to those risks.

APPLICABILITY

The Department is aware that certain of its life companies are wholly-owned subsidiaries of other life companies or are members of groups composed of other than life companies.  This tier of companies may be included in the Plan of the parent company.  In such cases, the subsidiary should be prepared to demonstrate to the Department that

  1. the parent’s Plan specifically provides for the needs of the subsidiary and its customers,
  2. the parent’s Plan has specific application to the subsidiary in the case where only the subsidiary is affected by a disaster, and
  3. the parent’s Plan provides for the continued operation and service to customers of the subsidiary in the event that the operations of the parent, and not the subsidiary, are affected by a disaster.

If the parent’s Plan does not cover the subsidiary, or if in the Department’s judgment the parent’s Plan, as applied to the subsidiary, is inadequate, the subsidiary is required to develop and implement its own Plan.

In addition, smaller companies located in one geographic area of the State may find it cost-effective to pool their resources in establishing shared Plan facilities, such as communications equipment and alternate worksites.  The Department encourages this kind of innovative and cooperative approach, provided that:

  1. separate management and operational conduct of each company is maintained,
  2. no confidential customer, policyholder or claimant financial or health information is disclosed to another party without appropriate consent, and
  3. the security of all company information is separately protected, in compliance with Regulations 152, 169 and 173. 

Sharing of administrative or processing systems is not contemplated by this paragraph.

Companies that sell both life and medical/health care insurance should respond to the questions in the relevant portions of the Appendix B regarding medical insurance in addition to this Appendix, which pertains to life insurance and related products.  Companies selling both life and medical/health care insurance are encouraged to contact the Department if they have questions on how to prepare or report on their combined or separate Plans.

ELEMENTS OF DISASTER RESPONSE PLANS

The Department expects each company to establish and maintain a Plan that considers and is responsive to all of these elements, subject to the qualifications described in this Appendix with regard to “standards” and the distinctions that can be made for certain subsidiaries and smaller companies.

Company/Group Characteristics:

  1. What is the company/group’s license status (domestic, foreign, alien)?
  2. Does the company/group share or participate in an affiliate, parent company or another company’s disaster response Plan?
  3. Where is the company’s main administrative office located?
  4. Where are the company’s administrative offices that handle the following claims, requests and payments for New York residents located?  (Please specify county and state of office and specify individual or group, where applicable.)
  5. What types of products are sold or administered by the company/group?

Management Oversight:

  1. Does the Company have a Plan?
  2. Is it a written Plan?
  3. Has the Plan been reviewed and approved by:
          a) Senior Management?
          b) Board of Directors or a committee thereof?
  4. Has a resolution been adopted by the Board of Directors, or a committee thereof, attesting to the approval of the Plan?
  5. Has Management identified additional, or alternative, dedicated resources that may be needed during a disaster?
  6. Has Management analyzed its ability to provide the financial resources necessary to meet the cost of the additional resources that will be needed?
  7. Is a person/titled position named as being responsible for activating the Plan after a disaster is declared?
  8. Is a person/titled position named as being responsible for monitoring the Plan?
  9. Is a person/titled position named as being responsible for terminating the Plan following a disaster?

General Information:

  1. Does the company/group have a methodology for identifying a disaster, and the levels thereof, that require activation of all or parts of the Plan?
  2. Are there guidelines that help to determine the need for activation of one or more parts of the Plan?
  3. Has the company/group formed a disaster response team?
  4. Are the responsibilities of the disaster response team members defined in order to establish areas of responsibility and reporting authority?
  5. Does the Plan provide for training of staff in order to prepare them for their responsibilities in the case of varying levels of disasters that activate various parts of the Plan?

Policyholder and Claimant (Customer) Services:

  1. Does the Plan explain what steps the company has taken to ensure timely responses to customers for such requests as:

  2. Has Management provided for additional or alternative claims and policyholder service handling capacity and procedures (system or personnel) that might be needed during the activation of the Plan?
  3. If the company/group uses a Third Party Administrator (TPA) or Managing General Agent (MGA) for claims processing, has that TPA or MGA made plans to provide for additional or alternative claims and policyholder service handling capacity and procedures (system or personnel) that might be needed during the activation of the Plan?

External Communication:

  1. Does the Plan explain what steps will be taken to notify, in a timely manner, the company’s customers of any procedural changes?
  2. Does the Plan describe how your company communicates with, and responds to, employees of a group located in state, when the employer is out of state during a disaster?
  3. Does the Plan describe how your company communicates with, and responds to, employees of a group located out of state, when the employer is in state during a disaster?

Producer Relations:

  1. Does the Plan explain what steps will be taken to notify, in a timely manner, the company’s producers of any procedural changes made in response to a disaster?
  2. Does the Plan provide for alternative communication links with producers affected by the disaster?
  3. Does the Plan provide for alternative facilities/equipment for producers (who are normally supplied with facilities and equipment by the company) who are affected by the disaster?
  4. Does the Plan provide for backup record keeping systems for producers (whose records are normally maintained by the company) who are affected by the disaster?

Fraud Detection:

  1. Does the Plan include any additional procedures for detecting fraud in the event that normal antifraud programs are unavailable or impaired by the disaster?
  2. Does the Plan include specific additional procedures to detect and prevent fraud that may be attempted as a result of the disaster?
  3. Does the Plan include procedures for reporting fraudulent activity to the appropriate regulatory authorities?

Testing of Plan:

  1. Has the Plan been tested?
  2. Does the Plan indicate how often the Plan will be tested?
  3. Did the testing include the use of an alternate site for information technology (IT) systems?
  4.  


Appendix B

Additional Guidance on Formulating/Maintaining a Disaster Response Plan

LIFE COMPANIES PROVIDING MEDICAL/HEALTH INSURANCE

(As noted earlier, the term “life companies” as used in this document refers to all authorized life insurers, retirement systems and fraternal benefit societies.)

The Disaster Response Plan (Plan) is a separate document from a company’s business continuity and disaster recovery plans and should be an operational document indicating the order in which actions will be taken to assure that resources are made available to policyholders in a timely manner.  If your Plan provides affirmative answers to the following questions, it generally will meet the Department’s standards for an acceptable Plan.

Your Plan should describe how you intend to provide your members and subscribers, as well as providers, with the resources they will need to recover from a disaster.  

Management Oversight:

  1. Does the Company have a Plan?
  2. Is it a written Plan?

  3. Has the Plan been reviewed and approved by:
          a) Senior Management?
          b) Board of Directors or a committee thereof?
  4. Has a resolution:
         
    a) been adopted by resolution of the Board of Directors attesting to the approval of the Plan?
         
    b)if the answer to a) is “yes”, has the resolution been submitted to the Department as evidence of the board’s approval?
  5. Has Management identified additional resources that will be needed during a disaster?  (For example, telephones, server capacity and staff.)
  6. Has Management analyzed its ability to provide the financial resources necessary to meet the cost of the additional resources that will be needed?
  7. Is a person/titled position named as being responsible for activating the Plan after a disaster is declared?
  8. Is a person/titled position named as being responsible for monitoring the Plan?
  9. Is a person/titled position named as being responsible for terminating the Plan following a disaster?

General Information:

  1. Does the Plan define what constitutes a disaster?
  2. Are there clear guidelines to indicate when the Disaster Response Plan should be invoked?
  3. Has the Company established a disaster response team?
  4. Are the responsibilities of the disaster response team members segregated to establish clear reporting authority?
  5. Does the Plan indicate that there is a role for a designated "disaster liaison" and/or back-up liaison?
  6. Does the Plan indicate that the designated disaster liaison and/or back-up liaison have been advised of their duties?
  7. Does the Plan provide for training of staff in order to prepare them on their responsibilities in the case of a disaster?
  8. Has the Company established varying levels of response based on the severity of the disaster?

Claimant Services: (Doctors & Hospitals as claimants)

  1. Does the Plan explain what steps the company has taken to ensure timely responses to claimants?
  2. Has Management provided for the additional claims handling capacity (system or personnel) that might be needed during a disaster?

External Communication

  1. Does the Plan explain what steps will be taken to notify in a timely manner the company’s members//subscribers of any procedural changes made?
  2. Does the Plan explain what steps will be taken to notify in a timely manner its providers of any procedural changes made?
  3. Does the Plan explain what steps will be taken to notify in a timely manner its brokers/agents of any procedural changes made?
  4. Does the Plan describe how your company communicates with and responds to employees of a group located in state, when the employer is out of state during a disaster?
  5. Does the Plan describe how your company communicates with and responds to employees of a group located out of state, when the employer is in state during an emergency?

Fraud Detection:

  1. If normal controls are not in place due to a disaster, does the Plan include any additional procedures for detecting fraud?
  2. Does the Plan include procedures for reporting fraudulent activity to the appropriate regulatory authorities?

Testing of Plan:

  1. Has the Plan been tested?
  2. Does the Plan indicate when the last test was conducted?
  3. Does the Plan indicate how often the Plan will be tested?
  4. Did the testing include the use of an alternate site for information technology (IT) systems?