April 24, 2018
Contact: Richard Loconte, 212-709-1691
DFS SUPERINTENDENT VULLO ISSUES UPDATED DISASTER RESPONSE AND RECOVERY PLAN REQUIREMENTS FOR INSURERS
Superintendent Directs Insurers to Update Plans Aimed at Ensuring They Are Proactively Prepared to Address Consumer Needs Before a Disaster Strikes
Insurers Also Directed to Submit Disaster Response Plan and Business Continuity Questionnaires to DFS
Updated Guidance Now Includes Student Health Plans, Mortgage Insurers and Title Insurers
Financial Services Superintendent Maria T. Vullo today announced that the Department of Financial Services (DFS) has issued updated disaster response and recovery plan requirements for all insurance companies licensed to conduct business in New York State. DFS is directing all insurers to submit updated disaster response and recovery plans and responses to online questionnaires by June 29, 2018. DFS also directed property/casualty companies to file responses to a Pre-Disaster Data Survey by May 19, 2018. The updated guidance for property/casualty companies now also requires mortgage insurers and title insurers to file a disaster response plan and questionnaire by September 28, 2018. DFS has issued these updated requirements in light of disasters that may occur outside of New York, such as hurricanes, terrorist attacks, or cybersecurity breaches, which could affect an insurer’s ability to serve New York consumers.
“When disaster strikes, as it did when Hurricanes Maria and Irma devastated Puerto Rico and the Virgin Islands last year, it is important for all insurers to be able to respond quickly and to be able to continue operations to ensure they can serve the increased needs of consumers resulting from the emergency, whether it’s a storm, a data breach or a terrorist attack,” said Superintendent Vullo. “Disaster response and business continuity plans should reflect the nature, scale and complexity of each insurer’s business and these plans need to be updated at least annually.”
When a disaster occurs in New York, DFS provides the Governor and the New York State Office of Emergency Management with critical information regarding the amount and extent of losses, damages, personal injuries, and deaths resulting from the disaster. Based on this information, the Governor determines whether and when to request a federal disaster declaration and how to prioritize the deployment of state assets. For instance, after Hurricanes Irma and Maria, DFS took immediate action to engage New York’s financial services industry to support residents of Puerto Rico and the U.S. Virgin Islands, including issuing a circular letter urging all New York insurers that cover people, homes and businesses in Puerto Rico and the U.S. Virgin Islands to undertake fair and speedy resolution of claims resulting from the hurricanes. In addition, two bilingual DFS insurance examiners spent two weeks each in Puerto Rico working with consumers to resolve insurance claims and to identify and address insurance fraud issues, through a partnership with the other state insurance commissioners.
In the two updated circular letters issued today, DFS advised insurers of their disaster-related obligations under New York’s Insurance Law. The first circular letter was directed to property/casualty insurers, including mortgage guaranty insurers, title insurers and captive insurers. The second circular letter was directed to life insurers, as well as such entities as health insurers, fraternal benefit societies and employee welfare funds. The second circular letter was updated to add student health plans, which must submit a disaster response plan and responses to the disaster response plan and business continuity questionnaires by September 28, 2018.
In addition to filing a disaster response and recovery plan, insurers must have a business continuity plan and regularly perform a business impact analysis to predict the consequences of disruption of a business function. The guidance issued today clarifies the requirements of the business impact analysis. The analysis should identify the operational and financial impacts resulting from the disruption of business functions and processes, and include, at a minimum, the following:
- The point in time when a business interruption would have a greater impact, such as a particular season or the end of the month or quarter;
- The amount of time before which the business interruption would have an operational or financial impact;
- The operational and financial impact of physical damage to buildings; damage to or breakdown of machinery, systems, or equipment; restricted access to a site or building; a utility outage; damage to or loss or corruption of information technology; and absenteeism of essential employees;
- Resources needed for the business to continue to function at varying levels of disruption; and
- The potential for dissatisfaction or defection by policy owners, policyholders, contract holders, insureds, annuitants, payees, beneficiaries, third-party claimants, and health service providers.
The circular letters outline what an insurer’s business continuity plan should, at a minimum, include, such as:
- Defining the scope, objectives, and assumptions of the business continuity plan;
- Defining the roles and responsibilities of employees;
- Identifying the lines of authority, succession of management, and delegation of authority;
- Addressing interaction with external business entities, including contractors and vendors;
- Including results of a business impact analysis;
- Identifying recovery time objectives for business processes and information technology;
- Identifying the recovery point objective for data restoration; and
- Setting forth detailed procedures, resource requirements, and logistics for execution of all recovery strategies.
Following a disaster, the DFS Superintendent, in accordance with the nature and extent of the disaster, will activate the Department’s Insurance Emergency Operations Center (IEOC). The IEOC is staffed by insurance industry disaster liaisons and Department representatives to coordinate disaster responses. Where possible, the Superintendent will consult with the insurance industry before activating the IEOC.
Electronic templates for responses to the pre-disaster survey and disaster response plan and business continuity plan questionnaires, and instructions for their completion and submission, are available on the DFS website at: http://www.dfs.ny.gov/insurance/iindx.htm#dpr.