NOTE: WITHDRAWN EFFECTIVE 04/12/2012

Circular Letter No. 3 (2011)

February 17, 2011

TO: All authorized life insurers, retirement systems, fraternal benefit societies and employee welfare funds.

RE: Disaster Planning, Preparedness and Response

STATUTORY REFERENCE: Sections 301, 305, and 308; and Articles 42, 45, and 46 of the New York Insurance Law

This circular letter replaces and repeals Circular Letter No. 3 (2010). Authorized life insurers, retirement systems, fraternal benefit societies and employee welfare funds are hereafter referred to as "life companies" in this circular letter and its attachments. Disaster planning, preparedness, and response for health insurers and property/casualty insurance industries are covered by separate circular letters.

The following table is provided to enable all licensees to better understand what is required of them by this circular letter.

A. Organization of this Circular Letter

Section Title Page
A Organization of this Circular Letter 1
B The New York State Insurance Disaster Coalition and Insurance Emergency Operations Center (IEOC) 2
C Before a Disaster Strikes 2
C1 Disaster Response Plan and Questionnaire 2
C2 Business Continuity Plan Questionnaire 4
D Operations During a Disaster 4
D1 Insurance Company Disaster Liaisons 4
D2 Liaison Duties and Responsibilities 5
E After a Disaster 6
  Post Disaster Coverage Data and Loss Statistics 6
F Miscellaneous Items 6
F1 Confidentiality 6
F2 Communications Network 6
Questions concerning any aspect of this circular letter should be directed to Principal Insurance Examiner Vincent Mazzarella the Emergency Management Coordinator, by phone at (212) 480-5440, by email to [email protected], or by mail to State of New York Insurance Department, Emergency Management Coordinator, 25 Beaver Street, New York, NY 10004.

B. The New York State Insurance Disaster Coalition and Insurance Emergency Operations Center (IEOC)

When an emergency or disaster situation occurs, the Insurance Department provides the Governor and the State Emergency Management Office (SEMO) with critical information regarding the amount and extent of property losses, as well as other damage assessments. Based on this information, the Governor determines whether and when to request a federal disaster declaration, and how to prioritize the deployment of state assets.

The insurance community, including the property, life and health sectors, has been identified as a key resource in providing early assessments of damages arising from natural or man-made disasters. Insurers play an important role in quantifying the magnitude of losses - insured and uninsured - and in determining both the degree and duration of insurer response to losses. Accordingly, all entities to which this circular letter is directed are expected to assist the Insurance Department in obtaining necessary information before, during, and after disasters strike.

An integral part of the Insurance Disaster Coalition response to any disaster is the Insurance Emergency Operations Center (IEOC), which will be staffed by selected insurance industry disaster liaisons and representatives of the Insurance Department in order to coordinate disaster response.

The Insurance Emergency Operations Center will be activated upon direction of the Superintendent of Insurance, in accordance with the nature and extent of the event. Where possible, this determination will be made in conjunction with the Insurance Department’s disaster coalition partners.

C. Before a Disaster Strikes

1) Disaster Response Plan and Questionnaire

Each addressee of this letter should incorporate the New York State Insurance Disaster Coalition procedures into its own Disaster Response Plan. Since the New York State Insurance Disaster Coalition procedures and the Insurance Emergency Operations Center continue to be integral parts of the industry’s response to any disaster in New York State, the submission of each insurer’s Disaster Response Plan is necessary to maintain the effectiveness and accuracy of information used by the Disaster Coalition in the event of a future disaster.

a) Disaster Response Plan

The Disaster Response Plan should describe how each addressee intends to provide its policyholders with the resources needed to recover from a disaster. To this end, a Disaster Response Plan should at a minimum detail what preparations the entity has made, where applicable, with respect to the following:

  • Board of Directors support for a Disaster Response Plan;
  • Appropriate emergency response training of company personnel;
  • Plans for suitable expansion of claims handling capacity in a variety of disaster scenarios, including provisions to cover:
    • adequate personnel;
    • catastrophe response team availability;
    • access to disaster areas and personnel identification; and
  • Testing of the Disaster Response Plan; and
  • Incorporation of the role of insurance company disaster liaisons, and their interaction with the New York State Department of Insurance.

Please note that more detailed guidance on creating a Disaster Response Plan is provided in the attached appendices.

By June 1, 2011, each company must submit a Disaster Response Plan to the Insurance Department. Entities must provide their completed Disaster Response Plan to the Insurance Department via the Insurance Department Portal Application or in hard copy. No other format will be accepted. If the company chooses to submit the Disaster Response Plan in hard copy, please mail the plan to the Insurance Department at the address provided in Section A.

If the current Disaster Response Plan is the same as the most recent Disaster Response Plan filed with the Department, please submit a statement indicating that the previously filed plan is still in effect. The statement should also indicate the names and NAIC numbers of the companies covered by the plan, as well as, the date it was submitted. The statement should be submitted as an attachment via the Insurance Department Portal or in hard copy.

For orderly processing of files attached in the Insurance Department Portal, files which are either new Disaster Response Plans or statements indicating that the previously filed plan is still in effect, should be named “Disaster Response Plan.”

b) Disaster Response Plan Questionnaire

The Disaster Response Plan Questionnaire is not to be used in lieu of an addressee’s own Disaster Response Plan. Rather, the requested information is to be included as part of each entity’s own plan.

By June 1, 2011, the Disaster Response Questionnaire must be submitted to the Insurance Department via the Insurance Department Portal Application or in hard copy. No other format will be accepted.

By completing the Disaster Response Plan Questionnaire, each entity will be providing the Insurance Department’s Disaster Preparedness and Response Bureau with the name of the designated disaster liaison(s), along with that person’s telephone and cell phone number(s) (for both business and after business hours), email address, and/or pager number, if applicable. Any change in contact information should be reported immediately to the Insurance Department by submitting an updated Disaster Response Plan Questionnaire.

The Insurance Department strongly encourages companies to provide the information via the Insurance Department Portal Application. The Disaster Response Plan Questionnaire electronic template, and instructions for its completion and submission, can be found on the Insurance Department website at:

http://www.ins.state.ny.us/circltr/2011/cl2011_dpr.htm

Please note that if the company chooses to provide the current Disaster Response Plan Questionnaire in electronic form, it must be submitted as an attachment via the Insurance Department Portal.

If the company instead chooses to submit the questionnaire in hard copy, it can contact the Department to request a hard copy of the questionnaire at the address provided in Section A.

2) Business Continuity Plan Questionnaire

To assure the Insurance Department that each addressee has taken steps to put in place a Business Continuity Plan that would reasonably ensure that the recovery of critical business processes could take place in the event of a disaster, each addressee is required to complete the Business Continuity Plan Questionnaire and attest to the accuracy of the answers provided.

By June 1, 2011, the Business Continuity Plan Questionnaire must be submitted to the Insurance Department via the Insurance Department Portal Application or in hard copy. No other format will be accepted.

The Business Continuity Plan Questionnaire electronic template, and instructions for its completion and submission, can be found on the Insurance Department website at: http://www.ins.state.ny.us/circltr/2011/cl2011_dpr.htm

Please note that if the company chooses to provide the current Business Continuity Plan Questionnaire in electronic form, it must be submitted as an attachment via the Insurance Department Portal.

If the company instead chooses to submit the questionnaire in hard copy, it can contact the Department to request a hard copy of the questionnaire at the address provided in Section A.

D. Operations During a Disaster

1) Insurance Company Disaster Liaisons

Upon the Insurance Department’s activation of its Insurance Emergency Operations Center (IEOC), the Superintendent may activate designated insurance company disaster liaisons representing several of the largest underwriters in the emergency or disaster areas. Participating companies will be determined based on the previously described Pre-Disaster Reports. Disaster liaisons will be contacted based upon information submitted in the Disaster Response Plan Questionnaire.

Subsequently, disaster liaisons should be prepared to participate in the State’s Disaster Response Plan as follows:

  • A teleconference of the selected disaster liaisons will be held, where possible, following the occurrence of a disaster – and prior to the activation of the Insurance Department’s IEOC – to discuss the magnitude of the disaster and the scope of activation plans.
  • Upon activation of the IEOC, disaster liaisons or their designees will be expected to staff the IEOC at either of its two locations: One Commerce Plaza, Albany, NY; or 25 Beaver Street, New York, NY.
  • The Insurance Department will provide a fully-equipped IEOC for use by disaster liaisons at either of the aforementioned locations. Included are analog data and voice telephone lines, along with videoconferencing links to the SEMO emergency operations center.
  • The Insurance Department will continue to coordinate communications among company and association contacts through ongoing teleconference calls to: plan staffing of the IEOC for the actual or threatening (as in the case of hurricanes) emergency; individually discuss with each insurer’s liaison the company’s catastrophe operations; individually review each insurer’s Disaster Response Plan; and discuss catastrophe operations and emerging issues.
  • Disaster liaisons may be expected to remain on duty at the IEOC as determined by the Superintendent of Insurance acting in consultation with coalition partners.

2) Liaison Duties and Responsibilities

Insurance company disaster liaisons should:

  • Have a qualified back up. Both persons preferably should be members of the entity’s catastrophe team, or manager-level employees, who are familiar with company protocols and have access to critical information.
  • Provide coverage data and loss statistics as requested by the Insurance Department.
  • Transmit information about the disaster from the insurance industry to emergency response officials and other industry representatives.
  • Be authorized and knowledgeable about company internal information systems and sources, and authorized to access such systems so that applicable, timely information can be provided to SEMO/New York City Office of Emergency Management, and other emergency responders via the Insurance Department.
  • Be prepared to remain on duty during the hours when the IEOC is operating, normally from 7:00 a.m. to 6:00 p.m., or for such time periods as necessary to assist with the effective management of the disaster. Depending on the level of the disaster, this may be a seven-day-week commitment.

E. After a Disaster

Post Disaster Coverage Data and Loss Statistics

Depending on the type of emergency encountered, in the ensuing days after a disaster, the Insurance Department will contact disaster liaisons, as needed, who will be required to provide to the Insurance Department specific statistics about insured losses. These statistics will be periodically updated on an as-needed basis, but not less than monthly.

Reports will be consolidated by Insurance Department staff for submission to SEMO and the Governor’s office only.

F. Miscellaneous Items

1) Confidentiality

All of the above reports and statistics are to be compiled and summarized by Insurance Department personnel for internal Insurance Department use. Reports submitted to SEMO and the Governor will be on an aggregate basis, with no individual company information identified in those reports.

At the time of submission, an insurer should request an exception from disclosure under Section 89(5) of the Public Officers Law (commonly known as the Freedom of Information Law, or FOIL) for any information or reports that it submits to the Insurance Department that it believes are trade secrets or commercial information that, if disclosed, would cause substantial injury to its competitive position.

In the event that a request is received by the Insurance Department for the release of information pursuant to FOIL and the insurer requested an exception from disclosure upon submission, the insurer will be notified and given the opportunity to respond to the Insurance Department in accordance with FOIL and Regulation 71 (11 NYCRR 241.6).

2) Communications Network

Insurance industry representatives of the New York State Insurance Disaster Coalition are requested to provide the Insurance Department with Internet links to not-for-profit websites that are beneficial to the public before, during, and after a disaster.

Your cooperation in furnishing timely and accurate responses is essential to the success of the New York State Insurance Disaster Coalition, and is appreciated by the Insurance Department and the people of New York State.

Very truly yours,

James J. Wrynn
Superintendent of Insurance

Appendix A

Additional Guidance on Formulating/Maintaining a Disaster Response Plan

“LIFE COMPANIES”

(As noted earlier, the term “life companies” as used in this document refers to all authorized life insurers, retirement systems and fraternal benefit societies.)

The Disaster Response Plan (Plan) is a separate document from a company's business continuity and disaster recovery plans and should be an operational document indicating the order in which actions will be taken to assure that resources are made available to policyholders in a timely manner. If your Plan provides affirmative answers to the questions contained in this Appendix, it generally will meet the Disaster Preparedness and Response Bureau's standards for a “Life Company's” Disaster Response Plan.

Your Plan should describe how you intend to provide your policyholders, certificate holders, claimants and beneficiaries (herein, “customers”) with the assistance they will need to maintain coverage, seek assistance from the company, file claims, and obtain loans and other policyholder services in a disaster situation that affects customers.

The Department recognizes that the size, lines of business, corporate structure and location of life companies’ operations in New York varies greatly, as does their particular need for and capacity to implement Plans. Therefore, this Appendix describes “standards”, some of which may be appropriate only to certain companies, but which all companies should evaluate as they construct and assess their Plans. The Department will evaluate the Plan of each “life company” on its own merits.

REQUIREMENTS

The Department fully expects each “life company” to perform a risk-based analysis of its capacity to serve its customers in the event that a disaster affects large numbers of its customers. The Department expects each company to establish, maintain and update a Plan that responds to the risk-based analysis performed as required above. If a company already has a Plan or Plans, it should be prepared to explain the elements of its Plan in terms of the risks perceived by the company and how the Plan responds to those risks.

APPLICABILITY

The Department is aware that certain of its “life companies” are wholly-owned subsidiaries of other “life companies” or are members of groups composed of other than “life companies”. This tier of companies may be included in the Plan of the parent company. In such cases, the subsidiary should be prepared to demonstrate to the Department that

  1. the parent’s Plan specifically provides for the needs of the subsidiary and its customers,
  2. the parent’s Plan has specific application to the subsidiary in the case where only the subsidiary is affected by a disaster, and
  3. the parent’s Plan provides for the continued operation and service to customers of the subsidiary in the event that the operations of the parent, and not the subsidiary, are affected by a disaster.

If the parent’s Plan does not cover the subsidiary, or if in the Department’s judgment the parent’s Plan, as applied to the subsidiary, is inadequate, the subsidiary is required to develop and implement its own Plan.

In addition, smaller companies located in one geographic area of the State may find it cost-effective to pool their resources in establishing shared Plan facilities, such as communications equipment, and alternate worksites. The Department encourages this kind of innovative and cooperative approach, provided that:

  1. the separate management and operational conduct of each company is maintained,
  2. no confidential customer, policyholder or claimant financial or health information is disclosed to another party without appropriate consent, and
  3. the security of all company information is separately protected, in compliance with Regulations 152, 169 and 173.

Sharing of administrative or processing systems is not contemplated by this paragraph.

Companies that sell both life and medical/health care insurance should respond to the questions in the relevant portions of the Appendix B regarding medical insurance in addition to this Appendix, which pertains to life insurance and related products. Companies selling both life and medical/health care insurance are encouraged to contact the Department if they have questions on how to prepare or report on their combined or separate Plans.

Companies should direct their questions to Principal Insurance Examiner Vincent Mazzarella the Emergency Management Coordinator, by phone at (212) 480-5440, by e-mail to [email protected], or by mail to State of New York Insurance Department, Emergency Management Coordinator, 25 Beaver Street, New York, NY 10004.

ELEMENTS OF DISASTER RESPONSE PLANS

The Department expects each company to establish and maintain a Plan that considers and is responsive to all of these elements, subject to the qualifications described in this Appendix with regard to “standards” and the distinctions that can be made for certain subsidiaries and smaller companies.

Company/Group Characteristics:

  1. What is the company/group’s license status (domestic, foreign, alien)?
  2. Does the company/group share or participate with an affiliate, parent company or another company’s disaster response Plan?
  3. Where is the company's main administrative office location?
  4. Where are the company's administrative offices that handle the following claims, requests and payments for New York residents located? (Please specify county and state of office and specify individual or group, where applicable.)
    1. Death claims.
    2. Cash value surrenders/withdrawals.
    3. Policy loans.
    4. Changes to annuity payouts or separate account transfers.
    5. Other policy or contract changes.
    6. Premium payments.
  5. What types of products are sold or administered by the company/group?

Management Oversight:

  1. Does the Company have a Plan?
  2. Is it a written Plan?
  3. Has the Plan been reviewed and approved by:
    a) Senior Management?
    b) Board of Directors or a committee thereof?
  4. Has a resolution been adopted by the Board of Directors, or a committee thereof, attesting to the approval of the Plan?
  5. Has Management identified additional, or alternative, dedicated resources that may be needed during a disaster?
  6. Has Management analyzed its ability to provide the financial resources necessary to meet the cost of the additional resources that will be needed?
  7. Is a person/titled position named as being responsible for activating the Plan after a disaster is declared?
  8. Is a person/titled position named as being responsible for monitoring the Plan?
  9. Is there a person/titled position named as being responsible for terminating the activation of the Plan following a disaster?

General Information:

  1. Does the company/group have a methodology for identifying a disaster, and the levels thereof, that require activation of all or parts of the Plan?
  2. Are there guidelines that help to determine the need for activation of one or more parts of the Plan?
  3. Has the company/group formed a disaster response team?
  4. Are the responsibilities of the disaster response team members defined in order to establish areas of responsibility and reporting authority?
  5. Does the Plan provide for training of staff in order to prepare them in their responsibilities in the case of varying levels of disasters that activate various parts of the Plan?

Policyholder and Claimant (Customer) Services:

  1. Does the Plan explain what steps the company has taken to ensure timely responses to customers for such requests as:
    1. death claims; lost policy or contract;
    2. cash value surrenders/withdrawals;
    3. policy loans;
    4. changes to annuity payouts or separate account transfers;
    5. extended grace periods for payment of premiums;
    6. temporary or permanent changes of contact information;
    7. access to an agent or policyholder representative?
  2. Has Management provided for additional or alternative claims and policyholder service handling capacity and procedures (system or personnel) that might be needed during the activation of the Plan?
  3. If the company/group uses a Third Party Administrator (TPA) or Managing General Administrator (MGA) for claims processing, has that TPA or MGA made plans to provide for additional or alternative claims and policyholder service handling capacity and procedures (system or personnel) that might be needed during the activation of the Plan?

External Communication:

  1. Does the Plan explain what steps will be taken to notify, in a timely manner, its customers of any procedural changes?
  2. Does the Plan describe how your company communicates with, and responds to, employees of a group located in state, when the employer is out of state during a disaster?
  3. Does the Plan describe how your company communicates with, and responds to, employees of a group located out of state, when the employer is in state during a disaster?

Producer Relations:

  1. Does the Plan explain what steps will be taken to notify, in a timely manner, the company’s producers of any procedural changes made in response to a disaster?
  2. Does the Plan provide for alternative communication links with producers affected by the disaster?
  3. Does the Plan provide for alternative facilities/equipment for producers (who are normally supplied with facilities and equipment by the company) who are affected by the disaster?
  4. Does the Plan provide for backup record keeping systems for producers (whose records are normally maintained by the company) who are affected by the disaster?

Fraud Detection:

  1. Does the Plan include any additional procedures for detecting fraud in the event that normal antifraud programs are unavailable or impaired by the disaster?
  2. Does the Plan include specific additional procedures to detect and prevent fraud that may be attempted as a result of the disaster?
  3. Does the Plan include procedures for reporting fraudulent activity to the appropriate regulatory authorities?

Testing of Plan:

  1. Has the Plan been tested?
  2. Does the Plan indicate how often the Plan will be tested?
  3. Did the testing include the use of an alternate site for information technology (IT) systems?

Appendix B

Additional Guidance on Creating a Disaster Response Plan

“LIFE COMPANIES” PROVIDING MEDICAL/HEALTH INSURANCE

The Disaster Response Plan (Plan) is a separate document from a company’s business continuity and disaster recovery plans and should be an operational document indicating the order in which actions will be taken to assure that resources are made available to policyholders in a timely manner. If your Plan provides affirmative answers to the following questions, it generally will meet the Department’s standards for an acceptable Plan.

Your Plan should describe how you intend to provide your members and subscribers, as well as, providers with the resources they will need to recover from a disaster.

Management Oversight:

  1. Does the Company have a Plan?
  2. Is it a written Plan?
  3. Has the Plan been reviewed and approved by:
    a) Senior Management?
    b) Board of Directors or a committee thereof?
  4. Has a resolution:
    a) been adopted by the Board of Directors attesting to the approval of the Plan?
    b) if “a” is “yes”, has such a resolution been submitted to the Department as evidence of the board’s approval?
  5. Has Management identified additional resources that will be needed during a disaster? (For example, telephones, server capacity and staff.)
  6. Has Management analyzed its ability to provide the financial resources necessary to meet the cost of the additional resources that will be needed?
  7. Is a person/titled position named as being responsible for activating the Plan after a disaster is declared?
  8. Is a person/titled position named as being responsible for monitoring the Plan?
  9. Is a person/titled position named as being responsible for terminating the Plan following a disaster?

General Information:

  1. Does the Plan define what constitutes a disaster?
  2. Are there clear guidelines to indicate when the Disaster Response Plan should be invoked?
  3. Has the Company established a disaster response team?
  4. Are the responsibilities of the disaster response team members segregated to establish clear reporting authority?
  5. Does the Plan indicate that there is a role for designated "disaster liaison" and/or back-up liaison?
  6. Does the Plan indicate that the designated “disaster liaison” and/or back-up liaison have been advised of their duties?
  7. Does the Plan provide for training of staff in order to prepare them on their responsibilities in the case of a disaster?
  8. Has the Company established varying levels of response based on the severity of the disaster?

Claimant Services: (Doctors and Hospitals as claimants)

  1. Does the Plan explain what steps the company has taken to ensure timely responses to claimants?
  2. Has Management provided for the additional claims handling capacity (system or personnel) that might be needed during a disaster?

External Communication

  1. Does the Plan explain what steps will be taken to notify its member/subscribers of any procedural changes made in a timely manner?
  2. Does the Plan explain what steps will be taken to notify its providers of any procedural changes made in a timely manner?
  3. Does the Plan explain what steps will be taken to notify its brokers/agents of any procedural changes made in a timely manner?
  4. Does the Plan describe how your company communicates with and responds to employees of a group located in-state, when the employer is out of state during a disaster?
  5. Does the Plan describe how your company communicates with and responds to employees of a group located out of state, when the employer is in-state during an emergency?

Fraud Detection:

  1. If normal controls are not in place due to a disaster, does the Plan include any additional procedures for detecting fraud?
  2. Does the Plan include procedures for reporting fraudulent activity to the appropriate regulatory authorities?

Testing of Plan:

  1. Has the Plan been tested?
  2. Does the Plan indicate when the last test was conducted?
  3. Does the Plan indicate how often the Plan will be tested?
  4. Did the testing include the use of an alternate site for information technology (IT) systems?