Insurance Circular Letter No. 5 (2019)
April 17, 2019
All authorized property/casualty insurance companies, co-operative property/casualty insurance companies, financial guaranty insurance corporations, mortgage guaranty insurance companies, title insurance corporations, non-profit property/casualty insurance companies, reciprocal insurers, captive insurance companies, New York State Insurance Fund, New York Property Insurance Underwriting Association, New York Medical Malpractice Insurance Plan, New York Automobile Insurance Plan, Motor Vehicle Accident Indemnification Corporation, rate service organizations, and Excess Line Association of New York
Disaster Planning, Preparedness, and Response by the Property/Casualty Insurance Industry
STATUTORY AND REGULATORY REFERENCES: Insurance Law Sections 308, 2108(n), 2130, and 7001 and Articles 52, 53, 54, and 55; Financial Services Law Section 202; and 11 NYCRR 243 (Insurance Regulation 152), 11 NYCRR 420 (Insurance Regulation 169), and 11 NYCRR 421 (Insurance Regulation 173).
Experience teaches us that disasters – crippling storms, terrorist attacks, cybersecurity breaches – can happen unexpectedly, meaning that we must be prepared to respond at every level if such an event occurs. This circular letter sets forth the standards expected of authorized property/casualty insurers, co-operative property/casualty insurance companies, financial guaranty insurance companies, mortgage guaranty insurance companies, title insurance companies, non-profit property/casualty insurance companies, reciprocal insurers, captive insurance companies, the New York State Insurance Fund, the New York Property Insurance Underwriting Association, the New York Medical Malpractice Insurance Plan, the New York Automobile Insurance Plan, the Motor Vehicle Accident Indemnification Corporation, rate service organizations (“RSOs”), and the Excess Line Association of New York (“ELANY”) (collectively, “addressees”) in planning and preparing for, and responding to, disasters occurring anywhere in the world, including in New York State, that could affect an addressee’s ability to continue doing business and servicing the people of New York State. This circular letter repeals and replaces Circular Letter No. 3 (2018). A separate circular letter covers disaster planning, preparedness, and response by the life and health insurance industries.
When a disaster occurs in New York, the New York State Department of Financial Services (“Department”) provides the Governor and the New York State Office of Emergency Management (“SOEM”) with critical information regarding the amount and extent of losses, damages, personal injuries, and deaths resulting from the disaster. Based on this information, the Governor determines whether and when to request a federal disaster declaration and how to prioritize the deployment of state assets.
The insurance industry has been identified as a key resource in providing early assessments of losses, damages, personal injuries, and deaths arising from disasters, and plays an important role in quantifying the magnitude of losses, damages, personal injuries, and deaths, whether insured or uninsured, and in determining the appropriate response to the disaster. Accordingly, all addressees should assist the Department with obtaining necessary information before, during, and after a disaster.
An integral part of the response to any disaster is the Department’s Insurance Emergency Operations Center (“IEOC”), which is staffed by insurance industry disaster liaisons and Department representatives, and which coordinates disaster responses. The Superintendent of Financial Services (“Superintendent”) will activate the IEOC in accordance with the nature and extent of the disaster. Where possible, the Superintendent will consult with the insurance industry before activating the IEOC.
A. Before a Disaster Strikes
1. Pre-Disaster Data Survey
This section applies to an addressee, other than an RSO or ELANY, with New York direct written premium reported on page 19 of its last annual statement for any of the following lines of insurance:
- 01. Fire
- 02.1 Allied Lines
- 02.2 Multiple Peril Crop
- 02.3 Federal Flood
- 03 Farmowners Multiple Peril
- 04 Homeowners Multiple Peril
- 05.1 Commercial Multiple Peril (Non-Liability Portion)
- 12 Earthquake
- 21.1 Private Passenger Auto Physical Damage
- 21.2 Commercial Auto Physical Damage
Accurate, timely, and consistent information is of critical importance to the Governor and SOEM during and after a disaster. In order for the Department to determine which addressees are the largest insurance writers in each New York county so that the Department knows which addressees to contact in the event of a disaster, an addressee must submit, pursuant to Insurance Law § 308, a response to the Department’s pre-disaster data survey, which is available on the Department’s website. With regard to private passenger and commercial auto physical damage lines of insurance, the survey requests the number of motor vehicles covered and the number of policies in-force broken down by county. For the purpose of this survey, “motor vehicle” is used in the broadest sense to mean any vehicle covered by the private passenger and commercial auto physical damage lines of insurance, including automobiles, trucks, trailers, vans, motorcycles, and all-terrain vehicles. With regard to the non-motor vehicle lines of insurance listed above, the survey requests the amount of insurance in-force (gross exposure) and the number of policies in-force broken down by county.
The Department will use the responses it receives to apportion corporate emergency access system adjuster cards as described in Supplement No. 1 to Circular Letter No. 8 (2007).
2. Business Continuity and Disaster Response Plans
Each addressee should perform regularly a business impact analysis to predict the consequences of disruption of a business function and process as a result of a disaster, and to gather information needed to develop recovery strategies. The business impact analysis should identify the operational and financial impacts resulting from the disruption of business functions and processes and should consider the following, at a minimum, as relevant: (a) the point in time when a business interruption would have a greater impact, such as a particular season or the end of the month or quarter; (b) the amount of time before which the business interruption would have an operational or financial impact; (c) the operational and financial impact of physical damage to buildings; damage to or breakdown of machinery, systems, or equipment; restricted access to a site or building; a utility outage; damage to or loss or corruption of information technology; and absenteeism of essential employees; (d) resources needed for the business to continue to function at varying levels of disruption; and (e) potential for dissatisfaction or defection by policyholders, contract holders, insureds, third-party claimants, and health service providers (collectively, “customers”).
An addressee should use the results of this analysis to establish, maintain, and periodically update a business continuity plan. Each addressee, other than ELANY, an RSO, or a financial guaranty insurer, also should perform regularly a risk-based analysis of its capacity to assist customers in New York State affected by a disaster occurring anywhere in the world, including in New York State, and should use the results of this analysis to establish, maintain, and periodically update a disaster response plan that takes into account the results of the analysis. The business continuity and disaster response plans should be separate documents.
The Department recognizes that size, lines of business, and corporate structure varies among addressees. Therefore, business continuity and disaster response plans should be appropriate for the nature, scale, and complexity of the addressee and the business it writes or conducts, and should adhere to the standards set forth in this circular letter, as relevant.
The Department understands that certain addressees are members of holding company systems under Insurance Law Article 15 or are subsidiaries of domestic insurers under Insurance Law Article 16 (collectively, “groups”). An addressee may be covered under a business continuity or disaster response plan established by the holding company, parent domestic insurer, or another member of the group. In such cases, the addressee should be prepared to demonstrate to the Department that the plan provides for the needs of the addressee and its customers. If the plan does not do so, or if, in the Department’s judgment, the plan, as applied to the addressee, is inadequate, then the Department will ask the addressee to establish its own business continuity or disaster response plan.
An addressee that is a captive insurer may be covered under a business continuity or disaster response plan established by an industrial insured, as defined in Insurance Law § 7002(e). In such cases, the addressee should be prepared to demonstrate to the Department that the plan provides for the needs of the addressee and any third-party claimant. If the plan does not do so, or if, in the Department’s judgment, the plan as applied to the addressee, is inadequate, then the Department will ask the addressee to establish its own business continuity or disaster response plan.
a. Business Continuity Plan and Questionnaire
A business continuity plan should, at a minimum, address the following items, as relevant:
- define the scope, objectives, and assumptions of the business continuity plan;
- define the roles and responsibilities of employees;
- identify the lines of authority, succession of management, and delegation of authority;
- address interaction with external business entities, including contractors and vendors;
- include results of a business impact analysis;
- identify recovery time objectives for business processes and information technology;
- identify the recovery point objective for data restoration;
- set forth detailed procedures, resource requirements, and logistics for execution of all recovery strategies;
- set forth detailed procedures, resource requirements, and logistics for relocation to alternate worksites;
- set forth detailed procedures, resource requirements, and a data restoration plan for the recovery of information technology, such as networks and required connectivity, servers, computers, wireless devices, applications, and data;
- document all forms and resource requirements for all manual workarounds;
- define procedures for incident detection and reporting, alerts and notifications, business continuity plan activation, emergency operations center activation, damage assessment and situation analysis, and the development and approval of an incident action plan;
- describe a training curriculum for business continuity team members;
- set forth a testing schedule, procedures, and forms for business recovery strategies and information technology recovery strategies;
- set forth a schedule, triggers, and assignments for the periodic review of the business continuity plan; and
- set forth a corrective action program to address deficiencies.
The business continuity plan should be reviewed and approved on at least an annual basis by either the addressee’s or the group member’s (1) board of directors, or appropriate committee thereof, or (2) governing body.
Addressees located in the same geographic area may find it cost-effective to pool their resources and establish shared facilities, such as shared alternate worksites, in the event their business functions and processes are disrupted as a result of a disaster. The Department encourages this kind of cooperative approach, provided that: (1) the addressees maintain separate management and operations; (2) an addressee does not disclose confidential customer information without appropriate consent; and (3) an addressee maintains records in compliance with 11 NYCRR 243 (Insurance Regulation 152), 11 NYCRR 420 (Insurance Regulation 169), and 11 NYCRR 421 (Insurance Regulation 173).
b. Disaster Response Plan and Questionnaire
A disaster response plan should, at a minimum, address the following items, as relevant:
- the jurisdiction in which the addressee is domiciled;
- the address of the addressee’s headquarters;
- the addresses of the addressee’s offices where the following is handled for policies or contracts issued or delivered in New York: (i) claims; (ii) policy or contract changes; (iii) premium payments; and (iv) any other policy or contract holder services or administration;
- the kinds of insurance products sold or administered by the addressee;
- the methodology the addressee uses for identifying a disaster and determining whether the addressee should activate all or part of its disaster response plan;
- the name and title of the person responsible for activating the disaster response plan and for deactivating the plan;
- the name and title of the person responsible for monitoring the disaster response plan;
- the responsibilities and reporting authority of the disaster response team;
- the names of and contact information for the addressee’s primary and secondary employees who are available during and after a disaster to relay information between the addressee and the Department (“disaster liaisons”);
- the names of and contact information for the addressee’s primary and secondary employees who have control of the addressee’s disaster operations (“disaster leaders”);
- the way in which the addressee trains its employees and agents to assist customers during and after a disaster;
- the way in which the addressee will provide additional or alternative claims and customer service handling capacity and procedures, including ensuring that there are adequate personnel and information technology systems;
- if the addressee uses an independent adjuster or managing general agent (“MGA”), then the way in which the independent adjuster or MGA will provide additional or alternative claims and customer service handling capacity and procedures, including when the independent adjuster or MGA may be located in the disaster-affected area;
- the steps the addressee will take to notify, in a timely manner, the addressee’s customers of any procedural changes;
- the steps the addressee will take to notify, in a timely manner, insurance producers or insurance adjusters of any procedural changes made in response to a disaster;
- the additional or alternative communication channels the addressee will use to communicate with insurance producers or insurance adjusters located in or servicing a disaster-affected area;
- if an addressee supplies facilities and equipment for insurance producers, then the alternate facilities or equipment the addressee will provide for producers affected by the disaster;
- the additional or alternative procedures an addressee will use for detecting a fraudulent insurance act during and after a disaster; and
- the methodology the addressee uses to test the disaster response plan and the frequency of testing.
The disaster response plan should be reviewed and approved on at least an annual basis by either the addressee’s or the group member’s (1) board of directors, or appropriate committee thereof, or (2) governing body.;
c. Storage of Business Continuity and Disaster Response Plans
An addressee should distribute the business continuity and disaster response plans to all relevant employees. The business continuity team leader and disaster leader should maintain a master copy of the business continuity plan and disaster response plan, respectively. Copies of the business continuity and disaster response plans should be stored at a secure off-site location in a format that allows access if an addressee’s servers are down and allows for printing on demand.
d. Filing of Pre-Disaster Data Survey, Disaster Response Plan, and
By May 10, 2019, each addressee must submit a response to the pre-disaster data survey to the Department, as applicable, pursuant to Insurance Law § 308. By June 28, 2019, each addressee must submit to the Department a disaster response plan, a response to the disaster response plan questionnaire, and a response to the business continuity plan questionnaire, as applicable, pursuant to Insurance Law § 308. The electronic templates for the disaster response plan and business continuity plan questionnaires, and instructions for their completion and submission, are available on the Department’s website. An addressee should report to the Department as soon as possible any change in the information requested by submitting an updated response to the disaster response plan or business continuity plan questionnaire.
When submitting a disaster response plan, an addressee must document that the relevant board of directors, or appropriate committee thereof or, if there is no board of directors, then the governing body, approved the disaster response plan. If the current disaster response plan is the same as the last plan filed with the Department, then an addressee need not submit the plan again. Rather, the addressee must submit a statement indicating that the previously filed disaster response plan is still in effect.
A disaster response plan or the statement indicating that the previously filed disaster response plan is still in effect should include the name of the addressee covered by the disaster response plan, the addressee’s National Association of Insurance Commissioners (“NAIC”) number, and a contact person’s name, e-mail address, and telephone number. In addition, an addressee should submit a disaster response plan as a searchable document, such as an Adobe pdf file.
The Department requests that an addressee submit responses to the pre-disaster data survey, a disaster response plan, a response to the disaster response plan questionnaire, and a response to the business continuity plan questionnaire to the Department through the Department’s portal application, though it may mail or deliver them to the Department as a hard copy. Please name the file “Disaster Response Plan” when submitting a disaster response plan or the aforementioned statement through the Department’s portal application.
If an addressee submits the documents as a hard copy, then the addressee should mail or deliver the documents to the Department to the attention of Ashbert Carrington, Financial Services Examiner 2, New York State Department of Financial Services, One State Street, 22nd Floor, New York, NY 10004.
B. After a Disaster
1. Disaster Liaisons
After a disaster, the Superintendent may contact designated addressee disaster liaisons representing addressees with the greatest amount of direct written premiums in the disaster area. Disaster liaisons should be prepared to participate in the state’s disaster response plan as follows:
- the Department will arrange a conference call of the selected disaster liaisons, where possible, following the occurrence of a disaster to discuss the disaster’s magnitude and the scope of IEOC activation plans;
- upon activation of the IEOC, disaster liaisons or their designees will be expected to staff the IEOC at the Department’s offices in Albany or New York City or an alternative location, as appropriate;
- the Department will provide a fully-equipped IEOC at one of the aforementioned locations;
- the Department will continue to coordinate communications through ongoing teleconference calls in order to plan staffing of the IEOC, discuss with each addressee’s disaster liaison the addressee’s disaster operations, review each addressee’s disaster response plan, and discuss disaster operations and emerging issues; and
- disaster liaisons or their designees may be expected to remain on duty at the IEOC as determined by the Superintendent in consultation with the insurance industry.
Disaster liaisons should:
- be members of the addressee’s disaster response team or manager-level employees who are familiar with addressee protocols and have access to critical information;
- provide coverage data and claim statistics as requested by the Department;
- be knowledgeable about addressee internal information systems and sources and authorized to access such systems, so that applicable, timely information can be provided to SOEM, the New York City Office of Emergency Management, and other emergency responders via the Department; and
- be prepared to remain on duty during the hours when the IEOC is operating, normally from 7:00 a.m. to 6:00 p.m., or for such time periods as necessary to assist with the effective management of the disaster. Depending on the level of the disaster, this may be a seven-day-per-week commitment.
2. Post Disaster Coverage Data and Loss Statistics
After a disaster, the Department will contact disaster liaisons, as needed, who should provide the Department with coverage data and claim statistics. The Department may request the data and statistics on an on-going basis as necessary.
3. Insurance Adjuster Temporary Permits
Insurance Law § 2108(n) permits the Superintendent to issue a temporary permit to a person to act as an independent adjuster for an authorized insurer “in order to facilitate the settlement of claims under insurance contracts involving widespread property losses arising out of a conflagration or catastrophe common to all such losses.” The Superintendent may issue a temporary permit for a term not exceeding 120 days. The authorized insurer on whose behalf the person will be adjusting claims must execute and file with the Superintendent a written application for the temporary permit, and must certify that the person who will be doing the adjusting is qualified by experience and training to adjust claims.
Insurers should maintain adequate New York-licensed independent adjuster staff to respond to all events short of a major catastrophe. Consistent with the legislative intent of § 2108(n), the Department will issue temporary permits only for infrequent and widespread conflagrations or catastrophes that have caused severe loss or damage for a large number of New Yorkers. Furthermore, given its limited scope, a temporary permit enables its holder to adjust claims solely related to the conflagration or catastrophe for which the insurer requested the permit as noted on the application and during the specific time frame for which the permit is valid.
An insurer may submit an application for a temporary permit as soon as a conflagration or catastrophe causing widespread property losses occurs and before a formal governmental disaster declaration has been made. An insurer may complete an application on the Department’s website. An insurer that completes an application on-line will receive the temporary permit by email or facsimile.
4. Hurricane and Windstorm Deductibles
An insurer should notify the Department whenever the insurer activates, or intends to activate, a hurricane or windstorm deductible under any property/casualty insurance policy. The insurer should notify the Department by sending an email to [email protected] or sending a facsimile to the attention of John Capuano at (518) 486-1503.
C. New York Information Network
On May 3, 2002, the former Insurance Department issued Insurance Circular Letter No. 12 (2002) establishing the New York Information Network (“NYIN”). The NYIN is the main conduit through which the Department will communicate intelligence reports and other critical but sensitive information on terrorism to the New York insurance community. As part of the NYIN, addressees’ chief executive officers (“CEOs”), or their equivalent, should designate a primary and secondary intelligence or information officer using the form available on the Department’s website. The primary intelligence or information officer will serve as the sole liaison for all terrorism-related intelligence and information. This person will be responsible for providing the Department with any such intelligence or information. In instances where the Department needs to communicate sensitive information to addressees, the Department will initiate the communication through the NYIN and information will be directed to the primary intelligence or information officer only. The secondary intelligence or information officer will serve as the back-up liaison when the primary intelligence or information officer is unavailable. The Department will contact the secondary intelligence or information officer when critical information must be relayed to the addressee and multiple attempts to contact the primary intelligence or information officer have failed.
The primary and secondary intelligence or information officers should be senior-level executives who possess the authority to communicate directly with the addressee’s CEO (or equivalent). A person should not serve as the primary and the secondary intelligence or information officer for the same addressee. For addressees that are a part of a group, the designation of the primary and secondary intelligence or information officer should be done on an individual addressee basis. While the same person may be designated as either the primary or secondary intelligence or information officer for individual addressees within a group, the designation should be entered separately for each addressee at the link provided above.
An addressee should provide the Department with updated information as soon as possible when any previously provided information changes.
This circular letter endeavors to assist addressees with planning and preparing for, and responding to, disasters. An addressee’s cooperation in furnishing timely and accurate responses is essential and appreciated by the Department and the people of New York State.
Please direct questions concerning this circular letter to Ashbert Carrington, Financial Services Examiner 2, by telephone at (212) 480-4702, by mail to the attention of Ashbert Carrington, Financial Services Examiner 2, at the New York State Department of Financial Services, One State Street, 22nd Floor, New York, NY 10004, or by e-mail to [email protected]
Very truly yours,
Linda A. Lacewell
Acting Superintendent of Financial Services