Insurance Circular Letter No. 6 (2019)
April 17, 2019
All authorized life insurance companies, retirement systems, fraternal benefit societies, employee welfare funds, authorized accident and health insurance companies, Article 43 corporations, certified Public Health Law Article 44 health maintenance organizations, municipal cooperative health benefit plans, and student health plans certified pursuant to Insurance Law § 1124
Disaster Planning, Preparedness, and Response by the Life and Health Insurance Industries
STATUTORY AND REGULATORY REFERENCES: Insurance Law Sections 308, 1109, and 1124 and Articles 42, 43, 45, 46, and 47; Financial Services Law Section 202; and 11 NYCRR 243 (Insurance Regulation 152), 11 NYCRR 420 (Insurance Regulation 169), and 11 NYCRR 421 (Insurance Regulation 173).
Experience teaches us that disasters – crippling storms, terrorist attacks, cybersecurity breaches – can happen unexpectedly, meaning that we must be prepared to respond at every level if such an event occurs. This circular letter sets forth the standards expected of authorized life insurance companies, retirement systems, fraternal benefit societies, employee welfare funds, authorized accident and health insurance companies, Article 43 corporations, certified Public Health Law Article 44 health maintenance organizations, municipal cooperative health benefit plans, and student health plans certified pursuant to Insurance Law § 1124 (collectively, “addressees”) in planning and preparing for, and responding to, disasters occurring anywhere in the world, including in New York State, that could affect an addressee’s ability to continue doing business and servicing the people of New York State. This circular letter repeals and replaces Circular Letter No. 4 (2018). A separate circular letter covers disaster planning, preparedness, and response by the property/casualty industry.
When a disaster occurs in New York, the New York State Department of Financial Services (“Department”) provides the Governor and the New York State Office of Emergency Management (“SOEM”) with critical information regarding the amount and extent of losses, damages, personal injuries, and deaths resulting from the disaster. Based on this information, the Governor determines whether and when to request a federal disaster declaration and how to prioritize the deployment of state assets.
The insurance industry has been identified as a key resource in providing early assessments of losses, damages, personal injuries, and deaths arising from disasters, and plays an important role in quantifying the magnitude of losses, damages, personal injuries, and deaths, whether insured or uninsured, and in determining the appropriate response. Accordingly, all addressees should assist the Department with obtaining necessary information before, during, and after a disaster.
An integral part of the response to any disaster is the Department’s Insurance Emergency Operations Center (“IEOC”), which is staffed by insurance industry disaster liaisons and Department representatives, and which coordinates disaster responses. The Superintendent of Financial Services (“Superintendent”) will activate the IEOC in accordance with the nature and extent of the disaster. Where possible, the Superintendent will consult with the insurance industry before activating the IEOC.
A. Before a Disaster Strikes
Each addressee should perform regularly a business impact analysis to predict the consequences of disruption of a business function and process as a result of a disaster, and gather information needed to develop recovery strategies. The business impact analysis should identify the operational and financial impacts resulting from the disruption of business functions and processes and should consider the following, at a minimum, as relevant: (a) the point in time when a business interruption would have a greater impact, such as a particular season or the end of the month or quarter; (b) the amount of time before which the business interruption would have an operational or financial impact; (c) the operational and financial impact of physical damage to buildings; damage to or breakdown of machinery, systems, or equipment;restricted access to a site or building;a utility outage; damage to or loss or corruption of information technology; absenteeism of essential employees; (d) resources needed for the business to continue to function at varying levels of disruption; and (e) potential for dissatisfaction or defection by policy owners, policyholders, contract holders, insureds, annuitants, payees, beneficiaries, and health service providers (collectively, “customers”)
An addressee should use the results of this analysis to establish, maintain, and periodically update a business continuity plan. Each addressee also should perform regularly a risk-based analysis of its capacity to assist customers in New York State affected by a disaster occurring anywhere in the world, including in New York State, and should use the results of this analysis to establish, maintain, and periodically update a disaster response plan that takes into account the results of the analysis. The business continuity and disaster response plans should be separate documents.
The Department recognizes that size, lines of business, and corporate structure varies among addressees. Therefore, an addressee’s business continuity and disaster response plans should be appropriate for the nature, scale, and complexity of the addressee and the business it writes or conducts, and should adhere to the standards set forth in this circular letter, as relevant.
The Department understands that certain addressees are members of holding company systems under Insurance Law Article 15 or are subsidiaries of parent corporations under Insurance Law Article 17 (collectively, “groups”). An addressee may be covered under a business continuity or disaster response plan established by the holding company or parent corporation or another member of the group. In such cases, the addressee should be prepared to demonstrate to the Department that the plan provides for the needs of the addressee and its customers. If the plan does not do so, or if, in the Department’s judgment, the plan, as applied to the addressee, is inadequate, then the Department will ask the addressee to establish its own business continuity or disaster response plan.
1. Business Continuity Plan and Questionnaire
A business continuity plan should , at a minimum, address the following items, as relevant:
- define the scope, objectives, and assumptions of the business continuity plan;
- define the roles and responsibilities of addressee employees;
- identify the lines of authority, succession of management, and delegation of authority;
- address interaction with external business entities, including contractors and vendors;
- include results of a business impact analysis;
- identify recovery time objectives for business processes and information technology;
- identify the recovery point objective for data restoration;
- set forth detailed procedures, resource requirements, and logistics for execution of all recovery strategies;
- set forth detailed procedures, resource requirements, and logistics for relocation to alternate worksites;
- set forth detailed procedures, resource requirements, and a data restoration plan for the recovery of information technology, such as networks and required connectivity, servers, computers, wireless devices, applications, and data;
- document all forms and resource requirements for all manual workarounds;
- define procedures for incident detection and reporting, alerts and notifications, business continuity plan activation, emergency operations center activation, damage assessment and situation analysis, and the development and approval of an incident action plan;
- describe a training curriculum for business continuity team members;
- set forth a testing schedule, procedures, and forms for business recovery strategies and information technology recovery strategies;
- set forth a schedule, triggers, and assignments for the periodic review of the business continuity plan; and
- set forth a corrective action program to address deficiencies.
The business continuity plan should be reviewed and approved on at least an annual basis by either the addressee’s or the group member’s (1) board of directors, or appropriate committee thereof, or (2) governing body.
Addressees located in the same geographic area may find it cost-effective to pool their resources and establish shared facilities, such as shared alternate worksites, in the event their business functions and processes are disrupted as a result of a disaster. The Department encourages this kind of cooperative approach, provided that: (1) the addressees maintain separate management and operations; (2) an addressee does not disclose confidential customer information without appropriate consent; and (3) an addressee maintains records in compliance with 11 NYCRR 243 (Insurance Regulation 152), 11 NYCRR 420 (Insurance Regulation 169), and 11 NYCRR 421 (Insurance Regulation 173).
2. Disaster Response Plan and Questionnaire
A disaster response plan should, at a minimum, address the following items, as relevant:
a. the jurisdiction in which the addressee is domiciled;
b. the address of the addressee’s headquarters;
c. the addresses of the addressee’s offices where the following is handled for policies or contracts delivered or issued for delivery in New York: (i) claims; (ii) cash value surrenders or withdrawals; (iii) policy loans; (iv) changes to annuity payouts or separate account transfers; (v) other policy or contract changes; (vi) premium payments; and (vii) any other policy or contract holder or policy or contract owner services or administration;
d. the kinds of insurance products sold or administered by the addressee;
e. the methodology the addressee uses for identifying a disaster and determining whether the addressee should activate all or part of its disaster response plan;
f. the name and title of the person responsible for activating the disaster response plan and for deactivating the plan;
g. the name and title of the person responsible for monitoring the disaster response plan;
h. the responsibilities and reporting authority of the disaster response team;
i. the names of and contact information for the addressee’s primary and secondary employees who are available during and after a disaster to relay information between the addressee and the Department (“disaster liaisons”);
j. the names of and contact information for the addressee’s primary and secondary employees who have control of the addressee’s disaster operations (“disaster leaders”);
k. the way in which the addressee trains its employees and agents to assist customers during and after a disaster;
l. the way in which the addressee will provide additional or alternative claims and customer service handling capacity and procedures, including ensuring that there is adequate personnel and information technology systems;
m. if the addressee uses an independent adjuster or managing general agent (“MGA”), then the way in which the independent adjuster or MGA will provide additional or alternative claims and customer service handling capacity and procedures, including when the independent adjuster or MGA may be located in the disaster-affected area;
n. the steps the addressee will take to notify, in a timely manner, the addressee’s customers of any procedural changes;
o. the steps the addressee will take to notify, in a timely manner, insurance producers or insurance adjusters of any procedural changes made in response to a disaster;
p. the additional or alternative communication channels the addressee will use to communicate with insurance producers or insurance adjusters located in or servicing a disaster-affected area;
q. if an addressee supplies facilities and equipment for insurance producers, then the alternate facilities or equipment the addressee will provide for producers affected by the disaster;
r. the additional or alternative procedures an addressee will use for detecting a fraudulent insurance act during and after a disaster; and
s. the methodology the addressee uses to test the disaster response plan and the frequency of testing.
The disaster response plan should be reviewed and approved on at least an annual basis by either the addressee’s or the group member’s (1) board of directors, or appropriate committee thereof, or (2) governing body.
3. Storage of Business Continuity and Disaster Response Plans
An addressee should distribute the business continuity and disaster response plans to all relevant employees. The business continuity team leader and disaster leader should maintain a master copy of the business continuity plan and disaster response plan, respectively. Copies of the business continuity and disaster response plans should be stored at a secure off-site location in a format that allows access if an addressee’s servers are down and allows for printing on demand.
4. Filing of Disaster Response Plan and Questionnaires
By June 28, 2019, each addressee must submit to the Department a disaster response plan, a response to the disaster response plan questionnaire, and a response to the business continuity plan questionnaire, pursuant to Insurance Law § 308. The electronic templates for the disaster response plan and business continuity plan questionnaires, and instructions for their completion and submission, are available on the Department’s website. An addressee should report to the Department as soon as possible any change in the information requested by submitting an updated response to the disaster response plan or business continuity plan questionnaire.
When submitting a disaster response plan, an addressee must document that the disaster response plan was approved by the relevant board of directors, or appropriate committee thereof or, if there is no board of directors, then the governing body. If the current disaster response plan is the same as the last plan filed with the Department, then an addressee need not submit the plan again. Instead, the addressee must submit a statement indicating that the previously filed disaster response plan is still in effect.
A disaster response plan or the statement indicating that the previously filed disaster response plan is still in effect should include the name of the addressee or addressees covered by the disaster response plan, the addressee’s National Association of Insurance Commissioners (“NAIC”) number, and a contact person’s name, e-mail address, and telephone number. In addition, an addressee should submit a disaster response plan as a searchable document, such as an Adobe pdf file.
The Department requests that an addressee submit a disaster response plan, a response to the disaster response plan questionnaire, and a response to the business continuity plan questionnaire to the Department through the Department’s portal application, though it may mail or deliver them to the Department in hard copy. Please name the file “Disaster Response Plan” when submitting a disaster response plan or the aforementioned statement through the Department’s portal application.
If an addressee submits the documents as a hard copy, then the addressee should mail or deliver the documents to the Department to the attention of Ashbert Carrington, Financial Services Examiner 2, New York State Department of Financial Services, One State Street, 22nd Floor, New York, NY 10004.
B. After a Disaster
1. Disaster Liaisons
After a disaster, the Superintendent may contact designated addressee disaster liaisons representing addressees with the greatest amount of direct written premiums in the disaster area. Disaster liaisons should be prepared to participate in the state’s disaster response plan as follows:
- the Department will arrange a conference call of the selected disaster liaisons, where possible, following the occurrence of a disaster to discuss the disaster’s magnitude and the scope of IEOC activation plans;
- upon activation of the IEOC, disaster liaisons or their designees will be expected to staff the IEOC at the Department’s offices in Albany or New York City or an alternative location, as appropriate;
- the Department will continue to coordinate communications through ongoing teleconference calls in order to plan staffing of the IEOC, discuss with each addressee’s disaster liaison the addressee’s disaster operations, review each addressee’s disaster response plan, and discuss disaster operations and emerging issues; and IEOC at the Department’s offices in Albany or New York City or an alternative location, as appropriate;
- disaster liaisons or their designees may be expected to remain on duty at the IEOC as determined by the Superintendent in consultation with the insurance industry.
Addressee disaster liaisons should:
- be members of the addressee’s disaster response team or manager-level employees who are familiar with addressee protocols and have access to critical information;
- provide coverage data and claim statistics as requested by the Department;
- be knowledgeable about addressee internal information systems and sources and authorized to access such systems, so that applicable, timely information can be provided to SOEM, the New York City Office of Emergency Management, and other emergency responders via the Department; and
- be prepared to remain on duty during the hours when the IEOC is operating, normally from 7:00 a.m. to 6:00 p.m., or for such time periods as necessary to assist with the effective management of the disaster. Depending on the level of the disaster, this may be a seven-day-per-week commitment.
2. Post Disaster Coverage Data and Loss Statistics
After a disaster, the Department will contact disaster liaisons, as needed, who should provide the Department with coverage data and claim statistics. The Department may request the data and statistics on an on-going basis as necessary.
C. New York Information Network
On May 3, 2002, the former Insurance Department issued Insurance Circular Letter No. 12 (2002) establishing the New York Information Network (“NYIN”). The NYIN is the main conduit through which the Department will communicate intelligence reports and other critical but sensitive information on terrorism to the New York insurance community. As part of the NYIN, addressees’ chief executive officers (“CEOs”), or their equivalent, should designate a primary and secondary intelligence or information officer using the form available on the Department’s website. The primary intelligence or information officer will serve as the sole liaison for all terrorism-related intelligence and information. This person will be responsible for providing the Department with any such intelligence or information. In instances where the Department needs to communicate sensitive information to addressees, the Department will initiate the communication through the NYIN and information will be directed to the primary intelligence or information officer only. The secondary intelligence or information officer will serve as the back-up liaison when the primary intelligence or information officer is unavailable. The Department will contact the secondary intelligence or information officer when critical information must be relayed to the addressee and multiple attempts to contact the primary intelligence or information officer have failed.
The primary and secondary intelligence or information officers should be senior-level executives who possess the authority to communicate directly with the addressee’s CEO (or equivalent). A person should not serve as the primary and the secondary intelligence or information officer for the same addressees that are a part of a group, the designation of the primary and secondary intelligence or information officer should be done on an individual addressee basis. While the same person may be designated as either the primary or secondary intelligence or information officer for individual addressees within a group, the designation should be entered separately for each addressee at the link provided above.
An addressee should provide the Department with updated information as soon as possible when any previously provided information changes.
This circular letter endeavors to assist addressees with planning and preparing for, and responding to, disasters. An addressee’s cooperation in furnishing timely and accurate responses is essential and appreciated by the Department and the people of New York State.
Please direct questions concerning this circular letter to Ashbert Carrington, Financial Services Examiner 2, by telephone at (212) 480-4702, by mail to the attention of Ashbert Carrington, Financial Services Examiner 2, at the New York State Department of Financial Services, One State Street, 22nd Floor, New York, NY 10004, or by e-mail to [email protected]
Very truly yours,
Linda A. Lacewell
Acting Superintendent of Financial Services