Insurance Circular Letter No. 11
July 25, 2022
All authorized life insurance companies, retirement systems, fraternal benefit societies, employee welfare funds, authorized accident and health insurance companies, Article 43 corporations, certified Public Health Law Article 44 health maintenance organizations, municipal cooperative health benefit plans, and student health plans certified pursuant to Insurance Law § 1124
Disaster Planning, Preparedness, and Response by the Life and Health Insurance Industries
STATUTORY AND REGULATORY REFERENCES: Insurance Law Sections 308, 1109, and 1124 and Articles 42, 43, 45, 46, and 47; Financial Services Law Section 202; and 11 NYCRR 243 (Insurance Regulation 152), 11 NYCRR 420 (Insurance Regulation 169), and 11 NYCRR 421 (Insurance Regulation 173).
Experience teaches us that disasters – crippling storms, floods, terrorist attacks, cybersecurity breaches, pandemics – can happen unexpectedly, meaning that we must be prepared to respond at every level if such an event occurs. This circular letter sets forth the standards expected of authorized life insurance companies, retirement systems, fraternal benefit societies, employee welfare funds, authorized accident and health insurance companies, Article 43 corporations, certified Public Health Law Article 44 health maintenance organizations, municipal cooperative health benefit plans, and student health plans certified pursuant to Insurance Law § 1124 (collectively, “addressees”) in planning and preparing for, and responding to, disasters occurring anywhere in the world, including in New York State, that could affect an addressee’s ability to continue doing business and servicing the people of New York State. This circular letter repeals and replaces Circular Letter No. 7 (2021). A separate circular letter covers disaster planning, preparedness, and response by the property/casualty industry.
When a disaster occurs in New York, the New York State Department of Financial Services (“Department”) provides the Governor and the New York State Office of Emergency Management (“SOEM”) with critical information regarding the amount and extent of losses, damages, personal injuries, and deaths resulting from the disaster. Based on this information, the Governor determines whether and when to request a federal disaster declaration and how to prioritize the deployment of state assets.
The insurance industry has been identified as a key resource in providing early assessments of losses, damages, personal injuries, and deaths arising from disasters, and plays an important role in quantifying the magnitude of losses, damages, personal injuries, and deaths, whether insured or uninsured, and in determining the appropriate response. Accordingly, all addressees should assist the Department with obtaining necessary information before, during, and after a disaster.
An integral part of the response to any disaster is the Department’s Insurance Emergency Operations Center (“IEOC”), which is staffed by insurance industry disaster liaisons and Department representatives, and which coordinates disaster responses. The Superintendent of Financial Services (“Superintendent”) will activate the IEOC in accordance with the nature and extent of the disaster. Where possible, the Superintendent will consult with the insurance industry before activating the IEOC.
- Before a Disaster Strikes
Each addressee should perform at least annually a business impact analysis to predict the consequences of disruption of any business function and process as a result of a disaster, and gather information needed to develop recovery strategies. The business impact analysis should identify the operational and financial impacts resulting from the disruption of business functions and processes and should consider the following, at a minimum, as relevant: (a) the point in time when a business interruption would have a greater impact, such as a particular season or the end of the month or quarter; (b) the amount of time before which the business interruption would have an operational or financial impact; (c) the operational and financial impact of physical damage to buildings; damage to or breakdown of machinery, systems, or equipment; restricted access to a site or building; a utility outage; damage to or loss or corruption of information technology; and absenteeism of essential employees; (d) resources needed for the business to continue to function at varying levels of disruption; and (e) potential for dissatisfaction or defection by policy owners, policyholders, contract holders, insureds, annuitants, payees, beneficiaries, and health service providers (collectively, “customers”).
An addressee should use the results of this analysis to establish, maintain, and update as necessary a business continuity plan. Each addressee also should perform at least annually a risk-based analysis of its capacity to assist customers in New York State affected by a disaster occurring anywhere in the world, including in New York State, and should use the results of this analysis to establish, maintain, and update as necessary a disaster response plan that takes into account the results of the analysis. The business continuity and disaster response plans should be separate documents.
The Department recognizes that size, lines of business, and corporate structure vary among addressees. Therefore, an addressee’s business continuity and disaster response plans should be appropriate for the nature, scale, and complexity of the addressee and the business it writes or conducts and should adhere to the standards set forth in this circular letter, as relevant.
The Department understands that certain addressees are members of holding company systems under Insurance Law Article 15 or are subsidiaries of parent corporations under Insurance Law Article 17 (collectively, “groups”). An addressee may be covered under a business continuity or disaster response plan established by the holding company or parent corporation or another member of the group. In such cases, the addressee should be prepared to demonstrate to the Department that the plan provides for the needs of the addressee and its customers. If the plan does not do so, or if, in the Department’s judgment, the plan, as applied to the addressee, is inadequate, then the Department will ask the addressee to establish its own business continuity or disaster response plan.
- Business Continuity Plan
A business continuity plan should, at a minimum, address the following items, as relevant:
a. define the scope, objectives, and assumptions of the business continuity plan;
b. address all significant business activities, including financial functions, underwriting and claims functions, telecommunication services, data processing, network services, and security and remote access, and assign a restoration priority to each significant business activity
c. define the roles and responsibilities of addressee employees;
d. identify the lines of authority, succession of management, and delegation of authority;
e. address communication and interaction with employees, customers, insurance producers, independent adjusters, and other external business entities, including contractors and vendors, and any contingency plans in the event that the insurance producers, independent adjusters, and other external business entities experience a business interruption;
f. include results of a business impact analysis;
g. identify recovery time objectives for business processes and information technology;
h. identify the recovery point objective for data restoration;
i. set forth detailed procedures, resource requirements, and logistics for execution of all recovery strategies;
j. set forth detailed procedures, resource requirements, and logistics for relocation to alternate worksites;
k. set forth detailed procedures, resource requirements, including a list of critical computer programs, operating systems, and data files, and a data restoration plan for the recovery of information technology, such as networks and required connectivity, servers, computers, wireless devices, applications, and data;
l. document all forms and resource requirements for all manual workarounds;
m. define procedures for incident detection and reporting, alerts and notifications, business continuity plan activation, emergency operations center activation, damage assessment and situation analysis, and the development and approval of an incident action plan;
n. describe a training curriculum for business continuity team members;
o. set forth a periodic review of the business continuity plan, including a testing schedule, procedures, and forms for business and information technology recovery strategies; and
p. set forth a corrective action program to address deficiencies discovered as a result of testing or deployment of the business continuity plan.
The business continuity plan should be reviewed and approved on at least an annual basis by either the addressee’s or the group member’s (1) board of directors, or appropriate committee thereof, or (2) governing body.
Addressees located in the same geographic area may find it cost-effective to pool their resources and establish shared facilities, such as shared alternate worksites, in the event that their business functions and processes are disrupted as a result of a disaster. The Department encourages this kind of cooperative approach, provided that: (1) the addressees maintain separate management and operations; (2) an addressee does not disclose confidential customer information without appropriate consent; and (3) an addressee maintains records in compliance with 11 NYCRR 243 (Insurance Regulation 152), 11 NYCRR 420 (Insurance Regulation 169), and 11 NYCRR 421 (Insurance Regulation 173).
- Disaster Response Plan
A disaster response plan should, at a minimum, address the following items, as relevant:
a. the jurisdiction in which the addressee is domiciled;
b. the addresses of the addressee’s offices where the following is handled for policies or contracts delivered or issued for delivery in New York: (i) claims; (ii) cash value surrenders or withdrawals; (iii) policy loans; (iv) changes to annuity payouts or separate account transfers; (v) other policy or contract changes; (vi) premium payments; and (vii) any other policy or contract holder or policy or contract owner services or administration;
c. the kinds of insurance products sold or administered by the addressee;
d. the methodology the addressee uses for identifying a disaster and determining whether the addressee should activate all or part of its disaster response plan;
e. the name and title of the person responsible for activating the disaster response plan and for deactivating the plan;
f. the name and title of the person responsible for monitoring the disaster response plan;
g. the responsibilities and reporting authority of the disaster response team;
h. the names of and contact information for the addressee’s primary and secondary employees who are available during and after a disaster to relay information between the addressee and the Department (“disaster liaisons”);
i. the names of and contact information for the addressee’s primary and secondary employees who have control of the addressee’s disaster operations (“disaster leaders”);
j. the way in which the addressee trains its employees and agents to assist customers during and after a disaster;
k. the way in which the addressee prepares staff for its responsibility to respond to changing circumstances, as a disaster enters varying stages, that will necessitate activation of different phases and parts of the disaster response plan;
l. the way in which the addressee will provide additional or alternative claims and customer service handling capacity and procedures, including ensuring that there is adequate personnel and information technology systems;
m. if the addressee uses an independent adjuster or managing general agent (“MGA”), then the way in which the independent adjuster or MGA will provide additional or alternative claims and customer service handling capacity and procedures, including when the independent adjuster or MGA may be located in the disaster-affected area;
n. whether the addressee has a local or toll-free number for customers to report claims;
o. whether the addressee requires that there be legal counsel available to advise on coverage or claim issues;
p. the steps the addressee will take to notify, in a timely manner, the addressee’s customers of any procedural changes;
q. the steps the addressee will take to notify, in a timely manner, insurance producers or independent adjusters of any procedural changes made in response to a disaster;
r. the additional or alternative communication channels the addressee will use to communicate with insurance producers or independent adjusters located in or servicing a disaster-affected area;
s. if an addressee supplies facilities and equipment for insurance producers, then the alternate facilities or equipment the addressee will provide for producers affected by the disaster;
t. the additional or alternative procedures an addressee will use for detecting a fraudulent insurance act during and after a disaster; and
u. the methodology the addressee uses to test the disaster response plan and the frequency of testing.
The disaster response plan should be reviewed and approved on at least an annual basis by either the addressee’s or the group member’s (1) board of directors, or appropriate committee thereof, or (2) governing body.
- Storage of Business Continuity and Disaster Response Plans
An addressee should distribute the business continuity and disaster response plans to all relevant employees. The business continuity team leader and disaster leader should maintain a master copy of the business continuity plan and disaster response plan, respectively. Copies of the business continuity and disaster response plans should be stored at a secure off-site location in a format that allows access if an addressee’s servers are down and allows for printing on demand.
- Filing of Disaster Response Plan and Questionnaire and Business Continuity Plan Questionnaire
By October 7, 2022, each addressee must submit to the Department a disaster response plan, a response to the disaster response plan questionnaire, and a response to the business continuity plan questionnaire, pursuant to Insurance Law § 308. Under Insurance Law § 308(a)(1), an addressee’s submission must include the signature of the officer or other executive who has responsibility for the oversight of the submission, affirming that the information set forth in the submission is true under penalty of perjury.
The Department requests that an addressee make all required submissions to the Department through the Department’s portal application. The instructions for completion and submission of the disaster response plan and questionnaire and business continuity plan questionnaire, as well as instructions for use of the portal application, are available on the Department’s website. An addressee should report to the Department as soon as possible any change in the information requested by submitting an updated response to the disaster response plan or business continuity plan questionnaire.
As indicated in the portal application, when submitting a disaster response plan, an addressee must document that the relevant board of directors, or appropriate committee thereof or, if there is no board of directors, then the governing body, approved the disaster response plan. An addressee must track any changes to the disaster response plan since the last submission so that the changes are readily identifiable by the Department. If the current disaster response plan is the same as the last plan filed with the Department, then an addressee need not submit the plan again. Rather, the addressee must indicate in the portal application that the previously filed disaster response plan is still in effect and upload to the portal application the signed affirmation referenced above.
A disaster response plan should include the name of the addressee or addressees covered by the disaster response plan, the addressee’s National Association of Insurance Commissioners (“NAIC”) number, and a contact person’s name, e-mail address, and telephone number. In addition, an addressee should submit a disaster response plan as a searchable document, such as an Adobe pdf file.
- Business Continuity Plan
- After a Disaster
- Disaster Liaisons
After a disaster, the Superintendent may contact designated addressee disaster liaisons representing addressees with the greatest amount of direct written premiums in the disaster area. Disaster liaisons should be prepared to participate in the state’s disaster response plan as follows:
- the Department will arrange a conference call of the selected disaster liaisons, where possible, following the occurrence of a disaster to discuss the disaster’s magnitude and the scope of IEOC activation plans;
- upon activation of the IEOC, disaster liaisons or their designees will be expected to staff the IEOC at the Department’s offices in Albany or New York City or an alternative location, as appropriate;
- the Department will provide a fully-equipped IEOC at one of the aforementioned locations;
- the Department will continue to coordinate communications through ongoing teleconference or videoconference calls in order to plan staffing of the IEOC, discuss with each addressee’s disaster liaison the addressee’s disaster operations, review each addressee’s disaster response plan, and discuss disaster operations and emerging issues; and
- disaster liaisons or their designees may be expected to remain on duty at the IEOC as determined by the Superintendent in consultation with the insurance industry.
Addressee disaster liaisons should:
- be members of the addressee’s disaster response team or manager-level employees who are familiar with addressee protocols and have access to critical information;
- provide coverage data and claim statistics as requested by the Department;
- be knowledgeable about addressee internal information systems and sources and authorized to access such systems, so that applicable, timely information can be provided to SOEM, the New York City Office of Emergency Management, and other emergency responders via the Department; and
- be prepared to remain on duty during the hours when the IEOC is operating, normally from 7:00 a.m. to 6:00 p.m., or for such time periods as necessary to assist with the effective management of the disaster. Depending on the level of the disaster, this may be a seven-day-per-week commitment.
- Post Disaster Coverage Data and Loss Statistics
After a disaster, the Department will contact disaster liaisons, as needed, who should provide the Department with coverage data and claim statistics. The Department may request the data and statistics on an on-going basis as necessary.
- Disaster Liaisons
- New York Information Network
On May 3, 2002, the former Insurance Department issued Insurance Circular Letter No. 12 (2002) establishing the New York Information Network (“NYIN”). The NYIN is the main conduit through which the Department will communicate intelligence reports and other critical but sensitive information on terrorism to the New York insurance community. As part of the NYIN, addressees’ chief executive officers (“CEOs”), or their equivalent, should designate a primary and secondary intelligence or information officer using the form available on the Department’s website. The primary intelligence or information officer will serve as the sole liaison for all terrorism-related intelligence and information. This person will be responsible for providing the Department with any such intelligence or information. In instances where the Department needs to communicate sensitive information to addressees, the Department will initiate the communication through the NYIN and information will be directed to the primary intelligence or information officer only. The secondary intelligence or information officer will serve as the back-up liaison when the primary intelligence or information officer is unavailable. The Department will contact the secondary intelligence or information officer when critical information must be relayed to the addressee and multiple attempts to contact the primary intelligence or information officer have failed.
The primary and secondary intelligence or information officers should be senior-level executives who possess the authority to communicate directly with the addressee’s CEO (or equivalent). A person should not serve as the primary and the secondary intelligence or information officer for the same addressee. For addressees that are a part of a group, the designation of the primary and secondary intelligence or information officer should be done on an individual addressee basis. While the same person may be designated as either the primary or secondary intelligence or information officer for individual addressees within a group, the designation should be entered separately for each addressee at the link provided above.
An addressee should provide the Department with updated information as soon as possible when any previously provided information changes.
This circular letter endeavors to assist addressees with planning and preparing for, and responding to, disasters. An addressee’s cooperation in furnishing timely and accurate responses is essential and appreciated by the Department and the people of New York State.
Please direct questions concerning this circular letter to Ashbert Carrington, Financial Services Examiner 2, by telephone at (212) 480-4702 or by e-mail to [email protected].
Very truly yours,
Adrienne A. Harris
Superintendent of Financial Services