Insurance Circular Letter No. 7 (2021)
July 19, 2021
TO: All authorized life insurance companies, retirement systems, fraternal benefit societies, employee welfare funds, authorized accident and health insurance companies, Article 43 corporations, certified Public Health Law Article 44 health maintenance organizations, municipal cooperative health benefit plans, and student health plans certified pursuant to Insurance Law § 1124
RE:Disaster Planning, Preparedness, and Response by the Life and Health Insurance Industries
STATUTORY AND REGULATORY REFERENCES:Insurance Law Sections 308, 1109, and 1124 and Articles 42, 43, 45, 46, and 47; Financial Services Law Section 202; and 11 NYCRR 243 (Insurance Regulation 152), 11 NYCRR 420 (Insurance Regulation 169), and 11 NYCRR 421 (Insurance Regulation 173).
Experience teaches us that disasters – crippling storms, floods, terrorist attacks, cybersecurity breaches, pandemics – can happen unexpectedly, meaning that we must be prepared to respond at every level if such an event occurs.This circular letter sets forth the standards expected of authorized life insurance companies, retirement systems, fraternal benefit societies, employee welfare funds, authorized accident and health insurance companies, Article 43 corporations, certified Public Health Law Article 44 health maintenance organizations, municipal cooperative health benefit plans, and student health plans certified pursuant to Insurance Law § 1124 (collectively, “addressees”) in planning and preparing for, and responding to, disasters occurring anywhere in the world, including in New York State, that could affect an addressee’s ability to continue doing business and servicing the people of New York State.This circular letter repeals and replaces Circular Letter No. 6 (2019).A separate circular letter covers disaster planning, preparedness, and response by the property/casualty industry.
When a disaster occurs in New York, the New York State Department of Financial Services (“Department”) provides the Governor and the New York State Office of Emergency Management (“SOEM”) with critical information regarding the amount and extent of losses, damages, personal injuries, and deaths resulting from the disaster.Based on this information, the Governor determines whether and when to request a federal disaster declaration and how to prioritize the deployment of state assets.
The insurance industry has been identified as a key resource in providing early assessments of losses, damages, personal injuries, and deaths arising from disasters, and plays an important role in quantifying the magnitude of losses, damages, personal injuries, and deaths, whether insured or uninsured, and in determining the appropriate response.Accordingly, all addressees should assist the Department with obtaining necessary information before, during, and after a disaster.
An integral part of the response to any disaster is the Department’s Insurance Emergency Operations Center (“IEOC”), which is staffed by insurance industry disaster liaisons and Department representatives, and which coordinates disaster responses.The Superintendent of Financial Services (“Superintendent”) will activate the IEOC in accordance with the nature and extent of the disaster.Where possible, the Superintendent will consult with the insurance industry before activating the IEOC.
A. Before a Disaster Strikes
Each addressee should perform at least annually a business impact analysis to predict the consequences of disruption of any business function and process as a result of a disaster, and gather information needed to develop recovery strategies.The business impact analysis should identify the operational and financial impacts resulting from the disruption of business functions and processes and should consider the following, at a minimum, as relevant:(a) the point in time when a business interruption would have a greater impact, such as a particular season or the end of the month or quarter;(b) the amount of time before which the business interruption would have an operational or financial impact;(c) the operational and financial impact of physical damage to buildings; damage to or breakdown of machinery, systems, or equipment; restricted access to a site or building; a utility outage; damage to or loss or corruption of information technology; and absenteeism of essential employees; (d) resources needed for the business to continue to function at varying levels of disruption; and (e) potential for dissatisfaction or defection by policy owners, policyholders, contract holders, insureds, annuitants, payees, beneficiaries, and health service providers (collectively, “customers”).
An addressee should use the results of this analysis to establish, maintain, and update as necessary a business continuity plan.Each addressee also should perform at least annually a risk-based analysis of its capacity to assist customers in New York State affected by a disaster occurring anywhere in the world, including in New York State, and should use the results of this analysis to establish, maintain, and update as necessary a disaster response plan that takes into account the results of the analysis.The business continuity and disaster response plans should be separate documents.
The Department recognizes that size, lines of business, and corporate structure varies among addressees.Therefore, an addressee’s business continuity and disaster response plans should be appropriate for the nature, scale, and complexity of the addressee and the business it writes or conducts, and should adhere to the standards set forth in this circular letter, as relevant.
The Department understands that certain addressees are members of holding company systems under Insurance Law Article 15 or are subsidiaries of parent corporations under Insurance Law Article 17 (collectively, “groups”).An addressee may be covered under a business continuity or disaster response plan established by the holding company or parent corporation or another member of the group.In such cases, the addressee should be prepared to demonstrate to the Department that the plan provides for the needs of the addressee and its customers.If the plan does not do so, or if, in the Department’s judgment, the plan, as applied to the addressee, is inadequate, then the Department will ask the addressee to establish its own business continuity or disaster response plan.
1. Business Continuity Plan
A business continuity plan should, at a minimum, address the following items, as relevant:The business continuity plan should be reviewed and approved on at least an annual basis by either the addressee’s or the group member’s (1) board of directors, or appropriate committee thereof, or (2) governing body.
Addressees located in the same geographic area may find it cost-effective to pool their resources and establish shared facilities, such as shared alternate worksites, in the event that their business functions and processes are disrupted as a result of a disaster.The Department encourages this kind of cooperative approach, provided that:(1) the addressees maintain separate management and operations; (2) an addressee does not disclose confidential customer information without appropriate consent; and (3) an addressee maintains records in compliance with 11 NYCRR 243 (Insurance Regulation 152), 11 NYCRR 420 (Insurance Regulation 169), and 11 NYCRR 421 (Insurance Regulation 173).
2. Disaster Response Plan
A disaster response plan should, at a minimum, address the following items, as relevant:
The disaster response plan should be reviewed and approved on at least an annual basis by either the addressee’s or the group member’s (1) board of directors, or appropriate committee thereof, or (2) governing body.
3. Storage of Business Continuity and Disaster Response Plans
An addressee should distribute the business continuity and disaster response plans to all relevant employees. The business continuity team leader and disaster leader should maintain a master copy of the business continuity plan and disaster response plan, respectively. Copies of the business continuity and disaster response plans should be stored at a secure off-site location in a format that allows access if an addressee’s servers are down and allows for printing on demand.
4. Filing of Disaster Response Plan and Questionnaire and Business Continuity Plan Questionnaire
By October 8, 2021, each addressee must submit to the Department a disaster response plan, a response to the disaster response plan questionnaire, and a response to the business continuity plan questionnaire, pursuant to Insurance Law § 308.Under Insurance Law § 308(a)(1), an addressee’s submission must include the signature of the officer or other executive who has responsibility for the oversight of the submission, affirming that the information set forth in the submission is true under penalty of perjury.
The Department requests that an addressee make all required submissions to the Department through the Department’s Portal Application. The instructions for completion and submission of the disaster response plan and questionnaire and business continuity plan questionnaire, as well as instructions for use of the portal application, are available on this website. An addressee should report to the Department as soon as possible any change in the information requested by submitting an updated response to the disaster response plan or business continuity plan questionnaire.
Each addressee must submit its current disaster response plan, even if it is the same as the last plan filed with the Department. As indicated in the portal application, when submitting a disaster response plan, an addressee must document that the disaster response plan was approved by the relevant board of directors, or appropriate committee thereof or, if there is no board of directors, then the governing body. An addressee must track any changes to the disaster response plan since the last submission so that changes are readily identifiable by the Department.
A disaster response plan should include the name of the addressee or addressees covered by the disaster response plan, the addressee’s National Association of Insurance Commissioners (“NAIC”) number, and a contact person’s name, e-mail address, and telephone number. In addition, an addressee should submit a disaster response plan as a searchable document, such as an Adobe pdf file.
B. After a Disaster
1. Disaster Liaisons
After a disaster, the Superintendent may contact designated addressee disaster liaisons representing addressees with the greatest amount of direct written premiums in the disaster area. Disaster liaisons should be prepared to participate in the state’s disaster response plan as follows:
Addressee disaster liaisons should:
2. Post Disaster Coverage Data and Loss Statistics
After a disaster, the Department will contact disaster liaisons, as needed, who should provide the Department with coverage data and claim statistics. The Department may request the data and statistics on an on-going basis as necessary.
C. New York Information Network
On May 3, 2002, the former Insurance Department issued Insurance Circular Letter No. 12 (2002) establishing the New York Information Network (“NYIN”).The NYIN is the main conduit through which the Department will communicate intelligence reports and other critical but sensitive information on terrorism to the New York insurance community.As part of the NYIN, addressees’ chief executive officers (“CEOs”), or their equivalent, should designate a primary and secondary intelligence or information officer using the NYIN Designated Primary and Secondary Intelligence/Information Officers form available on this website.The primary intelligence or information officer will serve as the sole liaison for all terrorism-related intelligence and information.This person will be responsible for providing the Department with any such intelligence or information.In instances where the Department needs to communicate sensitive information to addressees, the Department will initiate the communication through the NYIN and information will be directed to the primary intelligence or information officer only.The secondary intelligence or information officer will serve as the back-up liaison when the primary intelligence or information officer is unavailable. The Department will contact the secondary intelligence or information officer when critical information must be relayed to the addressee and multiple attempts to contact the primary intelligence or information officer have failed.
The primary and secondary intelligence or information officers should be senior-level executives who possess the authority to communicate directly with the addressee’s CEO (or equivalent).A person should not serve as the primary and the secondary intelligence or information officer for the same addressee.For addressees that are a part of a group, the designation of the primary and secondary intelligence or information officer should be done on an individual addressee basis.While the same person may be designated as either the primary or secondary intelligence or information officer for individual addressees within a group, the designation should be entered separately for each addressee at the link provided above.
An addressee should provide the Department with updated information as soon as possible when any previously provided information changes.
This circular letter endeavors to assist addressees with planning and preparing for, and responding to, disasters.An addressee’s cooperation in furnishing timely and accurate responses is essential and appreciated by the Department and the people of New York State.
Please direct questions concerning this circular letter to Ashbert Carrington, Financial Services Examiner 2, by telephone at (212) 480-4702 or by e-mail to [email protected].
Very truly yours,
Linda A. Lacewell
Superintendent of Financial Services