Connecticut Insurance Department adopts NAIC model bulletin on AI

Eversheds Sutherland (US) LLP

On February 26, 2024, the Connecticut Insurance Department (the CID) adopted Bulletin No. MC-25 on the “Use of Artificial Intelligence Systems in Insurance” (Connecticut Bulletin). This Connecticut Bulletin is similar to the National Association of Insurance Commissioners (NAIC) Model Bulletin regarding the “Use of Artificial Intelligence Systems by Insurers” (Model Bulletin), which was adopted by the NAIC on December 4, 2023. Connecticut is the third state, after Alaska and New Hampshire, to adopt the Model Bulletin, with additional states expected to adopt it in the near future. In addition, New York has released a proposed circular letter for public comment and Colorado has adopted a regulation (and will likely adopt further regulations requiring insurers to test their use of external data and artificial intelligence for bias) that goes beyond the standards set forth in the Model Bulletin.

The Connecticut Bulletin sets forth the expectations of the CID regarding the regulation of insurers’ artificial intelligence systems (AI or AI System) under existing Connecticut insurance law, including the unfair trade practice and unfair discrimination laws. Pursuant to the Connecticut Bulletin, insurers are expected to implement and maintain a written, board-approved program (AIS Program) that will establish a governance framework and risk management controls and specify internal audit’s role in governing the insurer’s use of AI in order to ensure that AI is accurate, reliable, transparent and not being used in an unfairly discriminatory manner.

In substance, the Connecticut Bulletin largely follows the Model Bulletin although, unlike the Model Bulletin, Connecticut domestic insurers must complete an annual Artificial Intelligence Certification, certifying that the insurer is in compliance with the Connecticut Bulletin and that it will make all information and documentation related to its AI Systems available upon request. The Artificial Intelligence Certification is due on September 1, 2024, and annually thereafter.

OVERVIEW

Purpose. The purpose of the Connecticut Bulletin is to ensure that insurers are aware of CID’s expectations concerning the regulation of AI Systems under existing law. The CID is aware that AI and AI Systems pose unique risks to consumers, including the potential for inaccuracies, unfair discrimination, data vulnerability, lack of transparency and explainability. It expects insurers to take steps to minimize these risks.

Scope. The Connecticut Bulletin requires all authorized insurers to adopt an AIS Program governing their use of AI. The insurer must ensure that the AI System complies with applicable law and regulations, including, at a minimum, that the AI System: (i) does not constitute an unfair and deceptive act and practice; and (ii) does not result in excessive, inadequate or unfairly discriminatory insurance rates. The certification requirement referenced above applies only to Connecticut domestic insurers.

Definition of AI. “AI Systems” is defined to mean “machine-based systems designed to simulate human intelligence to perform tasks, such as analysis and decision-making, given a set of human-defined objectives”. This definition treats machine learning as a subset of artificial intelligence.

AI PROGRAM GUIDELINES

General Requirements. Under the Connecticut Bulletin, insurers are required to adopt a written AIS Program that sets out a governance and risk management framework for their AI Systems, including AI Systems developed by third parties. The AIS Program may be incorporated into the insurer’s Enterprise Risk Management (ERM) program or it may stand alone, and it may rely on standards developed by third parties, such as the National Institute of Standards and Technology (NIST) Artificial Intelligence Risk Management Framework, Version 1.0. In addition, the AIS Program should address the following:

  • Ensure compliance with all applicable insurance laws and regulations and mitigate the risk the AI System will result in an adverse consumer outcome that would violate Connecticut’s unfair discrimination or other applicable laws.
  • Address internal audit functions.
  • Appoint senior management, accountable to the board or committee of the board, responsible for developing, implementing, monitoring and overseeing the AI System.
  • Address the use of the AI System across the full range of an insurance product’s life cycle, including product development, marketing, underwriting, case management, claim administration and fraud detection.
  • Address all phases of the AI System life cycle, including design, development, validation, implementation, monitoring, updating and retirement.
  • Develop policies to provide adequate notice to consumers of the insurer’s use of AI.

Governance. The AI Program requires that the AIS Program include a governance framework which addresses, among other things, the following:

  • The policies, processes and procedures to be followed at each stage of the AI System’s life cycle.
  • Documentation requirements regarding compliance with the insurer’s AI policies, processes and procedures.
  • An internal governance accountability structure that may include:
    • The formation of a centralized committee to monitor AI compliance;
    • The responsibilities, scope of authority and chain of command for personnel responsible for compliance with the AIS Program;
    • The adoption of a reporting and escalation protocol; and
    • The implementation of ongoing training and supervision of personnel.
  • If applicable, the policies and procedures governing the use of predictive models, including the methods used to detect errors, performance issues, outliers or unfair discrimination.

Risk Management. The AI Program should also document the insurer’s risk identification, mitigation and management framework. This risk management framework should address the following, among other things:

  • The oversight and approval process for the development, adoption and acquisition of AI Systems.
  • Data practices and accountability procedures, including data quality, integrity, bias analysis and minimization, among other items.
  • The management and oversight of algorithms and predictive models, including, but not limited to:
    • A description of the predictive models;
    • Detailed documentation on the use of algorithms and predictive models; and
    • A regular assessment of the predictive models, including for tuning, reproducibility and evaluation for model drift purposes.
  • The validation, testing and retesting of data, algorithms and models, specifically to identify errors and bias in the AI Systems, including the potential for unfair discrimination.
  • Data and record retention policies regarding the AI Systems.
  • The protection of non-public information, including unauthorized access to the algorithms or models.
  • If applicable, a description of the predictive model’s intended goals and how the predictive model is developed to achieve those goals.

Third-Party AI Systems. The AI Program must address the insurer’s process and policies for acquiring, using, relying on and validating any third-party data and AI Systems, which may include, as appropriate, policies and procedures addressing the following:

  • The due diligence procedures to assess the third party’s AI Systems, including its governance and risk management protocols.
  • The establishment of contractual terms, where appropriate, with the third party requiring that the third party:
    • Provide audit rights regarding the AI System; and
    • Cooperate with the insurer to address any regulatory inquiries and investigations.

Regulatory Oversight and Examination. Under the Connecticut Bulletin, CID may conduct investigations or market conduct examinations relating to the insurer’s use of AI. Such investigations can include requests for documentation relating to the insurer’s AIS Program, its governance framework, risk management and internal controls, including any third-party AI Systems.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
