On July 19, 2021, the New York Department of Financial Services (DFS) issued Circular Letters 6 and 7 (2021) (Circular Letters) setting forth DFS’s expectations for all New York-authorized insurers in planning and preparing for, and responding to, disasters that could affect the insurer’s ability to continue doing business and servicing customers in New York State. The Circular Letters require all New York-authorized insurers to submit to DFS by October 8, 2021, a disaster response plan, a response to a disaster response plan questionnaire, and a response to a business continuity plan questionnaire. Separate circular letters were issued for property/casualty and life and health insurers. Property/casualty insurers that wrote certain lines of business in New York in 2020 are also required to respond to a pre-disaster data survey by August 20, 2021. Copies of the questionnaires and instructions for submitting the requested information are available here.
The Circular Letters follow March 2020 Industry Letters in which DFS reminded all DFS-regulated institutions of their obligations to maintain disaster preparedness plans and requested assurance that all regulated entities have preparedness plans to address the operational risk, and are identifying, monitoring, and managing the financial risk, posed by the COVID-19 pandemic. The Circular Letters repeal and replace DFS Circular Letters 5 and 6 (2019), which also addressed disaster planning, preparedness, and response requirements for New York-authorized insurers.
The Circular Letters state that DFS expects all New York-authorized insurers to establish and maintain business continuity and disaster recovery plans that meet specified standards (discussed below). The Circular Letters acknowledge that “size, lines of business, and corporate structure var[y]” among insurers, and therefore “business continuity and disaster response plans should be appropriate for the nature, scale, and complexity of the [insurer] and the business it writes or conducts.” Insurers that are part of a group may be covered under a business continuity or disaster response plan established by another member of the group, but insurers should be prepared to demonstrate to DFS that the group plan provides for the needs of the insurer and its customers. If “in DFS’s judgment” the plan, as applied to the insurer, is inadequate, then DFS may ask the insurer to establish its own business continuity or disaster response plan. In all events, an insurer’s business continuity and disaster recovery plans should be reviewed and approved on at least an annual basis by either the insurer’s or the group member’s (as applicable) board of directors, or an appropriate committee thereof (or other governing body).
DFS also expects insurers to conduct at least annually (a) a business impact analysis to predict the consequences of disruption of any business function and process as a result of a disaster and gather information needed to develop recovery strategies, and (b) a risk-based analysis of its capacity to assist customers in New York State affected by a disaster occurring anywhere in the world, including in New York State. The results of these reviews should be used to update the business continuity and disaster recovery plans as necessary.
Business Continuity Plans
The business impact analysis that supports the business continuity plan should identify the operational and financial impacts of the disruption of business functions and processes and should consider the following, at a minimum, as relevant: (a) the point in time when a business interruption would have a greater impact, such as a particular season or the end of the month or quarter; (b) the amount of time before which the business interruption would have an operational or financial impact; (c) the operational and financial impact of physical damage to buildings; damage to or breakdown of machinery, systems, or equipment; restricted access to a site or building; a utility outage; damage to or loss or corruption of information technology; and absenteeism of essential employees; (d) resources needed for the business to continue to function at varying levels of disruption; and (e) potential for dissatisfaction of or defection by policyholders (or policy owners for life policies), contract holders, insureds (or annuitants, payees, and beneficiaries for life policies), and health service providers (collectively, “customers”).
The Circular Letters provide that a business continuity plan should, at a minimum, address the following items, as relevant:
- Define the scope, objectives, and assumptions of the business continuity plan;
- Address all significant business activities, including financial functions, underwriting and claims functions, telecommunication services, data processing, network services, and security and remote access, and assign a restoration priority to each significant business activity;
- Define the roles and responsibilities of employees;
- Identify the lines of authority, succession of management, and delegation of authority;
- Address communication and interaction with employees, customers, insurance producers, independent adjusters, and other external business entities, including contractors and vendors, and any contingency plans in the event that the insurance producers, independent adjusters, and other external business entities experience a business interruption;
- Include results of a business impact analysis;
- Identify recovery time objectives for business processes and information technology;
- Identify the recovery point objective for data restoration;
- Set forth detailed procedures, resource requirements, and logistics for execution of all recovery strategies;
- Set forth detailed procedures, resource requirements, and logistics for relocation to alternate work sites;
- Set forth detailed procedures; resource requirements, including a list of critical computer programs, operating systems, and data files; and a data restoration plan for the recovery of information technology, such as networks and required connectivity, servers, computers, wireless devices, applications, and data;
- Document all forms and resource requirements for all manual workarounds;
- Define procedures for incident detection and reporting, alerts and notifications, business continuity plan activation, emergency operations center activation, damage assessment and situation analysis, and the development and approval of an incident action plan;
- Describe a training curriculum for business continuity team members;
- Set forth a periodic review of the business continuity plan, including testing schedule, procedures, and forms for business and information technology recovery strategies; and
- Set forth a corrective action program to address deficiencies discovered as a result of testing or deployment of the business continuity plan.
The Circular Letters note that insurers located in the same geographic area may find it cost-effective to pool their resources and establish shared facilities, such as shared alternate work sites, in the event that their business functions and processes are disrupted as a result of a disaster. DFS encourages this kind of cooperative approach, provided that (a) insurers maintain separate management and operations; (b) insurers do not disclose confidential customer information without appropriate consent; and (c) insurers maintain records in compliance with New York law.
Disaster Recovery Plans
The Circular Letters provide that a disaster response plan should, at a minimum, address the following items, as relevant:
- The jurisdiction in which the insurer is domiciled;
- The addresses of the insurer’s offices where the following is handled for policies or contracts issued or delivered in New York: (a) claims; (b) policy or contract changes; (c) premium payments; (d) for life and annuity business, (i) cash value surrenders or withdrawals, (ii) policy loans, and (iii) changes to annuity payouts or separate account transfers; and (e) any other policy or contract holder services or administration;
- The kinds of insurance products sold or administered by the insurer;
- The methodology the insurer uses for identifying a disaster and determining whether the insurer should activate all or part of its disaster response plan;
- The name and title of the person responsible for activating the disaster response plan and for deactivating the plan;
- The name and title of the person responsible for monitoring the disaster response plan;
- The responsibilities and reporting authority of the disaster response team;
- The names of and contact information for the insurer’s primary and secondary employees who are available during and after a disaster to relay information between the insurer and DFS (“disaster liaisons”);
- The names of and contact information for the insurer’s primary and secondary employees who have control of the insurer’s disaster operations (“disaster leaders”);
- The way in which the insurer trains its employees and agents to assist customers during and after a disaster;
- The way in which the insurer prepares staff for their responsibility to respond to changing circumstances that, as a disaster enters varying stages, will necessitate activation of different phases and parts of the disaster response plan;
- The way in which the insurer will provide additional or alternative claims and customer service handling capacity and procedures, including ensuring that there are adequate personnel and information technology systems;
- If the insurer uses an independent adjuster or managing general agent (“MGA”), then the way in which the independent adjuster or MGA will provide additional or alternative claims and customer service handling capacity and procedures, including when the independent adjuster or MGA may be located in the disaster-affected area;
- Whether the insurer has a local or toll-free number for customers to report claims;
- Whether the insurer requires that there be legal counsel available to advise on coverage or claims issues;
- The steps the insurer will take to notify, in a timely manner, the insurer’s customers of any procedural changes;
- The additional or alternative communication channels the insurer will use to communicate with insurance producers or independent adjusters located in or servicing a disaster-affected area;
- If an insurer supplies facilities and equipment for insurance producers, then the alternate facilities or equipment the insurer will provide for producers affected by the disaster;
- The forms of personnel identification the insurer issues to independent adjusters and insurance producers to permit access to areas affected by a disaster;
- Whether mobile response vehicles may be deployed to a New York State disaster site;
- The additional or alternative procedures an insurer will use for detecting a fraudulent insurance act during and after a disaster; and
- The methodology the insurer uses to test the disaster response plan and the frequency of testing.
Pre-Disaster Survey for Property/Casualty Insurers
New York-authorized insurers that reported New York direct written premium on page 19 of their 2020 annual statement for any of the following lines of business are required to complete a pre-disaster data survey by August 20, 2021:
- 2.1 Allied Lines
- 2.2 Multiple Peril Crop
- 2.3 Federal Flood
- 3 Farmowners Multiple Peril
- 4 Homeowners Multiple Peril
- 5.1 Commercial Multiple Peril (Non-Liability Portion)
- 21.1 Private Passenger Auto Physical Damage
- 21.2 Commercial Auto Physical Damage
The survey requests the amount of insurance (gross exposure, not premiums) and policies in force, and for commercial and personal lines auto insurance, the number of vehicles covered by comprehensive insurance and the number of policies in force, for each county in New York State. Circular Letter 6 states that this information is being requested because the insurance industry has been identified as a key resource in providing early assessments following a disaster and that DFS will use the information to determine which insurers are the largest insurance writers in each New York county so that DFS knows which insurers to contact in the event of a disaster.
The Circular Letters also outline steps that should be taken following a disaster, including participation of disaster liaisons in New York State’s disaster response plan and post-disaster reporting; issuance of temporary independent adjuster licenses for property/casualty business; reporting requirements when insurers activate, or intend to activate, a hurricane or windstorm deductible; and designation of an insurer’s primary and secondary intelligence or information officers as part of the New York Information Network.