N.Y. Updates Insurance Company Disaster Response, Recovery Plan Requirements
The New York Department of Financial Services (DFS) has issued updated disaster response and recovery plan requirements for all insurance companies licensed to conduct business in New York state.
It issued these updated requirements in light of disasters that may occur outside of New York, such as hurricanes, terrorist attacks or cybersecurity breaches, which could affect an insurer’s ability to serve New York consumers.
“When disaster strikes, as it did when Hurricanes Maria and Irma devastated Puerto Rico and the Virgin Islands last year, it is important for all insurers to be able to respond quickly and to be able to continue operations to ensure they can serve the increased needs of consumers resulting from the emergency, whether it’s a storm, a data breach or a terrorist attack,” said New York DFS Superintendent Maria Vullo in a DFS press release.
DFS is directing all insurers to submit updated disaster response and recovery plans and responses to online questionnaires by June 29, 2018. It also directed property and casualty companies to file responses to a Pre-Disaster Data Survey by May 19, 2018. The updated guidance for property and casualty companies now additionally requires mortgage insurers and title insurers to file a disaster response plan and questionnaire by Sept. 28, 2018.
Through the issuance of two updated circular letters, DFS advised insurers of their disaster-related obligations under New York’s insurance law. The first circular letter was directed to property and casualty insurers, including mortgage guaranty insurers, title insurers and captive insurers.
The second circular letter was directed to life insurers, as well as entities such as health insurers, fraternal benefit societies and employee welfare funds. The second circular letter was also updated to add student health plans, which are required to submit a disaster response plan and responses to the disaster response plan and business continuity questionnaires by Sept. 28, 2018.
In addition to filing a disaster response and recovery plan, insurers licensed in New York state are required to have a business continuity plan and regularly perform a business impact analysis to predict the consequences of disruption of a business function.
The guidance issued by DFS clarifies requirements for the business analysis. It should identify the operational and financial impacts resulting from the disruption of business functions and processes, and include, at a minimum, the following:
- The point in time when a business interruption would have a greater impact, such as a particular season or the end of the month or quarter;
- The amount of time before which the business interruption would have an operational or financial impact;
- The operational and financial impact of physical damage to buildings, damage to or breakdown of machinery, systems or equipment, restricted access to a site or building, a utility outage, damage to, loss or corruption of information technology and absenteeism of essential employees;
- Resources needed for the business to continue to function at varying levels of disruption;
- The potential for dissatisfaction or defection by policy owners, policyholders, contract holders, insureds, annuitants, payees, beneficiaries, third-party claimants and health service providers.
The circular letters also outline what an insurer’s business continuity plan should include at a minimum, such as:
- Defining the scope, objectives and assumptions of the business continuity plan;
- Defining the roles and responsibilities of employees;
- Identifying the lines of authority, succession of management and delegation of authority;
- Addressing interaction with external business entities, including contractors and vendors;
- Including results of a business impact analysis;
- Identifying recovery time objectives for business processes and information technology;
- Identifying the recovery point objective for data restoration;
- Setting forth detailed procedures, resource requirements and logistics for execution of all recovery strategies.
Electronic templates for responses to the pre-disaster survey and disaster response plan and business continuity plan questionnaires, and instructions for their completion and submission, are available on the DFS website.