Audit Questions Security of Louisiana Citizens’ Computer Systems

January 27, 2010

Louisiana’s property insurer of last resort allowed too much access to computer systems, opening the door for potential fraud, and failed to take enough steps to make sure that policy applicants were eligible for coverage, according to a state audit released Jan. 25.

The Legislative Auditor’s Office said it found enough problems with Louisiana Citizens Property Insurance Corp. that it could not issue an opinion on the accuracy of the insurer’s records.

In a response to the audit, which covered 2008, Citizens management concurred at least in part with most of the findings and said corrective action was being taken, including reducing computer access sharply and developing a written access policy.

Citizens, a nonprofit, taxpayer-backed insurer established in 2003 by the Legislature, provides property insurance for businesses and homeowners unable to get coverage from standard insurance companies, mostly in storm-vulnerable areas. It has struggled with its financial records since hurricanes Katrina and Rita hit in 2005.

CEO John Wortman, in an interview, said that much of the audit “pointed out what we already knew, that we had a faulty system.” Wortman, who has been chief executive for about three years, said the insurer was making good progress at fixing a slate of problems involving computer systems and producing accurate financial reports.

Among problems identified by the audit:

  • Citizens employees and non-employees were given excessive access to two computer systems: one that handles policies and claims processing, and another used for disbursements and financial statement preparation. The insurer lacked proper controls over the granting and termination of user IDs. As a result, data could be changed, exposing Citizens to fraud.

In a response, Citizens said the amount of access to both systems had been reduced to a handful of people and a new policy regarding system access was being developed. The insurer also said it had never had unauthorized access or changes to the systems.

  • Citizens did not follow state law to ensure that all applicants were eligible for coverage. Thirty-four of 35 applications reviewed did not disclose – as required by law – whether the applicant had been denied coverage by at least one standard insurer.

Citizens eventually is supposed to place all of its policyholders in the private insurance market. “If Citizens issues coverage to those who could get coverage elsewhere, then legislative intent for Citizens to be the insurer of last resort would not be met,” the audit said.

Citizens said it was installing a new system to prohibit issuance of new policies to property owners who have not been denied private coverage.

  • Citizens did not comply with requirements of a program to place its policyholders with private insurers. Instead of bundling the policies, private companies were allowed to determine selectively which customers they wanted to assume, the audit said.

Citizens says it had about 131,000 policies at the end of 2009 and hopes to cut that number to about 120,000 by the end of the year. Citizens had 167,000 policies in 2007.

In a response, Citizens said it believes its program meets the intent of the law and is successfully steering its policyholders to private insurers.

  • Citizens submitted an inaccurate and incomplete fiscal report to the state for 2008, including inaccurate statements of assets and liabilities.

Wortman said the insurer had been struggling with incomplete financials, and filed all quarterly financial statements on time in 2009 for the first time. Wortman also said Citizens is now producing monthly financial statements and an annual budget that have to be approved by the board.

In a finding briskly objected to by Wortman, the audit said Citizens had an inadequate process for developing loss reserves – money set aside to pay out future claims. Wortman said the auditor’s office “does not understand property casualty insurance reserving practices,” as well as claim handling.