NU Online News Service

Washington --The insurance industry is prepared to resumecritical operations promptly following a terrorist attack, butstate insurance regulators should work to ensure that systems arein place to deal with such a disruption, the GovernmentAccountability Office said today.

In a report, the GAO recommended that state regulators, workingthrough the National Association of Insurance Commissioners andappropriate state officials, ensure capabilities are put in placefor recovering critical functions following a disruption.

The report was sought by Rep. Mike Oxley, R-Ohio, chairman ofthe House Financial Services Committee. It was sent to Rep. OxleyNov. 18 but released a month later, in line with GAO policy.

GAO examiners voiced concern over the fact that among the stateregulators they spoke to one had no backup computer systems, onehad no business continuity plans, and one had neither.

Current federal and state regulations, as well as NAICexamination guidelines, require insurers to have informationsecurity programs and business continuity plans but do not requireminimum recovery times, GAO noted.

In its report, GAO officials "suggested" the NAIC act on itsdecision to have more frequent independent testing of itsinformation security environment.

Further, the GAO said, state regulators, as they review theadequacy of their examination processes, consider whether changesare needed for content examination and structure related tobusiness continuity, recovery time objectives and outsourcing.

The report said that while a disruption to a large insurer couldpotentially affect millions of policyholders, "any effects wouldlikely not spread throughout the insurance sector because oflimited interdependencies among insurers and, unlike the securitiesmarkets, the lack of a single point through which insurancetransactions must pass."

The report also said that while state insurance regulators andthe NAIC provide important services to consumers and insurers,"such services are generally not time sensitive and a disruption ofone or two weeks would not have a significant effect."

For insurers, these actions typically included establishinggeographically dispersed backup sites and conducting criticaloperations at multiple geographically dispersed facilities.

Among property-casualty and life insurers, the highest prioritywas generally to recover investment and cash management functions,while among health insurers it was customer service and claimsprocessing, GAO said.

Most insurers said they could recover their highest priorityoperations within one day, and most other operations within threedays.

Regarding its concerns about NAIC policies, GAO said that stateinsurance examinations review information security and businesscontinuity as part of the larger objective of reviewing insurers'internal controls and insurer solvency, but do not require insurersto meet specific recovery objectives.

While state regulators stated they had informal expectationsthat insurers would recover certain critical operations, such asclaims processing, within two days after a disruption, "half of theinsurers GAO spoke with had set recovery goals for their claimsprocessing operations that would appear not to meet theseexpectations."

The GAO also said that it is not clear whether currentexamination guidelines and practices adequately address the trendamong insurers to outsource certain functions, especiallyinformation technology functions.

"For example," the report said, "some of the insurers GAO spokewith were outsourcing their computer system backup functions orportions of their claims-processing operations, but only one of theregulators said they had ever conducted audit work at such aservice provider."