The insurance industry is prepared to resume critical operations promptly following a terrorist attack, but state regulators should work to ensure that systems are in place to deal with such a disruption, the U.S. Government Accountability Office has warned.
In a report, GAO recommended that state regulators, working through the National Association of Insurance Commissioners and appropriate state officials, ensure that capabilities are put in place for recovering critical insurance functions following a terrorism disruption. The report was sought by Rep. Mike Oxley, R-Ohio, chair of the House Financial Services Committee.
GAO examiners voiced concern over the fact that among state regulators they spoke to, one had no backup computer systems, one had no business continuity plans, and one had neither.
Current federal and state regulations, as well as NAIC examination guidelines, require insurers to have information security programs and business continuity plans but do not require minimum recovery times, GAO noted. In its report, GAO officials “suggested” the NAIC act on its decision to have more frequent independent testing of its information security environment.
Further, the GAO said, state regulators, as they review the adequacy of their exam processes, should consider whether changes are needed to assess business continuity, recovery time objectives and outsourcing.
The report said that while a disruption to a large insurer could potentially affect millions of policyholders, “any effects would likely not spread throughout the insurance sector because of limited interdependencies among insurers and, unlike the securities markets, the lack of a single point through which insurance transactions must pass.”
The report also said that while state insurance regulators and the NAIC provide important services to consumers and insurers, “such services are generally not time-sensitive and a disruption of one or two weeks would not have a significant effect.”
For insurers, these actions typically included establishing geographically dispersed backup sites and conducting critical operations at multiple facilities.
The highest priority among property-casualty and life insurers was generally to recover investment and cash management functions, while among health insurers it was customer service and claims processing, GAO said. Most insurers said they could recover their highest priority operations within one day, and most other operations within three days.
Regarding its concerns about NAIC policies, GAO said state examinations review information security and business continuity as part of the larger objective of reviewing insurer internal controls and solvency, but do not require insurers to meet specific recovery objectives.
While state regulators stated they had informal expectations that insurers would recover certain critical operations, such as claims processing, within two days after a disruption, “half of the insurers GAO spoke with had set recovery goals for their claims processing operations that would appear not to meet these expectations.”
The GAO also said it is not clear whether current examination guidelines and practices adequately address the trend among insurers to outsource certain functions, especially those relating to information technology.
“For example,” the report said, “some of the insurers GAO spoke with were outsourcing their computer system backup functions or portions of their claims-processing operations, but only one of the regulators said they had ever conducted audit work at such a service provider.”