Insurance Coverage Law Center: What insurance legislative and regulatory trends were significant throughout 2021?

Dinallo: Policymakers continue to work on better ways to protect businesses against the financial devastation caused by a pandemic. Several state legislatures have open bills regarding business interruption insurance policies, and at the federal level, where I am working as part of a task force on this issue, ideas being considered include the creation of a federal backstop to cover business interruption losses arising from a pandemic, similar to way the Terrorism Risk Insurance Act and its extensions have addressed physical terrorism. There is also the Pandemic Risk Insurance Act of 2021 ("PRIA"), proposed by Rep. Carolyn Maloney (D-NY), which would make coverage available for pandemic-related business interruption losses via a public/private solution. In this scenario, private insurers would be mandated to participate in the market, but the federal government would pay for 95% of the covered losses.  Other solutions proposed by companies involve semi-private pooling schemes, public/private reinsurance schemes, and public funds for noninsurable risks.

Another major regulatory focus has been artificial intelligence ("AI") and potential proxy discrimination relating to insurance underwriting, particularly with respect to life insurance. Since the New York Department of Financial Services ("DFS") issued Circular Letter No. 1 (2019) providing guidance on potential unfair discrimination in the use of insurance algorithms and how insurers might test for such discrimination, we have seen Colorado's legislature and Connecticut's Insurance Department take steps requiring insurers to investigate whether their AI models or use of external data might unfairly discriminate based on certain protected characteristics.  These states are strongly telegraphing that policymakers care about this issue and will be scrutinizing it in the coming years.

Related to this, the National Association of Insurance Commissioners (the "NAIC") voted unanimously in August to study the underlying causes of racial discrimination in the insurance industry, including how the use of credit scores in determining rates disadvantages people of color.  This followed another vote to approve a proposal by the NAIC's Special Committee on Race and Insurance to study the intersection of data and race, including identifying which variables may serve as proxies for race and examining data for biases and potential disparate impact considerations.  Recognizing that AI can amplify potential biases, the Special Committee is coordinating with the NAIC's Big Data and AI Working Group to address "issues affecting people of color and/or historically underrepresented groups, particularly in predictive modeling, price algorithms, and artificial intelligence (AI)."  We are watching the work of these NAIC groups very closely, as we expect that the intersection of AI and discrimination will remain a major focus for regulators – and an area where companies would be well served to get in front of these issues by proactively assessing and mitigating risk.

Climate risk is another major area of focus.  In November, the DFS issued final guidance (the "Guidance") for how New York domestic insurers should manage the financial risks of climate change, following up on the DFS's prior draft proposed guidance, circular letter, and report.  The Guidance sets forth expectations of NY Insurers in the following areas: (1) governance, (2) risk management decision-making processes, (3) scenario analysis, and (4) disclosure.  The Guidance generally urges significant implementation over the next two or three years but sets an August 15, 2022, deadline for New York domestic insurers to meet expectations regarding board governance and to have specific plans in place regarding their organizational structures.  DFS expects each insurer to designate both "a member or committee(s) of its board" and "one or more members of its senior management as responsible for the oversight of the insurer's management of climate risks."

In 2021, the DFS also issued guidance on diversity, equity and inclusion ("DEI") and corporate governance to the insurance industry and financial institutions emphasizing that DEI is a strategic business priority for diverse leadership teams and decision-making and developing DEI talent.

The DFS is also conducting targeted cybersecurity investigations for compliance with Part 500 (its cybersecurity regulation).  The DFS has been finding violations, including failure to implement multi factor authentication ("MFA"), failure to report cybersecurity events, filing of false annual certification of compliance certificates, and lack of adequate third-party provider policies.  The DFS also just issued new detailed guidance emphasizing the importance of MFA.

Additional trends include increased pricing for cybersecurity policies due to the increase in cybersecurity attacks, incomplete information for insurers underwriting and pricing cybersecurity policies (including the full extent of damages still to be seen), and disputes about cybersecurity coverage in existing policies (including, e.g., silent cyber risk in crime and liability policies).

Insurance Coverage Law Center: What kinds of insurance litigation do you expect to see more of in 2022?

Eric Dinallo: As regulators begin to provide more guidance on the intersection of AI and discrimination, we believe we could see more targeted exams and enforcement actions around potential proxy discrimination involving large data sets or advanced modeling techniques.  As we have mentioned above and throughout our Debevoise webcasts, we are working with insurers to face complex, ongoing challenges regarding which factors they may use in their underwriting and which frameworks should be followed in integrating complex or novel technologies.

We also expect that insurers will need to be vigilant in the areas of ESG, including regarding climate risks in assets and liabilities, and in DEI issues.

Regarding cybersecurity, the DFS has stated that it intends to reopen Part 500 for refinement to take into account the changing landscape of cybersecurity in the five years since the DFS promulgated the regulation (e.g., the greatly increased incidence of ransomware).  Also, cyber insurance is now sought by a much broader array of businesses and will be tested against losses and policyholder expectations.

Insurance Coverage Law Center: Is there anything else about the transition between 2021 and 2022 that you think will have an impact on the insurance industry?

Eric Dinallo: We believe the next year will see the insurance industry and regulators strongly focus on determining what constitutes proxy discrimination and what does not, better defining appropriate practices in this area.  Additionally, regulators and insurers will continue to assess ESG issues.  There is serious work to be done by regulators and insurers, which have been collaborating more and more on complex challenges that need to be addressed more and more swiftly.