Insurance Sector Preparedness:

Insurers Appear Prepared to Recover Critical Operations Following Potential Terrorist Attacks, but Some Issues Warrant Further Review

GAO-06-85: Published: Nov 18, 2005. Publicly Released: Dec 20, 2005.

Contact:

Orice M. Williams
(202) 512-5837
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The insurance sector is a key part of the U.S. financial sector, particularly following a terrorist attack or other disaster where there has been loss of life and damage to property. To determine the insurance sector's preparedness to protect and recover critical insurance operations, GAO was asked to (1) describe the potential effects of disruptions to the operations of insurers, state insurance regulators, and the National Association of Insurance Commissioners (NAIC); (2) identify actions taken by those organizations to protect and restore their operations; and (3) assess the extent to which regulations require reviews of insurer efforts in these areas.

Adequate business continuity capabilities are necessary to prevent terrorist attacks or natural disasters from severely disrupting the operations of large insurers and leaving the companies unable to provide important services to policyholders when needed. And while a disruption to a large insurer could potentially affect millions of policyholders, any effects would likely not spread throughout the insurance sector because of limited interdependencies among insurers and, unlike the securities markets, the lack of a single point through which insurance transactions must pass. Further, while state insurance regulators and NAIC provide important services to consumers and insurers, such services are generally not time sensitive and a disruption of 1 or 2 weeks would not have a significant effect.

All of the 18 insurers and most of the five state regulators GAO spoke with, as well as NAIC, indicated that they had taken actions designed to protect their operations from disruption and recover critical operations should a disruption occur. For insurers, these actions typically included establishing geographically dispersed backup sites and conducting critical operations at multiple geographically dispersed facilities. Among property/casualty and life insurers, the highest priority was generally to recover investment and cash management functions, while among health insurers it was customer service and claims processing. Most insurers said they could recover their highest priority operations within 1 day, and most other operations within 3 days. While all of the state regulators GAO spoke with had processes in place to back up critical data, one had no backup computer systems, one had no business continuity plans, and one had neither. NAIC has also taken steps to protect critical data and has implemented business continuity capabilities designed to recover critical operations within 24 hours.

Current federal and state regulations, as well as NAIC examination guidelines, require insurers to have information security programs and business continuity plans, but do not require minimum recovery times. For example, state insurance examinations review information security and business continuity as part of the larger objective of reviewing insurers' internal controls and insurer solvency, and do not require insurers to meet specific recovery objectives. However, while state regulators stated they had informal expectations that insurers would recover certain critical operations, such as claims processing, within 2 days after a disruption, half of the insurers GAO spoke with had set recovery goals for their claims processing operations that would appear not to meet these expectations. Further, it is not clear whether current examination guidelines and practices adequately address the trend among insurers to outsource certain functions, especially information technology functions. For example, some of the insurers GAO spoke with were outsourcing their computer system backup functions or portions of their claims-processing operations, but only one of the regulators said they had ever conducted audit work at such a service provider.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: As of July 2009, the National Association of Insurance Commissioners (NAIC) has shared best practices and held training sessions on disaster recovery and business continuity planning with state insurance regulators. In addition, the functions NAIC currently performs related to financial solvency, market regulation, rate and forms filing, producer licensing, company licensing and others in support of key regulatory activities also help ensure states can recover critical functions in times of need.

    Recommendation: In order to ensure that state insurance regulators can continue to provide insurers and consumers with important services within a reasonable time following a potential disruption at a state insurance regulator, state regulators, working through NAIC, as well as other appropriate state officials, should take steps to ensure that state insurance regulators implement consistent, appropriate capabilities for recovering critical functions following a potential disruption.

    Agency Affected: National Association of Insurance Commissioners

  2. Status: Closed - Implemented

    Comments: As of July 2009, the National Association of Insurance Commissioners (NAIC) has implemented independent audits to ensure NAIC periodically tests its information security systems.

    Recommendation: In addition, in order to help ensure that NAIC continues to adequately protect its information systems, NAIC should follow through with its commitment to have an independent organization more frequently test NAIC's information security controls and the overall vulnerability of its computer environment.

    Agency Affected: National Association of Insurance Commissioners

  3. Status: Closed - Implemented

    Comments: As of July 2009, the National Association of Insurance Commissioners (NAIC) has recognized the need for regulators to review insurers' business impact analyses to determine through examination processes whether the maximum recovery times companies set for themselves appear appropriate. Similarly, if critical functions are being outsourced and examiners determine that evidence provided by the company in the Service Provider Questionnaire is inadequate for reliance, NAIC's position is that the examiner should consider a visit to the outsourcing location for further examination. In 2008, additional guidance was added to the NAIC Financial Condition Examiners Handbook to assist state financial examiners in assessing the effectiveness of an insurer's processes over business continuity planning and outsourcing of critical functions. If weaknesses are found in an insurer's processes in these areas, the examination team will be expected to resolve these issues either through informal recommendations to the insurer, formal recommendations (through the use of a management letter), or through findings to be included in an examination report (if the weakness is determined to be significant enough for such inclusion).

    Recommendation: Finally, although we visited a limited number of state insurance regulators, and did not observe any specific problems as a result of current examination guidelines and practices, state regulators, working through NAIC, should use their regular review of the adequacy of state examination guidelines and practices as an opportunity to consider whether any changes are warranted to (1) the manner and extent to which current examinations review insurers' business continuity capabilities, including the placement of business continuity within the examination guidelines and the minimum recovery time objectives for certain insurer services; and (2) current examination guidelines and practices related to the review of insurers' outsourcing of critical functions.

    Agency Affected: National Association of Insurance Commissioners

 
