Insurance Sector Preparedness: Insurers Appear Prepared to Recover Critical Operations Following Potential Terrorist Attacks, but Some Issues Warrant Further Review

GAO-06-85 Published: Nov 18, 2005. Publicly Released: Dec 20, 2005.

The insurance sector is a key part of the U.S. financial sector, particularly following a terrorist attack or other disaster where there has been loss of life and damage to property. To determine the insurance sector's preparedness to protect and recover critical insurance operations, GAO was asked to (1) describe the potential effects of disruptions to the operations of insurers, state insurance regulators, and the National Association of Insurance Commissioners (NAIC); (2) identify actions taken by those organizations to protect and restore their operations; and (3) assess the extent to which regulations require reviews of insurer efforts in these areas.


Recommendations for Executive Action

Agency Affected: Other
Recommendation: In order to ensure that state insurance regulators can continue to provide insurers and consumers with important services within a reasonable time following a potential disruption at a state insurance regulator, state regulators, working through NAIC, as well as other appropriate state officials, should take steps to ensure that state insurance regulators implement consistent, appropriate capabilities for recovering critical functions following a potential disruption.
Status: Closed – Implemented
As of July 2009, the National Association of Insurance Commissioners (NAIC) has shared best practices and held training sessions on disaster recovery and business continuity planning with state insurance regulators. In addition, the functions NAIC currently performs related to financial solvency, market regulation, rate and forms filing, producer licensing, company licensing and others in support of key regulatory activities also help ensure states can recover critical functions in times of need.

Agency Affected: Other
Recommendation: In addition, in order to help ensure that NAIC continues to adequately protect its information systems, NAIC should follow through with its commitment to have an independent organization more frequently test NAIC's information security controls and the overall vulnerability of its computer environment.
Status: Closed – Implemented
As of July 2009, the National Association of Insurance Commissioners (NAIC) has implemented independent audits to ensure NAIC periodically tests its information security systems.

Agency Affected: Other
Recommendation: Finally, although we visited a limited number of state insurance regulators, and did not observe any specific problems as a result of current examination guidelines and practices, state regulators, working through NAIC, should use their regular review of the adequacy of state examination guidelines and practices as an opportunity to consider whether any changes are warranted to (1) the manner and extent to which current examinations review insurers' business continuity capabilities, including the placement of business continuity within the examination guidelines and the minimum recovery time objectives for certain insurer services; and (2) current examination guidelines and practices related to the review of insurers' outsourcing of critical functions.
Status: Closed – Implemented
As of July 2009, the National Association of Insurance Commissioners (NAIC) has recognized the need for regulators to review insurers' business impact analyses to determine through examination processes whether the maximum recovery times companies set for themselves appear appropriate. Similarly, if critical functions are being outsourced and examiners determine that evidence provided by the company in the Service Provider Questionnaire is inadequate for reliance, NAIC's position is that the examiner should consider a visit to the outsourcing location for further examination. In 2008, additional guidance was added to the NAIC Financial Condition Examiners Handbook to assist state financial examiners in assessing the effectiveness of an insurer's processes over business continuity planning and outsourcing of critical functions. If weaknesses are found in an insurer's processes in these areas, the examination team will be expected to resolve these issues either through informal recommendations to the insurer, formal recommendations (through the use of a management letter), or through findings to be included in an examination report (if the weakness is determined to be significant enough for such inclusion).
