State insurance regulators should work to ensure systems are in place to deal with a terrorist attacks, the Government Accountability Office warns.[@@]

In a report released today, the GAO says the insurance industry is prepared to recover critical operations promptly following a terrorist attack. But state regulators may not be ready.

GAO recommends state regulators, working through the National Association of Insurance Commissioners and appropriate state officials, ensure they establish capabilities for recovering critical functions if there were a disruption by terrorists.

The report was sought by Rep. Mike Oxley, R-Ohio, chairman of the House Financial Services Committee. It was sent to Rep. Oxley Nov. 18 but released only a month later, in line with GAO policy.

GAO examiners voiced concern that while many state regulators had processes to back up critical data, one had no backup computer systems, one had no business continuity plans and one had neither.

Current federal and state regulations, as well as NAIC examination guidelines, require insurers to have information security programs and business continuity plans but do not require minimum recovery times, GAO explained.

GAO suggested the NAIC act on its decision to have more frequent independent testing of its information security.

Further, the GAO said, state regulators, as they review the adequacy of their examination processes, consider whether changes are needed to provisions for business continuity, recovery time objectives and outsourcing.

The report says that while a disruption to a large insurer could potentially affect millions of policyholders, “any effects would likely not spread throughout the insurance sector because of limited interdependencies among insurers and, unlike the securities markets, the lack of a single point through which insurance transactions must pass.”

The report also said while state insurance regulators and the NAIC provide important services to consumers and insurers, “such services are generally not time-sensitive, and a disruption of 1 or 2 weeks would not have a significant effect.”

For insurers, precautions typically included establishing geographically dispersed backup sites and conducting critical operations at a variety of geographically dispersed facilities.

Among life insurers, the highest priority was generally to recover investment and cash management functions, while among health insurers it was customer service and claims processing, GAO said.

Most insurers said they could recover their highest priority operations within 1 day and most other operations within 3 days.

As for its concerns about NAIC policies, GAO noted state insurance examinations review information security and business continuity as part of the larger objective of reviewing insurers’ internal controls and insurer solvency. But they do not require insurers to meet specific recovery objectives.

While state regulators had informal expectations that insurers would recover certain critical operations, such as claims processing, within 2 days after a disruption, “half of the insurers GAO spoke with had set recovery goals for their claims processing operations that would appear not to meet these expectations,” the report states.

The GAO also said that it is not clear whether current examination guidelines and practices adequately address the trend among insurers to outsource certain functions, especially information technology functions.

“For example,” the report said, “some of the insurers GAO spoke with were outsourcing their computer system backup functions or portions of their claims-processing operations, but only one of the regulators said they had ever conducted audit work at such a service provider.”