State insurance regulators should work to ensure systems are in place to deal with a terrorist attack, the Government Accountability Office warns.
In a report released today, the GAO says the insurance industry is prepared to recover critical operations promptly following a terrorist attack. But state regulators may not be ready.
GAO recommends state regulators, working through the National Association of Insurance Commissioners and appropriate state officials, ensure they establish capabilities for recovering critical functions if there were a disruption by terrorists.
The report was sought by Rep. Mike Oxley, R-Ohio, chairman of the House Financial Services Committee. It was sent to Rep. Oxley Nov. 18 but released only a month later, in line with GAO policy.
GAO examiners voiced concern that while many state regulators had processes to back up critical data, one had no backup computer systems, one had no business continuity plans and one had neither.
Current federal and state regulations, as well as NAIC examination guidelines, require insurers to have information security programs and business continuity plans but do not require minimum recovery times, GAO explained.
GAO suggested the NAIC act on its decision to have more frequent independent testing of its information security.
Further, the GAO said, state regulators, as they review the adequacy of their examination processes, should consider whether changes are needed to provisions for business continuity, recovery time objectives and outsourcing.
The report says that while a disruption to a large insurer could potentially affect millions of policyholders, “any effects would likely not spread throughout the insurance sector because of limited interdependencies among insurers and, unlike the securities markets, the lack of a single point through which insurance transactions must pass.”