Insurance Sector Preparedness: Insurers Appear Prepared to Recover Critical Operations Following Potential Terrorist Attacks, but Some Issues Warrant Further Review

GAO-06-85 November 18, 2005
Highlights Page (PDF)   Full Report (PDF, 42 pages)   Accessible Text   Recommendations (HTML)

Summary

The insurance sector is a key part of the U.S. financial sector, particularly following a terrorist attack or other disaster where there has been loss of life and damage to property. To determine the insurance sector's preparedness to protect and recover critical insurance operations, GAO was asked to (1) describe the potential effects of disruptions to the operations of insurers, state insurance regulators, and the National Association of Insurance Commissioners (NAIC); (2) identify actions taken by those organizations to protect and restore their operations; and (3) assess the extent to which regulations require reviews of insurer efforts in these areas.

Adequate business continuity capabilities are necessary to prevent terrorist attacks or natural disasters from severely disrupting the operations of large insurers and leaving the companies unable to provide important services to policyholders when needed. And while a disruption to a large insurer could potentially affect millions of policyholders, any effects would likely not spread throughout the insurance sector because of limited interdependencies among insurers and, unlike the securities markets, the lack of a single point through which insurance transactions must pass. Further, while state insurance regulators and NAIC provide important services to consumers and insurers, such services are generally not time sensitive and a disruption of 1 or 2 weeks would not have a significant effect. All of the 18 insurers and most of the five state regulators GAO spoke with, as well as NAIC, indicated that they had taken actions designed to protect their operations from disruption and recover critical operations should a disruption occur. For insurers, these actions typically included establishing geographically dispersed backup sites and conducting critical operations at multiple geographically dispersed facilities. Among property/casualty and life insurers, the highest priority was generally to recover investment and cash management functions, while among health insurers it was customer service and claims processing. Most insurers said they could recover their highest priority operations within 1 day, and most other operations within 3 days. While all of the state regulators GAO spoke with had processes in place to back up critical data, one had no backup computer systems, one had no business continuity plans, and one had neither. NAIC has also taken steps to protect critical data and has implemented business continuity capabilities designed to recover critical operations within 24 hours. 
Current federal and state regulations, as well as NAIC examination guidelines, require insurers to have information security programs and business continuity plans, but do not require minimum recovery times. For example, state insurance examinations review information security and business continuity as part of the larger objective of reviewing insurers' internal controls and insurer solvency, and do not require insurers to meet specific recovery objectives. However, while state regulators stated they had informal expectations that insurers would recover certain critical operations, such as claims processing, within 2 days after a disruption, half of the insurers GAO spoke with had set recovery goals for their claims processing operations that would appear not to meet these expectations. Further, it is not clear whether current examination guidelines and practices adequately address the trend among insurers to outsource certain functions, especially information technology functions. For example, some of the insurers GAO spoke with were outsourcing their computer system backup functions or portions of their claims-processing operations, but only one of the regulators said they had ever conducted audit work at such a service provider.
Recommendations

Our recommendations from this work are listed below with a contact for more information. Status will change from "In process" to "Implemented" or "Not implemented" based on our follow-up work.

Director: Orice M. Williams
Team: Government Accountability Office: Financial Markets and Community Investment
Phone: (202) 512-5837

Recommendations for Executive Action

Recommendation: In order to ensure that state insurance regulators can continue to provide insurers and consumers with important services within a reasonable time following a potential disruption at a state insurance regulator, state regulators, working through NAIC, as well as other appropriate state officials, should take steps to ensure that state insurance regulators implement consistent, appropriate capabilities for recovering critical functions following a potential disruption.

Agency Affected: National Association of Insurance Commissioners

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: In addition, in order to help ensure that NAIC continues to adequately protect its information systems, NAIC should follow through with its commitment to have an independent organization more frequently test NAIC's information security controls and the overall vulnerability of its computer environment.

Agency Affected: National Association of Insurance Commissioners

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: Finally, although we visited a limited number of state insurance regulators, and did not observe any specific problems as a result of current examination guidelines and practices, state regulators, working through NAIC, should use their regular review of the adequacy of state examination guidelines and practices as an opportunity to consider whether any changes are warranted to (1) the manner and extent to which current examinations review insurers' business continuity capabilities, including the placement of business continuity within the examination guidelines and the minimum recovery time objectives for certain insurer services; and (2) current examination guidelines and practices related to the review of insurers' outsourcing of critical functions.

Agency Affected: National Association of Insurance Commissioners

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.