Novarica/Locke Lord Webinar: COVID-19, Best Interest Industry Sales Standards, and Third-Party Risk Management

Novarica and Locke Lord’s recent quarterly webinar on regulatory changes affecting insurance technology discussed changes stemming from the pandemic, emerging state “best interest” industry sales standards, and third-party risk management. Following certain technology best practices will help insurers keep abreast of these and future regulatory changes.

COVID-19 Legal/Regulatory Changes in Insurance Technology

The insurance industry, regulators, and legislators have taken, or are considering, several remedial actions in response to COVID-19. Responses have included restrictions on collections, cancellations, and the use of credit scores for underwriting if these were affected by the pandemic. Some states have mandated premium refunds. The courts are also looking into business interruption coverage disputes, liability immunity cases, and COVID-related workers’ compensation claims. On the plus side, regulators are working to enable remote electronic notarization and virtual claims adjusting.

Insurers must consider the end-to-end processes behind customer interactions during the pandemic. They will also need to consider how to up-skill or re-skill people, convert remaining “analog” processes in a way that complies with regulations when most are working from home, and accelerate the use of analytics, AI, and machine learning to reduce loss expense while remaining compliant with new regulations.

Emerging State Best Interest Industry Sales Standards

“Suitability” and “best interest” regulations have changed repeatedly since 2003. Since the DOL’s Fiduciary Rule was struck down in 2018, state insurance regulators have been playing catch up to ensure that consumers remain protected during the sale of certain life insurance and annuity products. Amendments to NYS Reg. 187 require life insurance and annuity recommendations issued in NY to be in the best interest of the consumer. The NAIC Model Act, though less stringent than NY Reg. 187, still requires producer and insurer recommendations to be “suitable” and in the best interest of consumers.

As states adopt “best interest” regulations, how insurers manage data, security, and books and records systems will be key to compliance. Regulations also allow consumers to know what data organizations are collecting and to adjust it. This requires data to be identifiable to a person, which in turn requires insurers to encrypt, transmit, and store it properly.

These requirements, coupled with the sheer volume of data, create security challenges that insurers must tackle proactively.

Third-Party Risk Management: NY DFS and the NAIC Model

It is not always easy to determine which entities qualify as third-party service providers (TPSPs). Insurers must scrutinize contracts for provisions that would grant access to non-public information (NPI). The NY DFS Reg. and NAIC Model contain varying provisions for managing third-party risk. Insurers must ask, “Who is in scope?” by examining the definitions in the NY DFS Reg. and the NAIC Model.

Insurers cannot take the position that an organization is not a TPSP because it does not have access to NPI if the contract states otherwise. Insurers should also consider the volume and sensitivity of NPI that the TPSP holds or can access and conduct due diligence accordingly. Once these steps are complete, they should carefully consider contractual provisions specific to cybersecurity risk and, in many cases, monitor and audit TPSPs for compliance.

CIOs should include auditing and indemnification clauses in contracts with TPSPs. CIOs and CISOs must also mind the necessary provisions within their organizations and among their distribution networks. For example, they should perform event simulations that include representatives of third-party organizations. Independent agents must comply with NYS regulations and perform their own filings with their own infrastructure, all of which should be in scope from a security and data perspective.

Finally, insurers should consider updating distribution agreements to mandate multi-factor authentication, data encryption at rest and in transit, and audit log proof that they treat NPI and PII confidentially.

For more information on these topics, check out the most recent Novarica/Locke Lord joint report: Insurance Technology Strategy and Regulatory Compliance, Vol. 4, and view the recorded webinar here.
