New York Requests Preparedness Plans to Manage COVID-19 Risk

This Letter requests that each insurance entity regulated by the NYDFS create and submit to the NYDFS at insurance.covid19@dfs.ny.gov as soon as possible, and no later than 30 days from the date of the Letter (i.e., April 9, 2020), a response describing the regulated entity’s plans of preparedness to manage the risk of disruption to its operations, and the financial risk to the entity, arising from COVID-19.

A regulated entity’s preparedness plan should be sufficiently flexible to effectively address a range of possible effects that could result from COVID-19 and reflect the entity’s size, complexity, and activities. The entity’s plan, at a minimum, should include the following:

1. Preventative measures tailored to the entity’s specific profile and operations to mitigate the risk of operational disruption, which should include identifying the impact on consumers and vendors;
2. A documented strategy addressing the impact of the outbreak in stages, so that the entity’s efforts can be appropriately scaled, consistent with the effects of a particular stage of the outbreak;
3. Assessment of facilities, systems, policies, and procedures necessary to continue critical operations and services if members of the staff are unavailable for longer periods or are working off-site, including the effectiveness and security of remote access;
4. Employee protection strategies, critical to sustaining an adequate workforce during the outbreak, including employee awareness and steps that employees can take to reduce the likelihood of contracting COVID-19;
5. Assessment of the preparedness of critical third-party service providers and suppliers;
6. Development of a communication plan to effectively communicate with consumers and vendors, and to deliver important news and instructions to employees, along with establishing forums for questions to be asked and addressed;
7. Testing of the plan to ensure that the policies, processes, and procedures are effective; and
8. Governance and oversight of the plan, including identifying the critical members of a response team, to ensure ongoing review and updates to the plan, including the tracking of relevant information from government sources and the entity’s own monitoring program.

Circular Letter No. 5 also notes that, from a financial perspective, regulated entities may be impacted by COVID-19 in a number of ways. For example, regulated entities may be exposed, as a result of the impact of the virus on consumers, counterparties, and vendors, to declining revenues, stock market declines and interest rate changes, increased claims, increased credit risks and defaults, supply chain and service disruptions, and decreases in the value of assets and investments. Accordingly, to ensure that a regulated entity’s risk management programs include a plan to assess and monitor the financial risk that may arise from COVID-19, its preparedness plan should at least include the following assessments:

1. Assessment of the overall impact of COVID-19 on reserve requirements, consumers’ ability to make timely premium payments, and resources required to timely process claims;
2. Assessment of the credit risk of counterparties and business sectors impacted by COVID-19;
3. Assessment of the credit exposure to counterparties and business sectors impacted by COVID-19 arising from investing and other financial transactions;
4. Assessment of the scope and the size of admitted assets or other investments adversely impacted by COVID-19 that currently are in, or potentially may move to, non-performing/delinquent status, including consideration of stress testing and/or sensitivity analysis of such assets or investments;
5. Assessment of the valuation of assets and investments that may be, or have been, impacted by COVID-19; and
6. Assessment of the overall impact of COVID-19 on earnings, profits, capital, and liquidity.

The board of directors or the equivalent of each regulated entity is responsible for ensuring that appropriate plans are in place and that sufficient resources are allocated to implement such plans. The senior management of each regulated entity is responsible for ensuring that effective policies, processes, and procedures are in place to execute the plan, and for communicating the plan throughout the entity to ensure consistency in approach so that employees understand their roles and responsibilities.

We note that the preparedness plan filing required by Insurance Circular Letter No. 5 is separate and apart from the NYDFS cybersecurity filing requirements, which were recently modified by order of the NYDFS as a result of COVID-19. Due to the outbreak of COVID-19, the deadline for Certification of Compliance for calendar year 2019 has been extended from its original deadline of April 15, 2020, to June 1, 2020. All Covered Entities and licensed persons who are not fully exempt from the cybersecurity regulations are required to submit a Certification of Compliance no later than June 1, 2020, attesting to their compliance for the 2019 calendar year.