Preproposal statement of inquiry was filed as WSR 10-13-142.
Title of Rule and Other Identifying Information: Business continuity plans for domestic insurers.
Hearing Location(s): OIC Tumwater Office, Training Room 120, 5000 Capitol Boulevard, Tumwater, WA, http://www.insurance.wa.gov/about/directions.shtml, on September 27, 2010, at 10:00 a.m.
Date of Intended Adoption: November 1, 2010.
Submit Written Comments to: Kacy Scott, P.O. Box 40258, Olympia, WA 98504-0258, e-mail email@example.com, fax (360) 586-3106, by September 26, 2010.
Assistance for Persons with Disabilities: Contact Lorie Villaflores by September 26, 2010, TTY (360) 586-0241 or (360) 725-7087.
Purpose of the Proposal and Its Anticipated Effects, Including Any Changes in Existing Rules: A business continuity plan establishes and identifies procedures that an insurer must comply with to ensure that the insurer is able [to] meet its existing obligations to policyholders in the event of a local, state, or national emergency.
The commissioner considered relevant standards adopted by the National Association of Insurance Commissioners, other states, and other regulatory authorities that regulate financial institutions in the drafting [of] these proposed rules.
Reasons Supporting Proposal: RCW 48.07.205, enacted during the 2009 legislative session, requires the commissioner to adopt by rule the standards for domestic insurers to follow in the preparation of their business continuity plans.
Statutory Authority for Adoption: RCW 48.02.060 and 48.07.205.
Statute Being Implemented: RCW 48.07.205.
Rule is not necessitated by federal law, federal or state court decision.
Name of Proponent: Mike Kreidler, insurance commissioner, governmental.
Name of Agency Personnel Responsible for Drafting: John Jacobson, P.O. Box 40255, Olympia, WA 98504-0255, (206) 389-2911; Implementation and Enforcement: Jim Odiorne, P.O. Box 40255, Olympia, WA 98504-0255, (360) 725-7214.
No small business economic impact statement has been prepared under chapter 19.85 RCW. Many insurers already have adopted business continuity plans as an important and necessary business practice in order to meet the requirements of clients or investors. Based on industry estimates, the cost of putting together a business continuity plan in order to comply with this proposed business continuity rule will be a minor cost - less than 0.3% of annual revenues - even for those domestic insurers who fit the definition of small business under RCW 19.85.020. Making a business continuity plan operational on an annual basis, whether through use of internal company resources or contracting with external resources, also appears to be possible within the minor cost definition found in RCW 19.85.020. Therefore, in accordance with RCW 19.85.030, no SBEIS statement is required.
A cost-benefit analysis is required under RCW 34.05.328. A preliminary cost-benefit analysis may be obtained by contacting Kacy Scott, P.O. Box 40258, Olympia, WA 98504-0258, phone (360) 725-7041, fax (360) 586-3109, e-mail firstname.lastname@example.org.
August 18, 2010
BUSINESS CONTINUITY PLANS
WAC 284-16-700 Definitions. For purposes of this regulation, the following definitions apply:
(1) "Financially significant activities and applications" means computer software, including system programs and application programs, which are used to perform automated processing of a financially significant account balance or set of transactions. This includes financially significant e-business systems.
(2) "Regulatory reporting" includes filing of quarterly and annual statements, holding company filings, submission of financial payments for fees and taxes, rate and form filings and licensing appointments and renewals.
(a) Enable the insurer to meet its existing obligations to insurance beneficiaries, policyholders, claimants, subscribers;
(b) Address the insurer's existing relationships with affiliates, third-party service providers, the National Association of Insurance Commissioners and the office of insurance commissioner; and
(c) Be made available upon request to the office of insurance commissioner.
(2) Each domestic insurer must update its business continuity plan in the event of any material change to the insurer's operations, structure, business or location.
(3) Each domestic insurer must conduct an annual review and test of its business continuity plan to determine whether modification is necessary in light of changes to the insurer's operations, structure, business or location.
(4) The elements that comprise a business continuity plan are flexible and may be tailored to the size and needs of an insurer. Each plan must at a minimum, address:
(a) Data back-up and recovery (hard copy and electronic);
(b) Information system disaster recovery (main site and alternate site);
(c) All financially significant activities and applications;
(d) Restoration priority based upon a business impact analysis;
(e) Alternate communications between policyholders or subscribers and the insurer;
(f) Alternate communications between the insurer, its employees and producers;
(g) Alternate physical location of employees;
(h) Regulatory reporting;
(i) Communications with regulators; and
(j) How the insurer will assure policyholders' prompt access to funds and securities due in the event that the insurer determines that it is unable to continue its business.
(5) If any of the categories in subsection (4) of this section are not applicable, the insurer's business continuity plan does not need to address the category but the insurer's business continuity plan must include the rationale for not including such category. If an insurer relies on an affiliate or third-party service provider for any of the categories in subsection (4) of this section or any financially significant system, application or activities, the insurer's business continuity plan must address this relationship.
(6) Each domestic insurer must clearly describe senior management roles and responsibilities associated with the declaration of an emergency and implementation of the business continuity plan.
(7) Each domestic insurer must designate a member of senior management to approve the plan and he or she shall be responsible for conducting the required annual review and test.