PERMANENT RULES
INSURANCE COMMISSIONER
Effective Date of Rule: January 1, 2011.
Purpose: The purpose of this new rule is to explain to domestic insurers the standards that they must follow in the preparation of their business continuity plans as required by RCW 48.07.205. The commissioner considered relevant standards adopted by the National Association of Insurance Commissioners, other states, and other regulatory authorities that regulate financial institutions in the development of this new rule.
Statutory Authority for Adoption: RCW 48.02.060 and 48.07.205.
Adopted under notice filed as WSR 10-17-109 on August 18, 2010.
A final cost-benefit analysis is available by contacting Kacy Scott, P.O. Box 40258, Olympia, WA 98504-0258, phone (360) 725-7041, fax (360) 586-3109, e-mail kacys@oic.wa.gov.
Number of Sections Adopted in Order to Comply with Federal Statute: New 0, Amended 0, Repealed 0; Federal Rules or Standards: New 0, Amended 0, Repealed 0; or Recently Enacted State Statutes: New 1, Amended 0, Repealed 0.
Number of Sections Adopted at Request of a Nongovernmental Entity: New 0, Amended 0, Repealed 0.
Number of Sections Adopted on the Agency's Own Initiative: New 0, Amended 0, Repealed 0.
Number of Sections Adopted in Order to Clarify, Streamline, or Reform Agency Procedures: New 0, Amended 0, Repealed 0.
Number of Sections Adopted Using Negotiated Rule Making: New 0, Amended 0, Repealed 0; Pilot Rule Making: New 0, Amended 0, Repealed 0; or Other Alternative Rule Making: New 1, Amended 0, Repealed 0.
Date Adopted: November 1, 2010.
Mike Kreidler
Insurance Commissioner
OTS-3428.4
BUSINESS CONTINUITY PLANS
NEW SECTION
WAC 284-16-700
Definitions.
For purposes of this
regulation, the following definitions apply:
(1) "Financially significant activities and applications" means computer software, including system programs and application programs, which are used to perform automated processing of a financially significant account balance or set of transactions. This includes financially significant e-business systems.
(2) "Regulatory reporting" includes filing of quarterly and annual statements, holding company filings, submission of financial payments for fees and taxes, rate and form filings and licensing appointments and renewals.
[]
(a) Enable the insurer to meet its existing obligations to insurance beneficiaries, policyholders, claimants, subscribers;
(b) Address the insurer's existing relationships with affiliates, third-party service providers, the National Association of Insurance Commissioners and the office of insurance commissioner; and
(c) Be made available upon request to the office of insurance commissioner.
(2) Each domestic insurer must update its business continuity plan in the event of any material change to the insurer's operations, structure, business or location.
(3) Each domestic insurer must conduct an annual review and test of its business continuity plan to determine whether modification is necessary in light of changes to the insurer's operations, structure, business or location.
(4) The elements that comprise a business continuity plan are flexible and may be tailored to the size and needs of an insurer. Each plan must at a minimum, address:
(a) Data back-up and recovery (hard copy and electronic);
(b) Information system disaster recovery (main site and alternate site);
(c) All financially significant activities and applications;
(d) Restoration priority based upon a business impact analysis;
(e) Alternate communications between policyholders or subscribers and the insurer;
(f) Alternate communications between the insurer, its employees and producers;
(g) Alternate physical location of employees;
(h) Regulatory reporting;
(i) Communications with regulators; and
(j) How the insurer will assure policyholders' prompt access to funds and securities due in the event that the insurer determines that it is unable to continue its business.
(5) If any of the categories in subsection (4) of this section are not applicable, the insurer's business continuity plan does not need to address the category but the insurer's business continuity plan must include the rationale for not including such category. If an insurer relies on an affiliate or third-party service provider for any of the categories in subsection (4) of this section or any financially significant system, application or activities, the insurer's business continuity plan must address this relationship.
(6) Each domestic insurer must clearly describe senior management roles and responsibilities associated with the declaration of an emergency and implementation of the business continuity plan.
(7) Each domestic insurer must designate a member of senior management to approve the plan and he or she shall be responsible for conducting the required annual review and test.
[]