(1) Each domestic insurer must create and maintain a written business continuity plan identifying procedures relating to a local, state or national emergency or significant business disruption. Such procedures must be reasonably designed to:
(a) Enable the insurer to meet its existing obligations to insurance beneficiaries, policyholders, claimants, subscribers;
(b) Address the insurer's existing relationships with affiliates, third-party service providers, the National Association of Insurance Commissioners and the office of insurance commissioner; and
(c) Be made available upon request to the office of insurance commissioner.
(2) Each domestic insurer must update its business continuity plan in the event of any material change to the insurer's operations, structure, business or location.
(3) Each domestic insurer must conduct an annual review and test of its business continuity plan to determine whether modification is necessary in light of changes to the insurer's operations, structure, business or location.
(4) The elements that comprise a business continuity plan are flexible and may be tailored to the size and needs of an insurer. Each plan must, at a minimum, address:
(a) Data back-up and recovery (hard copy and electronic);
(b) Information system disaster recovery (main site and alternate site);
(c) All financially significant activities and applications;
(d) Restoration priority based upon a business impact analysis;
(e) Alternate communications between policyholders or subscribers and the insurer;
(f) Alternate communications between the insurer, its employees and producers;
(g) Alternate physical location of employees;
(h) Regulatory reporting;
(i) Communications with regulators; and
(j) How the insurer will assure policyholders' prompt access to funds and securities due in the event that the insurer determines that it is unable to continue its business.
(5) If any of the categories in subsection (4) of this section are not applicable, the insurer's business continuity plan does not need to address the category but the insurer's business continuity plan must include the rationale for not including such category. If an insurer relies on an affiliate or third-party service provider for any of the categories in subsection (4) of this section or any financially significant system, application or activities, the insurer's business continuity plan must address this relationship.
(6) Each domestic insurer must clearly describe senior management roles and responsibilities associated with the declaration of an emergency and implementation of the business continuity plan.
(7) Each domestic insurer must designate a member of senior management to approve the plan and he or she shall be responsible for conducting the required annual review and test.