Kathleen McCain Education Committee Co-Chair IAIR ISSUES FORUM - - PowerPoint PPT Presentation

Kathleen McCain Education Committee Co-Chair

IAIR ISSUES FORUM

Risk Corridor Litigation/Options Denver, CO. April 9, 2017

Panelists

• Frank O’Loughlin and Cindy Oliver-Lewis Roca Rothgerber Christie-

Moderators

• Mike Conway-Deputy Commissioner of Consumer and Compliance

Service, Colorado Division of Insurance

• Kevin Baldwin-General Counsel and Director of Receivership

Operations, Illinois Office of Special Deputy Receiver

Risk Corridor Agenda

• Litigation Update
• Pros and Cons-
• Class Action Opt-in Decision
• Individual Litigation
• Sale of Risk Corridor Receivable
• Wait and Watch
• Set Off Issues
• Instigate Litigation
• Administrative Appeal

Risk Corridor Litigation Update

• 22 Suits in Federal Claims Court
• Land of Lincoln
• U.S. MTD Granted-Nov. 10, 2016
• On Appeal
• Moda Health
• U.S. MTD Denied
• Moda MSJ Granted-Feb. 9, 2017
• $209 Million Judgment Entered-March 6, 2017
• Appeal Deadline-May 5, 2017

Litigation Update (continued)

• Health Republic Class Action
• Class Definition
• Class Certified-Jan. 3, 2017
• MTD Denied-Feb. 24, 2017
• Health Republic MSJ Filed-March 1, 2017
• Response to MSJ Due-April 12, 2017
• Opt in Decision-May 12, 2017

Class Action Lawsuit

Potential Pros:

• Experienced Law Firm
• The Contingency Fee is 5% or Less of Any Net Recovery
• Favorable Rulings by Court
• Motion for Summary Judgment Filed 3-1-17

Potential Cons:

• Significant Control of the Litigation is Ceded to the Class Action Attorneys
• How to Deal With Estate Offset Issues

Commence Individual Litigation

Potential Pros:

• More Individual Control and Direction of the Litigation.
• Various Firms are Offering to Match Contingency fee of 5%.
• Other Firms Offering Hourly or Fixed Fee Approaches

Potential Cons:

• Assignment of Judge is Unknown-Could be Good or Bad
• Case Not Yet Filed-May be Months to Get MSJ Filed

Sell the Risk Corridor Receivable to Investors

Potential Pros:

• Liquidation of an Illiquid Asset
• The Proceeds Could Be Used to Distribute to Creditors
• May Allow for Earlier Closure of Estate

Potential Cons:

• Substantial Discount Applied to the Risk Corridor Receivable
• Smaller Distribution to Creditors Compared to Full Recovery
• Purchaser Likely to Insist on Receiver Pursuing Litigation

Sit on the Fence

Potential Pros:

• No Fees or Expenses Incurred by Estate
• Not Bound by An Adverse Decision in Class Action
• However, U.S. May be Bound by a Favorable Decision in the Class Action or

Other Action Potential Cons:

• Statute of Limitation issues
• A Litigating Estate May Be in a Better Legal Position if Congress Attempts to

Limit Payments from the Judgment Fund

Set et Off Issue ues Offset Amounts Due to U.S. Against Amounts U.S. Owes Estate

• Notice to U.S.
• Pursue Offset in Receivership Court
• Pursue Offset in Federal Court
• Administrative Appeal-CMS

Discussion

• Questions/Ideas from Audience

Commissioner Marguerite Salazar

Colorado Division of Insurance

James Kennedy

Counsel, Texas Department of Insurance Chair, Receivership Model Law Working Group

Receivership Insolvency Task Force Update

Networking Break

Chad Anderson President Western Guaranty Fund Services

MULTI-STATE GUARANTY ASSOCIATION MANAGEMENT

HISTORY

Paul Gulko Godfather of GFMS

¡ New England Association of Insurance Guaranty Funds

§ 1970 – 1975 Informal arrangement between NH, ME, VT, RI, CT and MA § 1976 – Arrangement was formalized and MA provided support § 1981 GFMS was formed § 1982 DC joined, 1984 VA joined

HISTORY

HISTORY

HISTORY

George Hatchell CIGA Chair 1972-1984 WGFS President 1984-1990

¡ 1980 George Hatchell identifies a need to combine efforts of GAs ¡ 1984 WGFS is formed with Paul Gulko’s help

§ CO, WY, OK, ID, and MT were the charter members

¡ 1985 KS joined WGFS, 1986 OK left, 1995 WA joined, 2014 NE joined ¡ Staff has flexed from 4 in 1999 up to nearly 40 in 2004

HISTORY

HOW’S IT WORK?

Office building since 1991

Western Guaranty Fund Services A Non-Profit Association Providing Management Services for the Guaranty Associations in: Ø Colorado Ø Idaho Ø Kansas Ø Montana Ø Nebraska Ø Washington Ø Wyoming

HOW’S IT WORK? WGFS Boards of Directors

WGFS CIGA IIGA KIGA MIGA WAGA WYGA NPLIGA

GA CASH FLOW

GUARANTY ASSOCIATION BANK AND INVESTMENT ACCOUNTS LOSSES & UNEARNED PREMIUMS PAID TO CLAIMANTS ASSESSMENTS RECEIVED FROM MEMBERS RECOVERIES FROM LIQUIDATORS INTEREST & INCOME FROM INVESTMENTS GENERAL AND ADMINISTRATIVE EXPENSES PAID TO WGFS CLAIM HANDLING EXPENSES PAID TO PROVIDERS

WGFS CASH FLOW

WGFS CHECKING ACCOUNT

GUARANTY ASSOCIATIONS PAY ONE TIME ADVANCE TO WGFS WGFS PAYS ALLOCATED OPERATING EXPENSES FOR THE MONTH WGFS PAYS DIRECT EXPENSES FOR THE MONTH CAPITALIZED EXPENSES - PAID BY WGFS

WGFS CASH FLOW

WGFS CHECKING ACCOUNT

GUARANTY FUNDS REIMBURSE ALLOCATED EXPENSES

GUARANTY FUNDS REIMBURSE FOR DIRECT EXPENSES CAPITALIZED EXPENSES – REIMBURSED IN EQUAL SHARES

BOARD MEETINGS

¡ Life and Health / Property and Casualty

§ GA, MO, IN, WI

¡ State Affiliated

§ AZ, AR, NY . . . . Others?

¡ Other Combinations

§ FL, NJ, SC, NC

¡ OH/WV + OH-Life and Health ¡ Other Life and Health

COST SHARING CONCEPT

¡ GFMS - Guaranty Fund Management Services ¡ WGFS - Western Guaranty Fund Services

COST SHARING CONCEPT CONTINUED

WGFS Provides GA Management for . . . ¡ 7 State Guaranty Associations GFMS Provides GA Management for . . . ¡ 8 State Guaranty Associations ¡ 7 States and DC ¡ 5 States, 2 Commonwealths, and DC

GFMS AND WGFS CONNECTION

MAYBE SOMETHING MORE MEANINGFUL

State U.S. Rank Assessable P & C Premium Virginia 13 11,371,588,849 Massachusetts 12 12,247,003,037 Connecticut 25 7,349,849,021 Maine 44 1,832,434,065 New Hampshire 40 2,101,528,271 Rhode Island 43 1,833,714,336 District of Columbia 49 1,229,213,393 Vermont 50 1,114,009,391 44,596,755,319 Washington 19 9,227,740,495 Colorado 21 8,572,305,568 Kansas 29 5,196,859,941 Nebraska 36 3,376,849,366 Idaho 39 2,209,645,872 Montana 45 1,726,744,060 Wyoming 51 969,004,440 31,279,149,742

P & C INSOLVENCIES

Of the 48 insolvencies since 2010, 11 impacted WGFS states.

P & C INSOLVENCIES

Coordinating Committee Liquidations indicate large, multistate insolvencies.

Significant Estates

• 2000- Superior Cos. $3.4B
• 2001- Reliance $5.35B
• 2002- PHICO $.98B
• 2003- Legion $2.6B Home $2.4B,

Fremont $2.0B

• 2013- Lumbermens $1.4B

CONSOLIDATION AND ECONOMY OF SCALE

JUGGLING

QUESTIONS?

Impact of NAIC Cybersecurity Model Act & NY DFS Cybersecurity 2017

Jenny Jeffers

Jennan Enterprises, LLC

Michael Morrissey

Morrissey Consultants, LLC

2016 Breaches Up Again

Focus: Requirements for Insurers

• What’s new and proposed
• State and Federal regulations
• Trends
• What to know and do?
• Who is affected
• Management changes
• Infrastructure changes
• Incident Response
• Breach response rules

NAIC Model Law Overview

• Definitions: PII, “encryption”, “breach”, “3rd party,

“consumer”

• Licensee Requirements:
• Security Program - but not if one exists in compliance with

state or fed.

• Risk Assessment – the basis for all controls
• Risk Management - including multi-factor authentication,

incident response plan, vendor (3rd Party) oversight.

• “Breach” Reporting

NAIC Model Law – 3rd Parties

“a person or entity, that contracts with a Licensee to maintain, process, store or otherwise have access to Nonpublic Personal Information under the Licensee’s possession, custody or control.” All the same security measures that derive from the risk assessment must include 3rd Parties: agents, brokers, IT vendors. Who else?

NAIC Model Law Breaches – Investigate and Notify

• Defined: “the acquisition of unencrypted Personally

Identifiable Information by an unauthorized person.”

• Responsibility to investigate the breach - including a

breach by 3rd Party

• Notification of Breach
• "within 3 days"
• Consumer Reporting Agencies
• Consumers - by mail and electronic
• Beaches may be reported by insurer or 3rd party
• Reinsurers must also be notified
• Independent producers also notified

State Reg Changes

• NY – First major cybersecurity

regulation for banks and insurers

• 2016 – New breach notification

laws states went into effect in CA, NE, OR, RI, TN

• 20+ other states with proposals

New York’s New Rules

• Effective March 1, 2017, phased in over two years.
• Companies with < $5 million in revenues and < $10 million in assets

are exempt from more costly aspects

• ALL companies must implement and document a security policy and

program.

• Third Parties are included as extensions of the company.
• Compliance attestations with tight breach reporting timelines.
• NY’s law is considered by many to be a baseline for other states.

https://www.governor.ny.gov/sites/governor.ny.gov/files/atoms/files/Cybersecurity_Requirements_Financial_Services_23NYCRR500.pdf

New York: Cybersecurity Policy

• CISO and qualified

individuals

• Risk Assessment
• Records - destroy data,

keep automated logs

• Oversight of 3rd parties
• Multi-factor

authentication

• Compliance attestation
• Control access to data

inside and outside the Co.

• Training of employees
• Annual Penetration Test
• Bi-annual Vulnerability Test
• Incident Response Plan
• Report the Event in 72

hours

NY Phase-In for Non-Exempt Insurers

• March 2018: Pen testing, Risk Assessment, and

multifactor authentication practices must be in place.

• Sept. 2018: Audit trail capabilities, application

security, data retention (five years for financial, three years for non-financial), and encryption.

• Requirements for 3rd parties, phased in over 2 yrs.:
• Identification and risk assessment of 3rd Party Service Providers;
• Cybersecurity practices required to do business with the Insurer
• Due diligence processes to evaluate 3rd Party practices
• Periodic assessment of 3rd Parties based on the risk assessment.

Who’s A Third Party?

“Third Party Service Provider(s) means a Person that

(i)

is not an Affiliate of the Covered Entity,

(ii) (ii) provides services to the Covered Entity, and (iii) (iii) maintains, processes or otherwise is permitted

access to Nonpublic Information through its provision of services to the Covered Entity.”

3rd Party Compliance Challenges

• 3rd Party SP’s access controls, including its use of Multi-

Factor Authentication to limit access to relevant Information Systems and Nonpublic Information;

• 3rd Party SP’s use of encryption as required to protect

Nonpublic Information in transit and at rest;

• Notice in the event of a Cybersecurity Event directly

impacting the Insurer’s Systems or Nonpublic Information being held by the 3rd Party

• Representations and warranties addressing the 3rd Party

Service Provider’s cybersecurity policies and procedures that relate to the security of the Insurer’s Systems or Nonpublic Information.

NY Encryption Standards

• Based on its Risk Assessment, implement

encryption, to protect Nonpublic data held or transmitted over external networks and at rest.

• Should the insurer’s CISO determine that

encryption is infeasible, alternative compensating controls may be applied.

• The CISO must review and recertify such alternative

controls annually

NY Multifactor Authentication

At least two of the following types of authentication factors:

• 1. Knowledge factors, such as a password; or
• 2. Possession factors, such as a token or text

message on a mobile phone; or

• 3. Inherence factors, such as a biometric

characteristic

What’s a Breach ? When is Notification Required?

• Definitions of a breach vary by state; so do notification

requirements

• NY Cybersecurity Event: any act or attempt, successful or

unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System.

• NY Reportable: As required [by law]… OR reasonable

likelihood of harming operations.

• NAIC: “Data Breach” means the acquisition of

unencrypted PII …does not include the unauthorized acquisition of Encrypted Personally Identifiable Information if the encryption, process or key is not also acquired, released or used without authorization.

Comparison

Rule NAIC Exh C NAIC Model NY DFS

CISO in Charge Partial Partial Yes Risk Assessment Yes Yes Yes Encryption with Key Mgt. Partial Yes Yes Data-level access controls No No Yes Audit trails for data No No Yes Log retention Partial No Yes Data retention/destruction Yes Yes Yes Breach/Event Definition* No “Breach “Event” Breach Report 72 hours No Yes Yes

Discussion & Questions ?

Thank You.

Jenny Jeffers

Jennan Enterprises, LLC

Michael Morrissey

Morrissey Consultants, LLC

Revised Professional Designation Program

April 9, 2017

Re Revised Designation Program

• Is

Issues es wit ith Curren ent Des esig ignation ion Prog

• gram

am

• Ob

Objec ectives es/Ben enefi fits of

• f Prop
• pos
• sed

ed Prog

• gram
• El

Elements ts of the the Propo pose sed d Progr gram

• Cu

Current A AIR/CI CIR D Designees a and P Program F Fees

• Co

Continuing E Education A Adju justments

Proposed Designation Program Docu cuments

• Re

Redesigned and Enhanced Designation Program

• IA

IAIR IR Des esig ignation ion Prog

• gram

am Ob Objec ectiv ive e Stan andar ards

• Re

Revised IAIR Designations Program Application

• Dr

Draft IAIR Background Ce Certification Fo Form

• In

Inter ervie iew For

• rma

mat an and Proc

• ced

edure

• CE

CE R Reporting R Requirements a and P Procedure

(T (These d documents c can an be be acces essed ed on n the he “Member embers Onl nly” pa page e of the he IA IAIR IR we website te under “Revised Designation Program Documents”)

ht https:/ ://iair iair.memb member erclic licks.net/p /proposed ed-re revisions-to to-iair iair-de desi signa nations ns-pr program

Is Issues es with Cu Curren ent Des esign gnation Progr gram

• St

Standards s for Desi sign gnation Not Cl Clear

• No

Not t Viewed as Sufficientl tly Rigorous or r Objecti tive

• In

Inad adeq equate e Education ional al Pro rocess for Insura rance Resolutions

• No

No Testi ting Requirement

Object ctives/Benefits of Proposed De Designati tion P Program

• Enhanced Education on Resolutions Exp

xpertise

• Ri

Rigorous us Program and nd Obj bjecti tive Testi ting ng

vDe

Detailed Course Objectives and Materials

vUs

Use of IAIR Subj Subject Matter Ex Expe perts

vPa

Partner with a Re Recognized Academic Institution (U (University of f Connecticut’s Insurance Law Center)

Object ctives/Benefits of Proposed De Designati tion P Program

(c (continued)

• Fi

Financi cially S Self-Su Sustaining

• Pr

Promoting Consistent nt Standards for Administration of In Insuran ance e Res esolu

• lution

ions

El Elements of Propo posed d Designa nation n Program

• Pr

Proposed Designations

vAccr

Accredited Insurance ce Resolutions Direct ctor (AI AIRD RD)

ü Standardized C

Course M Materials

ü Se

Self-Paced S Study P Period

ü In

In-Person R Review C Course ( (Optional)

ü Limited C

Class S Size

ü Standardized T

Test O Offered i in A Accessible L Locations

El Elements of Propo posed d Designa nation n Program

(c (continued)

• Pr

Proposed Designations

vCe

Certified Insurance Resolutions Director (CI CIRD)

ü AIRD D

Designation R Required

ü Experience R

Requirement

ü Interview a

and V Verification o

• f I

IAIR S Standards

ü Specialized D

Designations

Life Non-Life All Lines

□ CIRD-Accounting/Financial Reporting □ CIRD-Accounting/Financial Reporting □ CIRD-Accounting/Financial Reporting □ CIRD-Actuarial □ CIRD-Actuarial □ CIRD-Actuarial □ CIRD-Asset Management □ CIRD-Claims/Guaranty Associations □ CIRD-Claims/Guaranty Associations □ CIRD-Claims/Guaranty Associations □ CIRD-Data Management □ CIRD-Data Management □ CIRD-Data Management □ CIRD-Law □ CIRD-Law □ CIRD-Law □ CIRD-Reinsurance □ CIRD-Reinsurance □ CIRD-Reinsurance □ CIRD-Resolution Management □ CIRD-Resolution Management □ CIRD-Resolution Management

Cu Curren ent Des t Design gnees ees a and F Fees ees

• Cu

Current A AIR/CI CIR D Designees

vGr

Grandfathered for 5 Years

vDi

Discounted Application and Testing g Fees

vRe

Regular Maintenance Fees

Co Conti tinuing E g Educati tion Ad Adjustmen tments ts

• Annua

Annual Repo porti ting ng

• Co

Common R Reporting D Dates

• Co

Continuing E Education T Two-Ye Year Hours Requirement

vSam

Same minim inimum um num numbe ber of ho hour urs

vMi

Minimum 5 hours of IAIR Educational Session(s)

I’m lost, can you go over that again?

• Annual Committee Updates in Philadephia
• Annual Meeting to Elect Officers in Hawaii
• Comments on Items that will be distributed soon:

üProposed Mission Statement üIntroduction of Retired Member Status üProposed Designation Program