Insurance Circular Letter No. 9 (2022)

July 22, 2022

TO:

All Domestic Insurers and Licensed U.S. Branches of Alien Insurers Entered Through New York State

RE:

Storing Books and Records Through Electronic Means, Including in the Cloud

STATUTORY AND REGULATORY REFERENCES: N.Y. Insurance Law §§ 310 and 325; 11 NYCRR Part 243 (Insurance Regulation 152); and 23 NYCRR Part 500

I. Purpose

Domestic insurers and licensed U.S. branches of alien insurers entered through New York State (collectively, “insurers”) are increasingly conducting business and storing their books and records electronically, including storing their charters, by-laws, and books of account in the cloud, on an internal server hosted by the insurer or one of its affiliates, or externally with a third-party service provider. The purpose of this circular letter is to advise insurers that they may store their books and records electronically, including in the cloud, on an internal server hosted by the insurer or one of its affiliates, or externally with a third-party provider, if such books and records are easily accessible from the insurer’s New York State principal office and the insurer meets certain other requirements, including compliance with all applicable state and federal laws and regulations, such as Insurance Law §§ 310 and 325 and 11 NYCRR Part 243 (Insurance Regulation 152) and 23 NYCRR Part 500.

II. Background

Insurance Law § 325(a) requires an insurer to keep and maintain at its principal office in New York State its charter and by-laws (in the case of a U.S. branch, a copy thereof) and its books of account.1 Section 325(a) also requires a domestic stock corporation to keep and maintain at such office a record containing the names and addresses of its shareholders, the number and class of shares held by each, and the dates when they respectively became the owners of record thereof. In addition, § 325(a) requires a domestic corporation to keep and maintain at its principal office the minutes of any meetings of its shareholders, policyholders, board of directors, and committees thereof. However, Insurance Law § 325(b) permits an insurer to keep and maintain its books of account outside New York State if, in accordance with a plan adopted by its board of directors and approved by the Superintendent of Financial Services (“Superintendent”), it maintains in New York State suitable records in lieu thereof.

Insurance Law § 310(a)(2) requires an insurer to give the New York State Department of Financial Services (“Department”) convenient access at all reasonable hours to the books, records, files, securities, and other documents of the insurer, including those of any affiliated or subsidiary companies thereof, that are relevant to an examination.

Furthermore, 11 NYCRR § 243.2(a) provides that in addition to any other requirement contained in Insurance Law § 325, an insurer must maintain its claims, rating, underwriting, marketing, complaint, financial, and producer licensing records, and such other records subject to examination by the Superintendent, in accordance with the provisions of Part 243. Section 243.3(c) requires an insurer to establish and maintain a records retention plan. The plan must include a description of the types of records being retained, the method of retention, and the safeguards established to prevent alteration of the records, and the insurer must provide the plan to the Superintendent upon request.

Under 11 NYCRR § 243.3(a), an insurer may maintain records and indices of records required to be maintained under Part 243 in any durable medium. 11 NYCRR § 243.1(c) defines “durable medium” as “a medium for maintaining a record where the properties of such medium provide reasonable assurances against tampering with the information contained in the original and degradation of any reproduction generated, and where the reproduction is an exact copy of the original. The medium may include paper; facsimile; or photographic, micrographic, magnetic, optical, mechanical or electronic media.” Electronic records constitute a “durable medium” that is an acceptable means of record retention under 11 NYCRR 243 so long as they are easily accessible from the insurer’s principal New York State office. See Office of General Counsel Opinion No. 09-04-07 (April 16, 2009).

11 NYCRR § 243.3(a) further provides that upon transfer of an original record to a durable medium, the insurer may destroy the original record after assuring that all information contained in the original record, including signatures, handwritten notations, and pictures, is contained in the durable medium. If the insurer does not retain the original paper record, or if there was no original paper record, the insurer must establish a duplicate or back-up system sufficient to permit reconstruction of the record at a separate location. The insurer may retain the record in any form permitted by Part 243.

In addition, an insurer must assess whether any storage service being used is set up securely and in compliance with the cybersecurity requirements set forth in 23 NYCRR Part 500 and applicable related guidance. These requirements or considerations include implementing a cybersecurity program and cybersecurity policies pursuant to §§ 500.2 and 500.3, a third-party service provider security policy pursuant to § 500.11, multifactor authentication for all externally exposed enterprise and third-party applications, such as cloud storage services, pursuant to § 500.12, and policies and procedures for the secure disposal on a periodic basis of any nonpublic information that is no longer necessary for business operations or for other legitimate business purposes of the insurer, except where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained, pursuant to § 500.13. Furthermore, insurers must encrypt nonpublic information during transmission and at rest pursuant to § 500.15.

III. Discussion

An insurer may store its books and records specified in Insurance Law § 325 electronically, including in the cloud, on an internal server hosted by the insurer or one of its affiliates, or externally with a third-party service provider so long as they are easily accessible from the insurer’s New York State principal office and the insurer meets certain other requirements. To qualify as a durable medium as defined in 11 NYCRR § 243.1(c), the information system must have properties that provide reasonable assurances against tampering with the information contained in the original and degradation of any reproduction generated, and any reproduction on the system must be an exact copy of the original.

If the data being stored electronically in the cloud, on an internal server hosted by the insurer or one of its affiliates, or externally through a third-party service provider is fully and easily accessible from the insurer’s principal New York State office, then the insurer does not need to obtain the Superintendent’s prior approval pursuant to Insurance Law § 325(b) because the Department will consider the books and records kept and maintained in the insurer’s principal office pursuant to Insurance Law § 325(a). However, the insurer must, upon request, provide its records retention plan to the Superintendent pursuant to 11 NYCRR § 243.3(c). As a best practice, an insurer should store its books and records on information systems located within the continental U.S. An insurer should not store its books and records on information systems located in a country that has been sanctioned by the U.S. Treasury Department’s Office of Foreign Assets Control.

An insurer must give the Department convenient access at all reasonable hours to the books, records, files, securities, and other documents of the insurer, including those of any affiliated or subsidiary companies thereof, that are relevant to an examination. Outside of an examination, an insurer should give the Department convenient access at all reasonable hours to such books, records, files, securities, and other documents.

Upon transfer of an original record to the cloud, an internal server hosted by the insurer or one of its affiliates, or externally to a third-party service provider’s information systems, the insurer must ensure any nonpublic information in the record is encrypted while in transit and may destroy the original record after assuring that all information contained in the original record, including signatures, handwritten notations, and pictures, is on the information system. If the insurer does not retain the original paper record, or if there was no original paper record, the insurer must establish a duplicate or back-up system sufficient to permit reconstruction of the record at a separate location. Consistent with previous Department cybersecurity guidance, an insurer should maintain comprehensive, segregated backups in accordance with 23 NYCRR §§ 500.03(e), (f), and (n). To prevent hackers from deleting or encrypting backups, at least one set of backups should be segregated from the network and offline. It is important that an insurer periodically test backups by restoring critical systems from backups as this is the only way to be sure that the backups will work when needed.

Moreover, pursuant to 23 NYCRR § 500.13, an insurer must ensure the secure disposal on a periodic basis of any nonpublic information that is no longer necessary for business operations or for other legitimate business purposes of the insurer, except where such information is otherwise required to be retained by law or regulation, such as 11 NYCRR 243, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained. When deleting records, insurers must also ensure that all backups of the data are removed from the cloud or other information system environment too.

Finally, as required by 23 NYCRR § 500.11, an insurer must conduct a risk assessment and, based on that assessment, implement multifactor authentication, if necessary, for those users with access to nonpublic information, and engage in ongoing oversight and monitoring of the service provider to ensure that services are being managed consistent with contractual requirements and in a safe and sound manner. Oversight and monitoring must include, at minimum, contractual protections and due diligence guidelines as outlined in 23 NYCRR § 500.11(b), which may include evaluating independent assurance reviews (e.g., audits, penetration tests, and vulnerability assessments) and corrective actions to confirm that any adverse findings are appropriately addressed.

The Department will examine an insurer’s compliance with the foregoing requirements as part of any examination conducted pursuant to Insurance Law § 310.

IV. Conclusion

The Department recognizes that changes in technology have resulted in insurers increasingly conducting business and storing records electronically, including storing records on information systems in the cloud, on an internal server hosted by the insurer or one of its affiliates, or externally with a third-party service provider. An insurer may store its books and records on information systems in the cloud, on an internal server hosted by the insurer or one of its affiliates, or externally with a third-party service provider if they are easily accessible from the insurer’s New York State principal office and the insurer meets certain other requirements, including compliance with all applicable state and federal laws and regulations, such as Insurance Law §§ 310 and 325 and 11 NYCRR Part 243 and 23 NYCRR Part 500.

Please direct any questions regarding this circular letter by email to [email protected].

Very truly yours,


Kevin J. Bishop
Executive Deputy General Counsel


1 Certain other sections of the Insurance Law, such as Insurance Law §§ 3209(g) and 4228(h), also require records to be stored in the insurer’s home or principal office. The guidance set forth in this circular letter equally applies to those sections.