October 15, 2021

Insurance Companies and the Future of Governance

The role of insurance company boards of directors continues to evolve and become more complex. The recent inclusion of an extensive corporate governance disclosure as an NAIC accreditation requirement, the growing focus Financial Condition Examiners place on assessing the board of directors, and the increased role of the board in cyber-risk oversight together mean that a well-functioning board is more essential to an insurance company’s success than ever before.

Corporate Governance Annual Disclosure Model Act and Regulation

To aid in standardizing the understanding and assessment of an insurer’s corporate governance, the National Association of Insurance Commissioners (NAIC) adopted the Corporate Governance Annual Disclosure (CGAD) Model Act (#305) and Model Regulation (#306). In 2020 the Models became a requirement for states to maintain NAIC accreditation. Insurers are required to file the confidential CGAD with the state regulator every year by June 1. 

The CGAD must be signed by the Insurer’s CEO or corporate secretary attesting that the disclosed governance practices are implemented and that a copy of the CGAD has been provided to the Board of Directors or its appropriate committee. If the CGAD is completed at the Insurance Group level, then it must be filed with the Lead State.

Examinations of insurance company corporate governance

The control environment and “tone at the top” are influenced significantly by an entity’s board of directors and audit committee. Examiners utilize the CGAD in gaining an understanding of the board’s oversight role, in addition to interviewing directors and committee chairs in their assessment of the board of directors.

The NAIC-adopted “Financial Condition Examiners Handbook” defines the key considerations Examiners apply when assessing an Insurer’s corporate governance.

Insurers exceeding certain premium thresholds are also required to disclose an increased level of compensation information and to maintain an effective internal audit function.

This requirement puts additional pressure on insurance company boards of directors—the information is collected to help insurance regulators understand and evaluate the corporate governance practices of insurers. Boards must provide detailed information about their policies and practices, meetings, risk management, oversight, codes of business conduct, succession planning, compensation, and much more.

It underscores the importance of having a well-functioning board of directors that prioritizes transparency.

Cybersecurity and Insurance Company Corporate Governance 

The CSIS/McAfee report on the economic impact of cybercrime concluded that “cybercrime is relentless, undiminished, and unlikely to stop. It is just too easy and too rewarding, and the chances of being caught and punished are perceived as being too low. Cybercriminals at the high end are as technologically sophisticated as the most advanced IT companies, and, like them, have moved quickly to adopt cloud computing, artificial intelligence, Software-as-a-Service, and encryption.”

Insurance companies are fast becoming the focus of sophisticated cyber criminals around the world for several reasons, including insufficient cybersecurity protocols and the massive amounts of personal, health, financial, and identity information that they stockpile. In addition to the risk of attackers acquiring consumers’ sensitive data, cyber-attacks also put insurance companies’ intellectual property and confidential business information at risk.

Boards must make cybersecurity a priority. 

The role of the board and cyber-risk oversight 

As corporate fiduciaries, insurance company boards of directors are responsible for overseeing management strategy, as well as for their identification and planned response to enterprise-wide risks.

The leading organization for corporate directors in the U.S. – the National Association of Corporate Directors (NACD) – working in association with AIG and the Internet Security Alliance, outlined five key principles to enhance board oversight of cyber-risk:

  1. Directors need to understand and approach cybersecurity as a strategic, enterprise risk, not just an IT risk.

  2. Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.

  3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on board meeting agendas.

  4. Directors should set the expectation that management will establish an enterprise-wide, cyber-risk management framework with adequate staffing and budget.

  5. Board-management discussions about cyber risk should include identification and quantification of financial exposure to cyber risks and which risks to accept, mitigate, or transfer, such as through insurance, as well as specific plans associated with each approach.

Cybersecurity is a Business and Corporate Governance Challenge

High-profile cyber-attacks—on AXA, Alibaba, CNA Financial, Sina Weibo, Colonial Pipeline and countless others—have many insurance companies focusing on how to create a holistic approach to cybersecurity. They’re prioritizing strict cybersecurity protocols throughout the organization, and counting on strong corporate governance to establish muscular security strategies.

But individual directors and executives can take personal action too. 

Personal cybersecurity for board directors, executives and corporate governance professionals 

Board, committee and executive management meetings, video calls, messages, and materials contain highly-sensitive information. And the public nature of board appointments can make directors easier targets for cybercriminals. 

Individual board members, chairs and presiding officers, governance professionals and executive assistants have the opportunity to take personal action to help guard against unauthorised access to the information they possess, and to protect their own personal information, which may be leveraged to aid a cyber-attack.

  1. Enable multi-factor authentication for everything. Use facial or fingerprint recognition, and one-time codes sent by text message or to a secure app on your phone.

  2. Use a dedicated device for board materials; do not use devices shared with family or colleagues, or hotel or public devices.

  3. Only connect to trusted WiFi networks, or use a VPN when you can’t.

  4. Don’t use the same password for multiple sensitive accounts. Use long passwords, or passphrases, which are still long but easier to remember.

  5. Consider what you post online, such as on social media and blogs, which can reveal your travel plans, family relationships and frequent locations.

  6. Turn on automatic updates for your devices to ensure you have the latest operating system and software updates, which usually contain security improvements.

  7. Subscribe to an identity monitoring service — such as from Karam, AT&T and Verizon — to alert you if your personal information is found on the internet.

  8. Use a password checkup, such as the one from Google, to find out if passwords in your Google Account may have been exposed, are weak, or are used in multiple accounts.

  9. Establish guidelines for virtual board and committee meetings:

    • Consider setting multiple hosts for the meeting (e.g. the chair or presiding officer, the corporate secretary, and the board assistant) in case a host is disconnected

    • Enable the waiting room and do not allow participants to join before a host

    • Place meeting guests in separate waiting/breakout rooms, especially where the identity of guests may raise confidentiality concerns (e.g. M&A activity)

    • Lock the meeting once started

    • Only allow access via apps and websites, not telephone dial-in, which is not encrypted

    • Restrict who can share their screen and change their name

    • Generate a new link for each meeting (do not use recurring meeting IDs or personal meeting room IDs)

    • Set a passcode for each meeting and do not reuse passcodes

    • Send links for virtual meetings via a secure board management system such as Govenda’s board management solution; avoid sending them via email, especially to independent directors, who often use personal email

    • Consider disabling chat to ensure adherence to document retention policies and electronic discovery practices

  10. Establish guidelines for information security when travelling to certain countries:

    • Ensure your devices (laptop, tablet, smartphone) do not hold sensitive information, or minimize the sensitive information they do hold (e.g. only the board papers for the upcoming board meeting; email only from the last day)

    • Monitor your devices at all times

    • Avoid paper-based information

    • Make arrangements with a colleague for how you will share and communicate information securely while you are traveling

    • Comply with the requests of customs/immigration to inspect your devices

    • Consider using code words to replace sensitive business language

Two Challenges for Insurance Company Corporate Governance

Insurance companies’ boards of directors play a crucial role in the overall success of the company, and from new disclosure requirements to increased risk from cyber attack, the role of the board is becoming increasingly complex. But the fundamental responsibility of a board of directors is to stay focused on the long-term strategic vision for the company.
