As we head to the NAIC Spring National Meeting in Denver this weekend, here are just a few of the issues the Dentons IREG team will be engaged in:


On March 1 New York's regulation prescribing numerous cybersecurity requirements took effect. 23 NYCRR Part 500. As we reported in our update on March 10th, the New York Department of Financial Services requires all nonexempt licensees and registrants—including agents, brokers, adjusters, reinsurance intermediaries, utilization review agents, service contract providers and viatical settlement brokers—to conduct a risk assessment, develop appropriate cybersecurity policies and procedures, appoint a chief information security officer, establish a written incident response plan, train employees in cybersecurity measures, implement suitable encryption controls and conduct annual penetration testing and biannual vulnerability assessments.

Beginning next February insurers must certify, in an annual filing, compliance with these and other requirements in the regulation. The only insurers completely exempt from the regulation are New York-domiciled captive insurers that never generate or receive nonpublic information (other than that of their corporate parent or affiliates), accredited or certified reinsurers, foreign risk retention groups and charitable annuity societies. Small businesses may apply for a more limited exemption if they and their affiliates have fewer than 10 employees "including any independent contractors" located in New York, or less than $5 million in New York-based revenue for the entity and all affiliates in each of the prior three years, or less than $10 million in assets, including all affiliated companies.

In other cybersecurity news, the NAIC Cybersecurity Working Group, which reports to the newly created Innovation and Technology Task Force, which works directly under the NAIC's Executive Committee, will meet on Sunday April 9 to consider version 3 of the draft Insurance Data Security Model Law. Although less specific than New York's regulation in some ways, the current draft Model imposes more detailed requirements with respect to notifying insureds and claimants if a breach of nonpublic information occurs. Numerous trade groups, including the ACLI, AIA, IIABA and NAMIC, are seeking significant changes to the current draft, asserting, for example, that its provisions confusingly conflict with existing data breach legislation. And NCOIL has publicly stated that its members are highly unlikely to enact separate cybsecurity laws specific to the insurance industry which may conflict with measures applicable to banks and other financial services firms.

US-EU Covered Agreement

On Sunday April 9 the Reinsurance (E) Task Force will consider the recently finalized covered agreement (the Agreement) on insurance between the United States and the European Union. As we reported in our alert on January 18, the Agreement prohibits every US state from imposing on an EU assuming reinsurer collateral requirements that it does not also impose on a US assuming reinsurer, provided that the EU reinsurer meets specified solvency and claims-handling requirements. Thus, if reinsurers domiciled in the state of Connecticut (referred to as the "host party") are not required to post collateral when assuming risk from Connecticut-based ceding insurers, then the Connecticut insurance regulator cannot require a reinsurer domiciled in Germany (referred to as the "home party) to post collateral when assuming a risk from a Connecticut insurer. The same would be true for any "local presence" requirements imposed by a host party. Thus, Germany (in this case, the host party) cannot require a Connecticut reinsurer to maintain a local presence or office in Germany in order to assume risk from a German insurer if Germany does not also impose that requirement on reinsurers domiciled in Germany.

The Agreement requires the US to encourage every state to promptly adopt measures,

  1. Seeking, in each year following the effective date of the Agreement, a 20 percent reduction of the collateral the state would have otherwise required, and
  2. Implementing relevant state credit for reinsurance laws and regulations consistent with the terms of the Agreement.

No later than 42 months following execution of the Agreement, the US will thereafter be required to begin evaluating potential preemption determinations under its laws and regulations with respect to any state insurance measure that the US determines is inconsistent with the Agreement.

That preemption review will be prioritized to consider those states with the highest gross volume of ceded reinsurance, and must be completed within 60 months following execution of the Agreement, i.e., by January 2022. If it is determined that a state law is preempted by the Agreement, then the US Department of the Treasury is required, among other things, to notify and consult with the affected state insurance regulator, publish the proposed preemption for public comment and, thereafter, establish a reasonable time for the preemption to become effective. A state has the right to challenge that preemption determination in court.

On March 15 the NAIC wrote to Treasury Secretary Mnuchin seeking clarification as to whether the Agreement completely eliminates collateral requirements, which would be totally inconsistent with the recently liberalized rules adopted in New York, California and 30 other states allowing for a reduction in required collateral to qualified reinsurers but not a complete elimination. The NAIC is asking Treasury to obtain written confirmation from EU negotiators that the Agreement, as they interpret it, is not inconsistent with those state law amendments or else to renegotiate the Agreement. On February 16 the Subcommittee on Housing and Insurance of the House Committee on Financial Services held a hearing on the Agreement at which reinsurer representatives disagreed over whether Congress should reject the Agreement by the April 13 deadline. So far Treasury has not taken a position on the Agreement.

Affordable Care Act

Even with the ongoing efforts by the White House and Congressional leaders to resuscitate the American Health Care Act in some form, attention this year will increasingly shift to how the Trump administration will use its regulatory authority to reshape the Affordable Care Act (ACA). Just this week the White House stepped up efforts to try to address concerns from the different parts of the Republican conference in the House in an effort to see if they could still put a package together to repeal and replace the Affordable Care Act that could pass the House of Representatives. However, since the Obama Administration used the broad regulatory authority and flexibility given to HHS by the ACA to implement the law; the Trump administration now has the power to use that same flexibility. Question remains what will they do with it.

The current million dollar question before the new Republican administration which is now tasked with administering the ACA is will they use their regulatory authority to address market stability and other ACA problems; or will they 'let the ACA be the ACA' and see the current insurance and market trends of the past few years continue.

If Price and HHS use their administrative authority to put forth policies that will help stabilize the market, they might look to continue to pay the cost-sharing subsidies to insurers, address the discrepancies with the risk adjustment formula and the other ACA risk programs, increase flexibility around the definition of essential health benefits to allow more products to come to market, and allow states more flexibility to bring more insurers and competition into the market.

On the other hand, if the administration decides instead to 'let the ACA be the ACA' you might see HHS stop enforcing the individual mandate, cut off payments to cost-sharing subsidies, continue underfunding the risk programs and keep the current level of federal regulations that dictate specific plan design in the exchange market.

At the NAIC, the Health Insurance and Managed Care (B) Committee will grapple with these issues by selecting a hearing a panel that includes representatives of various stakeholder groups, including consumers and industry. The Health Risk-Based Capital (E) Working Group will likewise discuss the ACA, as well as Medicaid pass-through payment treatment.