Insurance Data Security Act – All Companies

All insurers should check on the status of their state’s (state of domicile) progress on adopting the NAIC’s Data Security Model Law into their state laws and the provisions adopted and possible exemptions provided in your state. For Wisconsin domiciled companies, the Wisconsin Insurance Data Security Law (Act 73) was signed into law by Governor Evers on July 15, 2021. The Act establishes requirements to provide data security to protect nonpublic information for licensees regulated by the Wisconsin Office of the Commissioner of Insurance (OCI), which includes insurance companies, agents, and public adjusters.

The Act dictates that licensees take preventative measures to address the potential for cybersecurity events through risk assessment procedures, implementing an Information Security Program (ISP), developing an incident responses plan, and providing immediate notifications of any cybersecurity events to the OCI (within 3 days). Reporting to the OCI is required if either: (1) the information breached has a reasonable likelihood of causing material harm to a consumer or normal operations of the entity; or (2) if the breach involves nonpublic information of at least 250 Wisconsin residents and; (1) there is a reasonable likelihood of harm to consumers or the entity’s operation, or (2) the licensee is required to report the event to another government body by state or federal law. Licensees are obligated to notify both consumers and producers of record within a “reasonable” time, but no later than 45 days after receiving knowledge that a breach has occurred.

Licensees are also obligated to notify the OCI of breaches involving third-party service providers within 3 days after receiving knowledge that a breach has occurred at the third party.

There are some exemptions to the law, including organizations that are already obligated to comply with other data security regulations. In addition, any entities that have any of the following criteria are not required to establish an ISP, but are obligated to report any cybersecurity event: less than $10M in total assets, less than $5M in gross premium/revenue, or less than 50 employees.

The Act is effective on November 1, 2021, in Wisconsin, but licensees have until November 1, 2022, to conduct a risk assessment and develop and implement their ISP, and have until November 1, 2023 to establish a 3rd Party compliance program. The Act includes specific requirements for the ISP, but the ISP should be tailored to each entity. An annual certification must be made to the Insurance Commissioner no later than March 1st, with the first certification due by March 1, 2023. More information on the procedure for providing the annual certification will be provided by the OCI in the future.

Through August 2021, the following states have adopted data security regulations using the NAIC Data Security Model Law as a base: Alabama, Connecticut, Delaware, Hawaii, Indiana, Iowa, Louisiana, Maine, Michigan, Minnesota, Mississippi, New Hampshire, North Dakota, Ohio, South Carolina, Tennessee, Virginia and Wisconsin. For more information for Wisconsin, see 2021 Act 73 and this OCI bulletin.

Group Capital Calculation – All Company Groups

In December 2020, the NAIC adopted the Group Capital Calculation (GCC) template, instructions, and proposed revisions to the Insurance Holding Company System Act. The purpose of the GCC is a filing requirement for insurance groups to help regulators evaluate solvency at the group level. State legislatures and insurance departments must adopt the holding company system revisions with the hope of having the GCC in place for year-end 2022.

The NAIC had requested a group of test companies to file the GCC calculations in July 2021. Insurance departments reviewed/discussed the filings and the trial was to be completed by October 1, 2021. The results/questions from the trial will be discussed at the NAIC National Meeting this fall.

Who must file: All companies subject to the Insurance Holding Company System Model Regulation must make an initial filing. An important exemption applies if an insurance holding company system that has only one insurer within its holding company structure, and is licensed in and writes business in its state of domicile, and assumes no business from any other insurer. Other exceptions include if a group capital calculation is filed with either the Federal Reserve Board, or files in a Reciprocal Jurisdiction outside of the U.S. After the initial filing, the holding group can request an exemption from subsequent filings from their lead state, but there are various requirements to request this exemption including having written premium of less than $1B.

What companies must be included in the filing: All entities within the group in alignment with the Insurance Holding Company System Model Regulation – Schedule Y should be the starting point. Seven types of entities are described and have various rules for capital and capital requirement calculations:

1. US Insurer
2. Non-US Insurer
3. US Captive Insurers
4. US Insurers not subject to RBC
5. Non-insurer financial entities subject to regulatory capital requirements
6. Non-insurer financial entities not subject to regulatory capital requirements
7. Non-insurer/non-financial entities (including non-operating holding companies)

Filers can work with Lead-State regulators to reduce or limit the scope of entities.

Insurer groups should review the GCC template and instructions to become familiar with them, and consider the following:

• • Determine which entities will need to be listed separately and have a plan to discuss exclusion of entities that do not pose a material risk with the lead state regulator once filing requirements are finalized (mainly type #6 & #7 entities). Insurance agencies are considered type #7 per the NAIC’s Q&A issued on August 16, 2021.
  • Entities that are required to be listed separately will need to be “de-stacked” (removed from capital and capital requirements) from the parent company and have separate calculations for capital and capital requirements. The starting point for insurance companies will be the individual company RBC filings, after eliminating the impacts from any downstream subsidiaries that are listed separately.

The GCC Instructions, Q&A, and draft Template can be found here.

New Look for 2021 Audit Reports

This may seem like lackluster news, but in the world of accountants and auditors, it is extremely exciting! For 2021 audit reports – the audit opinion letters included in your audited financial statements – the wording and format of the audit opinion will be modified. Statements on Auditing Standards Number 134 (SAS 134) issued by the AICPA’s Auditing Standards Board has updated the auditor opinion letter to move the auditor’s opinion to the beginning of the letter, and adopted wording intended to increase transparency into the basis for the auditor’s opinion, as well as the responsibilities of both the auditors and entity management. Some of these exciting changes include:

• • Presenting the auditor’s opinion paragraph first
  • “Basis for Opinion” paragraph follows the opinion paragraph
  • Statement that the auditor is required to be independent and meet ethical responsibilities
  • Responsibilities of the auditor and entity management regarding going concern
  • Expanded description of the auditor’s responsibilities

Please look for the new and improved audit report in your 2021 audited financial statements!

Strohm Ballweg New Employees and Promotions

SB is excited to announce a few new additions to the team! We welcome (back) Evan Oppermann, who has interned with us for the past couple of years and is a recent graduate of Edgewood College, as a Staff Accountant. John Vose also joined us in September as part of our team serving Municipal Property Insurance Company and has more than 35 years of personal and commercial insurance experience. Last but not least, Aimee Kent recently came on board as a Senior Accountant to assist with compilation engagements and quarterly filings. Welcome all!

Effective September 1st, Hannah Langworthy, CPA and Ashley Perales, CPA were promoted to Senior Accountants (pictured below, left to right). Congratulations on these well-deserved promotions, which recognize and reward their dedicated and capable service to our clients!