April 25, 2018 A publication of the Pennsylvania Association of Mutual Insurance Companies
Survey: Cybersecurity an Increasingly Important Role for Internal Audit Goodville Mutual Hires Bruce Brizzi as VP of Marketing Pennsylvania Legislative Update
Pamic@pamic.org
1017 Mumma Road, Suite 202 Wormleysburg, PA 17043
(717) 303-0197
Contents Goodville Mutual Hires Bruce Brizzi as VP of Marketing page 10
Survey: Cybersecurity an Increasingly Important Role for Internal Audit As the impact of cybersecurity incidents and data breaches become broader and deeper, more organizations are recognizing cyber risk as an enterprise risk and taking corresponding steps to establish appropriate oversight. But as corporate cybersecurity capabilities mature, how have the roles of the board, audit committee, and internal audit changed, and what can they look forward to in the future?
page 4
Pennsylvania Legislative Update This update provides quick insights into the PA legislature. Find out more about bills moving through committee, Workers Compensation, and current regulations issued by the Department.
page 12
NEWS
Cannabis Businessowners Policy Developed for California (page 10)
InsurTech Fundamentals and Compliance Strategies for Implementation (page 11)
Guest Post: Sexual Misconduct Claims: How Charitable is Your D&O Policy? (page 11)
REGULATION
Department of Labor and Industry Publishes News & Notes (page 13)
RESOURCES
General Regulatory Information (page 14)
Legislation Tracker (page 15)
| 360 | April 25, 2018
EVENTS
Human Resources Seminar When: May 9, 2018
Where: Harrisburg, PA
Time: 8:00 a.m. – 3:00 p.m.
Join us as we discuss the expectations of Millennials, handling sexual harassment in the workplace, and the Family and Medical Leave Act at the Human Resources Seminar. This seminar has been approved for 5 CE credits.
Name | Date | Time | Location
Market Regulation Webinar | April 26, 2018 | 2:00 – 3:00 p.m. | PAMIC Online
Human Resources Seminar | May 9, 2018 | 8:00 a.m. – 3:00 p.m. | Sheraton Harrisburg Hershey
Branding the Modern Mutual | May 23, 2018 | 10:00 a.m. – 11:00 a.m. | PAMIC Online
PAC Summer Golf Outing | June 13, 2018 | 1:00 p.m. | Omni Bedford Springs
Executive & Board Roundtable | June 13-14, 2018 | 8:00 a.m. | Omni Bedford Springs
111th Annual Convention | August 5-7, 2018 | Multiple | Baltimore Waterfront Marriott
Financial Management Seminar | September 2018 | TBD | Hershey Country Club
For more information on PAMIC events please visit our website. Special Thanks to our 2018 Premium Gold Sponsors
| pamic.org |
NEWS
Survey: Cybersecurity an Increasingly Important Role for Internal Audit As the impact of cybersecurity incidents and data breaches become broader and deeper, more
organizations are recognizing cyber risk as an enterprise risk and taking corresponding steps to establish appropriate oversight. But as corporate cybersecurity capabilities mature, how have the roles of the board, audit committee, and internal audit changed, and what can they look forward to in the future?
According to a new survey jointly conducted by Compliance Week and Mazars USA, while organizational cybersecurity oversight capabilities are maturing, many companies still suffer from a lack of formally assigned roles and responsibilities, and a loosely defined cybersecurity framework.

“Internal audit departments are playing an increasing role in achieving cybersecurity goals, and accomplishing them in different ways. But they need to ensure that their efforts are aligned with their companies’ overall cybersecurity oversight approach,” said Brian Browne, Principal and Cybersecurity Practice Leader at Mazars USA. “Overall the approach to cybersecurity oversight seems to be taking hold and maturing, but there seems to be a disconnect among the roles, especially when it comes to the three lines of cybersecurity defense,” Browne says. “It is very important to make sure that the cybersecurity conversation is happening at the board or the committee level.”

The Three Lines of Cybersecurity Defense
The three lines of cybersecurity defense are defined in The Institute of Internal Auditors (IIA) Global Technology Audit Guide (GTAG), “Assessing Cybersecurity Risk—Roles of the Three Lines of Defense.”

The first line of cybersecurity defense consists of business units and cybersecurity teams that manage the processes and controls that are in place to manage cyber risks.

The second line consists of risk managers with risk, control, and compliance oversight functions for ensuring that the first line processes and controls exist and are operating effectively.

Internal audit acts as the third line of defense, providing senior management and the board with independent and objective assurance of the cyber risk management implemented in the first and second lines of defense.

The Compliance Week/Mazars Cybersecurity Oversight Survey
The survey polled more than 150 executives responsible for cybersecurity at their organization. The respondents represent a wide variety of industries, with nearly a quarter from financial services and another 12.5 percent from insurance organizations. The majority of respondents were chief audit executives, chief information security officers, or chief compliance officers.

Who Owns Responsibility for the Enterprise’s Cybersecurity Oversight?
Nearly 32 percent of respondents said that their audit committee primarily owned responsibility for the enterprise’s cybersecurity oversight, followed by the technology committee (22 percent) and the risk committee (15 percent). Some 10 percent of respondents said cybersecurity oversight was not formally assigned anywhere within the enterprise, which Browne sees as an area of concern.

Is Cybersecurity Discussed Regularly at Audit Committee Meetings?
Nearly 43 percent of respondents said that cybersecurity is discussed regularly at audit committee meetings as an established agenda item, and another 36 percent said it is not an established agenda item, but it is discussed occasionally. This is an area where the level of dialogue can stand to improve. “More and more, the responsibility for cybersecurity oversight is falling on the audit committee,” Browne says. “It’s the right place in a lot of organizations to talk about cyber risk. While many audit committee meetings have this as a regular agenda item, we should see that continue to grow year over year.”

Who Conducts Cybersecurity-Related Services?
Roughly 20 percent of internal audit departments perform all of their cybersecurity-related internal audit services themselves; however, almost half (46 percent) co-source these internal audit services with an external provider.

What drives co-sourcing, Browne says, is that it allows an organization to marry internal audit organizational knowledge with external cybersecurity expertise to provide senior management and the board with an independent assessment of the effectiveness of management activities in managing and mitigating cybersecurity risks and threats.

Usually, companies turn to external providers because they lack the time/budget, talent, and/or tools to assess their cyber risk. This is all fairly normal, Browne says, but he did find it concerning that some 27 percent of respondents said that their cybersecurity was assessed by another internal or external assurance provider (i.e., non-internal audit personnel).

“That’s all well and good, but the role of internal audit is to be that third line of defense on cybersecurity and independently assess and report to the board on how the organization is managing its cyber risk,” Browne says. “In a way, you’re saying, ‘somebody else is doing that so we don’t have to.’ In reality internal audit should still be responsible as the third line of defense.”

Nearly 79 percent of respondents said that their internal audit department covered cybersecurity in some way because cybersecurity was rated a high enterprise risk; some 36 percent also said it came by way of direct board or audit committee request.

“That’s good,” Browne says, “because the board is ultimately responsible for overall cybersecurity oversight. The fact that they are asking internal audit to do something there is a good thing. I would hope over time, that number goes even higher.”

But when asked to what degree their organization had adopted the IIA three lines of cybersecurity defense model, approximately 60 percent indicated that they have not formally defined or assigned any roles and responsibilities across the three lines.

Nearly 21 percent of respondents were not even aware of the three lines of cybersecurity defense, which Browne said was disappointing, but not surprising, given the wider lack of formal assignment of cybersecurity roles and responsibilities.

When asked how their internal audit department independently assesses their organization’s cybersecurity, the most common answers were:
• Assessing the cybersecurity control framework such as people, process, and technology (57 percent);
• Assessing the compliance status against one or more regulations or frameworks such as the New York Department of Financial Services (NYDFS) Cybersecurity Regulation, the Health Insurance Portability and Accountability Act (HIPAA), or the European Union (EU) General Data Protection Regulation (GDPR) (44 percent); and
• Assessing a specific cybersecurity operational area such as vulnerability management, logging and monitoring, etc. (42 percent).

Only 33 percent of respondents said they assessed asset inventories such as hardware, software, and sensitive data, which is another area Browne says should rate higher, but is not a surprising result, given what he has seen in the field.

“Asset inventories are foundational from a security perspective, to understand exactly what hardware and software you have deployed in the organization and what sensitive data you have,” Browne says. “Without that awareness, you may not be aligning your cybersecurity protection and detection mechanisms appropriately to effectively manage your risk.”

Browne added that the defined EU GDPR data subject rights will probably drive more attention to asset inventories of personally identifiable data.

When asked to identify their top cybersecurity threats, the respondents’ most common answers were phishing (63 percent), malware/crime-ware (55 percent), and third-party risk (43 percent).

This is an opportunity for internal audit to gauge the organization’s overall risk in these areas, especially since things like phishing and malware are what Browne considers the “point of the spear” for much larger cybersecurity issues.

“This is an opportunity for internal audit to ask, ‘Do we have the right protection mechanisms at the perimeter and on user endpoints, so if they do click on a link or open an attachment, there is some countermeasure there to thwart the attack?’” Browne says.

Third-party risk is trending upward, Browne notes, in part because regulators are paying more attention to those risks as well. “Look at the New York cybersecurity regulations,” Browne says. “Regulators are paying more attention because more and more security incidents and data breaches involve third parties. Those all align, so that’s good to see the recognition of that as a risk.”

What Standards Do You Use to Measure Your Cybersecurity Program Maturity?
When it comes to measuring cyber risk programs against a maturity model, some 41 percent of respondents said they leverage the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). Other frameworks were mentioned, but none came close to the prevalence shown for the NIST CSF.

“That is the one most people have heard of, and is familiar to them,” Browne says. “The challenge with the NIST is that it is so big, intimidating, or even onerous to implement. Organizations tracking to it need to take the time to understand and tailor that framework to their organization.”

What is surprising, Browne said, was that 25 percent of respondents said they did not track the maturity of their cyber risk program at all.

“Talking about the control frameworks that define the people, processes and technology in your organization is key to managing cyber risk on an ongoing basis,” Browne cautions. “If you do not have a framework in place, you are going to be haphazard in your approach to managing your cyber risk, and your results are going to show that.”

Some 31 percent of respondents said they felt the overall maturity level of their cybersecurity efforts was “managed”—processes were monitored and performance was measured. Results steadily fell from there, with 23 percent saying their programs were defined (processes formally defined, but without sophistication or monitoring), 21 percent saying their programs were repeatable (processes follow a recognizable pattern but are based on intuition or individual knowledge), and 13 percent saying they were initial (processes are ad hoc and disorganized).

Overall, this shows a trend in the right direction, Browne says, pointing out that the relatively high number of respondents reporting their programs as managed is a very good result, and higher than expected. Only 3 percent of respondents said their programs were optimized—that is, highly refined and automated—which was not a surprise, given that many organizations, once they hit the “managed” level, feel they have their risk managed to within an acceptable level.

How Much Do You Feel Your Organization Is Managing Its Cyber Risk?
Perhaps the most telling result was from the survey’s final question, in which respondents noted how much they felt their organization was managing its cyber risk. The majority of respondents (60 percent) said they felt they were keeping up with their level of risk, while 21 percent said they were falling behind. Surprisingly, 19 percent said they were getting ahead of their cyber risk.

“Frankly, I don’t know if I would ever feel comfortable enough to say I am ‘getting ahead’ of my cyber risk,” Browne says. “To say you’re getting ahead, you are truly identifying risks before they’re actually becoming realized. I think that’s a difficult thing to say, and having been in this field for over 25 years, I don’t know if I would ever say I was getting ahead. I am even surprised over that 60 percent of organizations are keeping up with managing their cyber risks.”

Conclusion
The fact that nearly 43 percent of companies discuss cybersecurity as an established agenda item at audit committee meetings is promising from an oversight perspective, and we should see that trend upward moving forward based on the role that many internal audit departments are playing with respect to cybersecurity. In addition, there is much to be gained from a fruitful partnership between internal audit and external resources when it comes to managing and assessing cybersecurity, Browne says. “From an internal audit perspective, in order to function as the third line of cybersecurity defense, going through some sort of formalized risk assessment method or process to determine your cyber risk and corresponding cybersecurity related audits is really important.”

Once those risks have been identified, Browne says, comes the decision of how much of the performance of those audits can be handled in-house. “The vast majority of internal audit departments need some external help when it comes to cybersecurity because it’s typically not a core skill set that they are going to maintain as part of their department. That would be the key to providing that third line of cybersecurity defense.”
Mazars USA LLP provides insight and specialized skills in accounting, auditing, tax, consulting and advisory services. Since 1921, our dedicated professionals have leveraged technical industry expertise to develop customized solutions for clients, create value, and optimize their performance. As the independent U.S. member firm of Mazars Group, our global reach includes 20,000+ professionals across 86 countries. At local and global levels, we are proud of our value-added services in building lasting relationships with our clients and communities. For more information, visit us at www.mazarsusa.com.
Goodville Mutual Hires Bruce Brizzi as VP of Marketing Goodville Mutual Casualty Company has hired Bruce Brizzi as Vice President of Marketing.
Beginning this month, Brizzi takes leadership of the Marketing Department. His predecessor Fred Macy retired from the position effective March 29 after more than 10 years filling this role. Brizzi has worked in the property & casualty industry for over 30 years. He most recently held the title of Executive Vice President of Insurance Operations at Northern Neck Insurance Company, serving the Commonwealth of Virginia.
Before his time at Northern Neck, Brizzi worked for Travelers Insurance Company for 17 years, where he led claim center operations in Ohio and Pennsylvania for several years. He later transitioned into the role of Regional Vice President for Personal Insurance, responsible for production, profitability, and agency relationships. Bruce grew up in western Pennsylvania and earned a B.S. degree in Business Management from Clarion University of Pennsylvania. Goodville Mutual works through independent insurance agents in eight states, providing comprehensive property and casualty insurance products for autos, homes, businesses, churches, and farms. For more information, visit www.goodville.com.
Cannabis Businessowners Policy Developed for California The American Association of Insurance Services, a not-for-profit insurance advisory
organization, announced the filing of the first-of-its-kind Cannabis Businessowners Policy (CannaBOP) in the state of California. According to AAIS, the CannaBOP program will include property and liability coverage for cannabis dispensaries, storage facilities, distributors, processors, manufacturers and other businesses participating in or supporting the California cannabis industry. Greenwald, Judy. “Cannabis Businessowners Policy Developed for California.” Business Insurance, 20 Apr. 2018, www.businessinsurance.com/article/20180420/NEWS06/912320748/Cannabis-businessowners-policy-for-CaliforniaAmerican-Association-of-Insurance-.
InsurTech Fundamentals and Compliance Strategies for Implementation Date: May 2, 2018 Time: 8:30 a.m. – 1:30 p.m. Where: Saul Ewing Arnstein & Lehr LLP, Centre Square West 1500 Market Street, 38th Floor Philadelphia, PA (Live stream available for this event)
InsurTech — it’s not just for startups anymore. Insurance companies are utilizing innovative technology in all stages of the insurance lifecycle. New distribution models are critical for marketing to millennials, who are now the largest living generation. Big data enables insurers to more effectively underwrite policies and detect fraud. Blockchain has the potential to drastically increase efficiency for administrative functions, and artificial intelligence has tremendous promise in improving claims handling. Failing to keep up with innovation is a serious challenge and enterprise risk that must be met. What initially started as a potentially disruptive force has transformed into a remarkable opportunity for insurers to reach new clients, create a better customer experience, improve risk selection, reduce expenses and operate more efficiently. Join us for a seminar addressing new technologies that will affect nearly every aspect of insurers’ day-to-day operations — from distribution to claims — and their compliance strategies for implementing these new technologies. Our speakers Jeremy Heinnickel and Jim Gkonos, members of the Firm’s InsurTech Practice, are joined by Alison Beam of the Pennsylvania Insurance Department, Michael Fitzgibbon of Slice, Leonard Steinmetz of Grant Thornton and Christopher McDaniel, President of The Institutes RiskBlock Alliance.
Guest Post: Sexual Misconduct Claims: How Charitable is Your D&O Policy? The media spotlight on sexual misconduct has resulted in claims against business executives and businesses. D&O policies generally provide coverage for the “wrongful acts” of a company’s directors and officers and, often, its general employees. Many of the policies cover claims against the business, but that coverage is narrower than the coverage for the insured individuals. Businesses and their executives should look carefully at their D&O coverage and take into account that, in the scope of sexual misconduct claims, corporate liability could become a more serious issue. LaCroix, Kevin. “Guest Post: Sexual Misconduct Claims: How Charitable Is Your D&O Policy?” The D&O Diary, 20 Apr. 2018, www.dandodiary.com/2018/04/articles/director-and-officer-liability/guest-post-sexual-misconduct-claimscharitable-policy/.
REGULATION
Pennsylvania Legislative Update By Vince Phillips, Phillips Associates
House Passes Insurer Examination Reforms
On April 12, the PA House passed House Bill 1851 (Pickett-R-Bradford) 194-0 to provide more certainty to insurance companies about when an examination will take place. Among other things, the bill requires:
• An advance consultation
• Estimated costs and completion time
• An additional consultation if the Department concludes that the exam will take more time or be more than 10% more costly than originally projected, OR that there have been major staffing changes by the examiner
• A yearly report on monies spent by insurance companies for financial and market conduct exams.
Since the bill was amended, it has been returned to the Senate for concurrence. This legislation addresses a major concern by insurers that the examination process is opaque and subject to longer and more expensive than needed exams. Noteworthy is the inclusion of language that examination options must be considered to make sure that the least intrusive options are examined. HB 1851 also sets parameters on invoicing from contractors, such as a detailed description of specific exam components broken down in 15-minute increments.

Workers’ Compensation Drug Formulary
On April 18, the House voted 101-92 to pass Senate Bill 936 (White-R-Indiana). This bill establishes a drug formulary for Workers’ Compensation. One of its purposes is to reduce the amount of opioid prescriptions. This was vigorously opposed by organized labor and their political allies, who maintained that SB 936 would reduce the medical treatment choices for workers. Opposition was not limited to Democrats. This vote came about by a motion to reconsider a February 6 tie vote of 98-98. What made the difference is that two Republicans changed their votes from ‘no’ to ‘yes’. These were Rep. Brian Ellis (R-Butler) and Rep. Harry Lewis (R-Chester). Five Democrats were absent for the final passage vote on April 16. Given the contested nature of this legislation, it is unclear what Governor Wolf will do, as there was no word from the Governor’s office over the weekend. He has until April 28 to decide.

Rebates and Inducement Bills
Senate Bills 877 and 878 (White-R-Indiana) are going to the Governor for his signature this week. They would end the prohibition on offering rebates and inducements now contained within Act 205 and numerous other statutes. On April 18, the PA Senate concurred with House amendments to finalize their consideration of the legislation.

Self Storage Limited Lines License
House Bill 504 (Charlton-R-Delaware) permits unlicensed retail clerks in self storage unit companies to sell contents (property) insurance. The House voted 192-0 to pass the bill and send it to the Senate. A limited lines producer license would be issued to a storage unit owner, who would then designate unlicensed employees (called ‘authorized service representatives’) as those able to solicit and sell contents insurance. These authorized service representatives would complete training of an unspecified length on property insurance basics. An important amendment to the bill is that the training must be approved by the Insurance Department. During the sale of contents insurance, the customer must be informed that contents insurance may not be necessary if the customer already has homeowner’s insurance, and must be provided with a brochure which describes insurance provisions. An owner is not required to have a limited lines producer license if the insurance solicitation is limited to display brochures and other promotional materials created by an insurer. A limited lines self-service storage insurance producer is not required to take continuing education.

Travel Limited Lines License
On April 18, Senate Bill 630 (Reschenthaler-R-Allegheny), permitting unlicensed employees (called ‘travel retailers’) to sell travel insurance, was re-referred to the House Appropriations Committee. There must be a limited lines insurance producer licensee who is responsible for the travel retailer’s actions. Training must take place and the limited lines producer licensee must maintain a registry of travel retailers.

The legislative update is provided by Vince Phillips of Phillips Associates. For more detailed info on issues facing the PA legislature please contact Vince at xenobun@aol.com.
Department of Labor and Industry Publishes News & Notes The Department of Labor and Industry
recently published their Spring 2018 newsletter that includes important updates and educational resources that are available from the Department. This edition of the newsletter covers recent judgments and legislative changes to Workers’ Compensation. The newsletter also covers upcoming events and important changes within the department. Included in this publication is also an introduction to the OLCAM Building Workplace Safety Committee, and the steps they regularly take to ensure workplace safety for all Pennsylvanians. View the full Spring 2018 Department of Labor and Industry News & Notes.
RESOURCES
General Regulatory Information
Use this table to find important links to information from the state insurance departments that affect PAMIC members.
Pennsylvania Insurance Department Bulletins Notices SOP’s
Regulations
Title 40 Statutes Unconsolidated Statutes
Press Releases PID Newsletter Consumer Alerts News & Notes
Title 18 Statutes
News
Title 11 Statutes
General Info
Statutes
News
Title 38.2 Statutes
News
Delaware Department of Insurance Bulletins
Regulations
NJ Department of Banking & Insurance Bulletins
Regulations
Maryland Insurance Administration Bulletins
Regulations
Virginia SCC - Bureau of Insurance Admin Letters Admin Orders
Regulations
West Virginia Office of the Insurance Commissioner Info Letters
Regulations
Statutes
Consumer Advocate
Statutes
News Releases Newsletters
Ohio Department of Insurance Bulletins
Regulations
New York Department of Financial Services - Insurance Opinions Circular Letter
Regulations
Statutes
Press Releases Statements
Michigan Department of Insurance and Financial Services Bulletins
Regulations
Statutes
Press Releases
Maine Department of Professional & Financial Regulation Bulletins
Regulations
Statutes
Press Releases
Statutes
Press Releases
California Department of Insurance Bulletins
Regulations
Legislation Tracker Below is a list of bills that the association is currently tracking. For a full list visit our PA Bill Information Page.
Bill # | Sponsor | Description
HB 1335 | Tina Pickett | Amends Title 40 (Insurance), in preliminary provisions, providing for Insurance Regulation and Oversight Fund; and making a related repeal.
HB 1840 | Rob Kauffman | Amends the Workers’ Compensation Act, in liability & compensation, further providing for schedule of compensation and for physical examination or expert interview.
HB 1848 | Tina Pickett | Amends Title 40 (Insurance), in regulation of insurers and related persons generally, providing for corporate governance annual disclosure.
HB 1851 | Tina Pickett | Amends the Insurance Department Act, in examinations, further providing for purpose & providing for scheduling conference, for budget estimate & revisions, for billing invoices and for annual examination & analysis report.
SB 936 | Donald White | Amends the Workers’ Compensation Act, in liability and compensation, further providing for prescription drugs and the treatment of work-related injuries; and, in procedure, further providing for peer review.
SB 956 | Daniel Laughlin | Amends the Insurance Regulation and Oversight Fund Act, providing for annual report to General Assembly.
HB 1823 | Kurt Masser | Amends the Insurance Company Law, in casualty insurance, further providing for billing.
HB 1841 | Mike Tobash | Amends the Insurance Company Law, in general provisions relating to insurance companies, associations & exchanges, further providing for rebates and inducements prohibited, revocations of licenses, and penalties.
HB 1842 | Mike Tobash | Amends Insurance Department Act, in insurance producers, further providing for rebates and for inducements prohibited.
SB 877 | Donald White | Amends the Insurance Department Act, in insurance providers, further providing for rebates prohibited and for inducements prohibited.
Market Regulation: Insurance Department Perspective, April 26, 2018, PAMIC Online