Current through Register Vol. 46, No. 45, November 2, 2024
Section 82.2 - Enterprise risk management

(a) Pursuant to Insurance Law sections 1503(b), 1604(b), and 1717(b), an entity shall adopt a formal enterprise risk management function that identifies, assesses, monitors, and manages enterprise risk. Except as provided in subdivision (c) of this section, a domestic insurer that is not a member of a holding company system, an article 16 system, or an article 17 system also shall adopt such a formal enterprise risk management function. The enterprise risk management function shall be appropriate for the nature, scale, and complexity of the risk and shall adhere to the following, as relevant:

(1) have an objective enterprise risk management function headed by an appropriately experienced individual with the requisite authority and who has access to the board of directors, or if there is no board of directors, then the governing body, and senior management;

(2) have a written risk policy adopted by the respective board or a committee thereof, or if there is no board of directors, then the governing body, that delineates the insurer's, holding company system's, article 16 system's, or article 17 system's risk/reward framework, risk tolerance levels, and risk limits;

(3) provide a process for the identification and measurement of risk under a sufficiently wide range of outcomes using techniques that are appropriate to the nature, scale, and complexity of the risks the insurer, holding company system, article 16 system, or article 17 system bears and are adequate for capital management and solvency purposes;

(4) have a process of risk identification and measurement supported by documentation that provides appropriately detailed descriptions and explanations of risks identified, the measurement approaches used, key assumptions made, and outcomes of any plausible adverse scenarios that were run;

(5) use prospective solvency assessments, including scenario analysis and stress testing;

(6) incorporate risk tolerance levels and limits in the policies and procedures, business strategy, and day-to-day strategic decision-making processes;

(7) consider a risk and capital management process to monitor the level of financial resources relative to economic capital and regulatory capital requirements;

(8) incorporate investment policy, asset-liability management policy, effective controls on internal models, longer-term continuity analysis, and feedback loops to update and improve the enterprise risk management function continuously;

(9) address all reasonably foreseeable and relevant material risks including, as applicable, insurance, cybersecurity, climate change, epidemic, pandemic, underwriting, asset-liability matching, credit, market, operational, reputational, liquidity, and any other significant risks;

(10) include an assessment that identifies the relationship between risk management and the level and quality of financial resources necessary as determined with quantitative and qualitative metrics; and

(11) identify, quantify, and manage any risks to which the insurer may be exposed by transactions or affiliations with any other member of the holding company system, article 16 system, or article 17 system of which the insurer is a member.

(b)(1) Pursuant to Insurance Law sections 1503(b), 1604(b), and 1717(b), an entity shall file electronically a confidential enterprise risk report with the superintendent by April 30 of each year and shall, to the best of such entity's knowledge and belief, identify therein the material risks within the holding company system, article 16 system, or article 17 system that could pose enterprise risk to the insurer. Except as provided in subdivision (c) of this section, a domestic insurer that is not a member of a holding company system, an article 16 system, or an article 17 system shall file electronically such a confidential enterprise risk report with the superintendent by April 30th of each year.

(2) The report required to be filed by paragraph (1) of this subdivision shall describe the entity's or domestic insurer's enterprise risk management function, including its risk culture and governance; risk identification and prioritization; risk appetite, tolerances, and limits; risk management and controls; and risk reporting and communication. The report also shall provide information regarding the following areas that could produce enterprise risk, provided that the information has not already been disclosed in a registration statement filed pursuant to Insurance Law sections 1503(a), 1604(a), or 1717(a) during the prior 12 months:

(i) any material developments regarding strategy, internal audit findings, compliance or risk management affecting the insurer, holding company system, article 16 system, or article 17 system;

(ii) any acquisition or disposal of insurance entities and reallocation of existing financial or insurance entities with regard to the insurer, holding company system, article 16 system, or article 17 system;

(iii) any changes in the shareholders of the insurer, holding company system, article 16 system, or article 17 system exceeding ten percent or more of voting securities;

(iv) developments in any investigations, regulatory activities, or litigation that could have a significant bearing or impact on the insurer, holding company system, article 16 system, or article 17 system;

(v) the business plan of the insurer, holding company system, article 16 system, or article 17 system, and a summary of the insurer's or system's strategies for the next 12 months;

(vi) the identification of any material concerns regarding the insurer, holding company system, article 16 system, or article 17 system by a supervisory college, if any, held during the last year;

(vii) the identification of capital resources and material distribution patterns with regard to the insurer, holding company system, article 16 system, or article 17 system;

(viii) the identification of any negative movement, or any discussions with nationally recognized statistical rating organizations, that may have caused, or may cause, potential negative movement in the credit ratings and individual insurer financial strength ratings assessment of the insurer, holding company system, article 16 system, or article 17 system (including both the rating and outlook);

(ix) information on any corporate or parental guarantees throughout the holding company system, article 16 system, or article 17 system, and the expected source of liquidity should the guarantees be called upon; and

(x) the identification of any material activity or development of the insurer, holding company system, article 16 system, or article 17 system that, in the opinion of senior management, could adversely affect the insurer, holding company system, article 16 system, or article 17 system.

(3) The report required to be filed pursuant to paragraph (1) of this subdivision shall include:

(i) with regard to an entity, a signature of the entity's chief risk officer or other executive having responsibility for the oversight of the enterprise risk management function attesting to the best of his or her knowledge and belief that the report identifies any material risks within the holding company system, article 16 system, or article 17 system that could pose enterprise risk to any insurer within the system, and that a copy of the report has been provided to the entity's board of directors or the appropriate committee thereof, or if there is no board of directors, then to the entity's governing body; or

(ii) with regard to a domestic insurer, a signature of the domestic insurer's chief risk officer or other executive having responsibility for the oversight of the enterprise risk management function attesting to the best of his or her knowledge and belief that the report identifies any material risks within the domestic insurer that could pose enterprise risk to the domestic insurer, and that a copy of the report has been provided to the domestic insurer's board of directors or the appropriate committee thereof, or if there is no board of directors, then to the insurer's governing body.

(4) The entity or domestic insurer required to file a report pursuant to paragraph (1) of this subdivision may attach the appropriate form most recently filed with the United States Securities and Exchange Commission, provided that such entity or domestic insurer includes specific references to those areas listed in paragraph (2) of this subdivision for which the form provides responsive information. If the entity is not domiciled in the United States, then it may attach its most recent public audited financial statement filed in its country of domicile, provided that the entity includes specific references to those areas listed in paragraph (2) of this subdivision for which the financial statement provides responsive information.

(5) If the entity or domestic insurer required to file a report pursuant to paragraph (1) of this subdivision has not disclosed any information pursuant to paragraph (2) of this subdivision, then such entity or domestic insurer shall include a statement affirming that, to the best of its knowledge and belief, it has not identified enterprise risk subject to disclosure pursuant to paragraph (2) of this subdivision.

(c) A domestic insurer shall be exempt from the requirements of this section if it is not a member of a holding company system, an article 16 system, or an article 17 system, and has annual direct written premium and unaffiliated assumed premium, including international direct and assumed premium, but excluding premiums reinsured with the Federal Crop Insurance Corporation and Federal Flood Program, of less than $500 million.

N.Y. Comp. Codes R. & Regs. Tit. 11 § 82.2
Adopted, New York State Register, Volume XXXVI, Issue 25, effective 6/25/2014
Amended New York State Register July 14, 2021/Volume XLIII, Issue 28, eff. 8/13/2021