Key Regulations and What They Mean for Insurance Agencies

As artificial intelligence (AI) becomes a staple in the insurance industry, regulatory bodies are taking steps to ensure it doesn’t lead to unfair practices, discrimination, or breaches of consumer privacy. The New York Department of Financial Services (NY DFS) and the National Association of Insurance Commissioners (NAIC) are among those leading the charge with new guidelines and regulations. Here’s what insurance agencies need to know. 

NY DFS and AI Regulation

In January 2024, NY DFS issued a circular letter to gather feedback on how insurers use AI, especially in underwriting and pricing. It highlighted concerns about “unfair adverse” effects from AI and external consumer data. Here’s what agencies should focus on: 

  • Governance and Risk Management: Agencies should ensure they have robust systems to manage AI and external consumer data, complying with all relevant laws. 
  • Fairness Principles: AI and external data sources should not lead to discrimination, particularly against protected classes. 
  • Data Validation: Agencies must use accepted standards to validate external data and confirm its accuracy and relevance to risk. 
  • Testing and Analysis: Regular risk assessments and testing of AI systems are essential to ensure they don’t lead to unfair or unlawful discrimination. 
  • Documentation: Agencies should keep detailed records of AI use, including risk management processes and testing. 

The NY DFS also expects insurance agencies to maintain oversight of third-party vendors and ensure proper disclosure to consumers if AI is used in underwriting or pricing. This includes providing reasons for adverse decisions and explaining the data sources used. 

23 NYCRR 500 Cybersecurity Law

Cybersecurity is another area where insurance agencies must stay vigilant. The NY DFS’s amendments to its cybersecurity regulations, finalized in November 2023, require stricter measures, including: 

  • Annual board approval of cybersecurity policies 
  • Enhanced multifactor authentication 
  • Expanded risk assessments 
  • Encryption and threat detection 
  • Annual penetration testing 

NAIC's Model Bulletin on AI

The NAIC’s Model Bulletin on AI, ratified at its 2023 Fall National Meeting, provides a framework for AI implementation in insurance. It calls for: 

  • Written AI Program: Agencies should develop and maintain a documented program for responsible AI use. 
  • Data Governance: Implement policies for data management and internal controls. 
  • Third-Party Oversight: Ensure third-party AI systems comply with the regulations. 
  • Avoiding Proxy Discrimination: Take proactive measures to ensure AI systems do not result in discriminatory outcomes. 

State-by-State Variability

One challenge for insurance agencies is that not all states follow the same rules. As of April 2024, over 22 states follow the NAIC model laws for Insurance Data Security, and 8 states have adopted the NAIC guide for AI systems in insurance:

  • Alaska 
  • Connecticut 
  • Illinois 
  • Nevada 
  • New Hampshire 
  • Rhode Island 
  • Vermont 
  • California separately issued a bulletin addressing racial bias and unfair discrimination in insurance practices. 
  • Colorado passed a bill regulating life insurers’ use of algorithms and predictive models and has plans for similar regulations in auto and health insurance.  
  • New York’s circular letter focused on AI’s potential for “unfair adverse” effects in underwriting and pricing. 

Additional Compliance Challenges for Agencies

The NAIC’s new Insurance Consumer Privacy Protection Model Law #674, expected to be adopted in 2024, also suggests a stricter approach to data privacy, emphasizing the need for robust data management practices. 

Insurers will need to adapt to the changing regulatory landscape to ensure compliance with stricter data privacy requirements. 

The model law may establish a standard of care that insurance businesses owe their customers with respect to data privacy, regardless of whether it is adopted by all states. 

The publication of Model Law #674 was anticipated for fall 2023, but its final adoption date was pushed back to sometime in 2024.

SEC Rule on Risk Management

The Securities and Exchange Commission (SEC) has implemented a rule on cybersecurity risk management for public companies, effective from September 5, 2023. Under the rule, public companies must:

  • Report material cybersecurity incidents within four business days of determining that the incident is material.
  • Disclose their processes for managing cybersecurity risks, including the board’s oversight and management’s role in addressing these risks.

Next Steps for Agencies

The insurance industry’s move toward AI brings new opportunities but also new challenges. It’s crucial for insurance agencies to ensure they have strong governance, comply with evolving regulations, and adopt robust cybersecurity and data protection practices. 

Currently, agencies should adopt AI cautiously and be highly selective about the information shared with AI applications. Client data and personally identifiable information—such as names, policy information, and pricing details—should not be used within AI applications at this time. Public AI applications should not be used for underwriting or policy decisions without adequate data governance, risk management systems, and thorough testing to prevent biases or discriminatory outcomes. 

Agencies should also consider discussing AI usage policies with their employees and consult with IT providers about the options for restricting or removing access to AI applications until proper governance is established. While AI can be a valuable tool, it is still in its early stages, and governance is being developed through state and federal guidance. It’s important to consider a wide range of information and data points before deciding to implement AI in your agency. 
