AI in Insurance: What Agencies Need to Know About Evolving Regulations
Key Regulations and What They Mean for Insurance Agencies
As artificial intelligence (AI) becomes a staple in the insurance industry, regulatory bodies are taking steps to ensure it doesn't lead to unfair practices, discrimination, or breaches of consumer privacy. The New York Department of Financial Services (NY DFS) and the National Association of Insurance Commissioners (NAIC) are among those leading the charge with new guidelines and regulations. Here’s what insurance agencies need to know.
NY DFS and AI Regulation
In January 2024, NY DFS issued a circular letter to gather feedback on how insurers use AI, especially in underwriting and pricing. It highlighted concerns about "unfair adverse" effects from AI and external consumer data. Here's what agencies should focus on:
- Governance and Risk Management: Agencies should ensure they have robust systems to manage AI and external consumer data, complying with all relevant laws.
- Fairness Principles: AI and external data sources should not lead to discrimination, particularly against protected classes.
- Data Validation: Agencies must use accepted standards to validate external data and confirm its accuracy and relevance to risk.
- Testing and Analysis: Regular risk assessments and testing of AI systems are essential to ensure they don’t lead to unfair or unlawful discrimination.
- Documentation: Agencies should keep detailed records of AI use, including risk management processes and testing.
The NY DFS also expects insurance agencies to maintain oversight of third-party vendors and ensure proper disclosure to consumers if AI is used in underwriting or pricing. This includes providing reasons for adverse decisions and explaining the data sources used.
23 NYCRR 500 Cybersecurity Law
Cybersecurity is another area where insurance agencies must stay vigilant. The NY DFS's amendments to its cybersecurity regulations, finalized in November 2023, require stricter measures, including:
- Annual board approval of cybersecurity policies
- Enhanced multifactor authentication
- Expanded risk assessments
- Encryption and threat detection
- Annual penetration testing
NAIC's Model Bulletin on AI
The NAIC’s Model Bulletin on AI, ratified at its 2023 Fall National Meeting, provides a framework for AI implementation in insurance. It calls for:
- Written AI Program: Agencies should develop and maintain a documented program for responsible AI use.
- Data Governance: Implement policies for data management and internal controls.
- Third-Party Oversight: Ensure third-party AI systems comply with the regulations.
- Avoiding Proxy Discrimination: Take proactive measures to ensure AI systems do not result in discriminatory outcomes.
State-by-State Variability
One challenge for insurance agencies is that not all states follow the same rules. As of April 2024 over 22 states follow the NAIC model laws for Insurance Data Security, and 8 states have adopted the NAIC guide for AI systems in insurance:
- Alaska
- Connecticut
- Illinois
- Nevada
- New Hampshire
- Rhode Island
- Vermont
- California separately issued a bulletin addressing racial bias and unfair discrimination in insurance practices.
- Colorado passed a bill regulating life insurers’ use of algorithms and predictive models and has plans for similar regulations in auto and health insurance.
- New York’s circular letter focused on AI’s potential for “unfair adverse” effects in underwriting and pricing.
Additional Compliance Challenges for Agencies
The NAIC’s new Insurance Consumer Privacy Protection Model Law #674, expected to be adopted in 2024, also suggests a stricter approach to data privacy, emphasizing the need for robust data management practices.
Insurers will need to adapt to the changing regulatory landscape to ensure compliance with stricter data privacy requirements.
The model law may establish a standard of care that insurance businesses owe their customers with respect to data privacy, regardless of whether it is adopted by all states.
The publication of Model Law #674 was anticipated for fall 2023, but its final adoption date was pushed back to sometime in 2024.
SEC Rule on Risk Management
The Securities and Exchange Commission (SEC) has implemented a rule on cybersecurity risk management for public companies, effective from September 5, 2023.
- Report material cybersecurity incidents within four business days of determining if the incident is material.
- Disclose their processes for managing cybersecurity risks
- Including the board’s oversight and management’s role in addressing these risks.
Ensuring Cybersecurity and Data Protection
As insurers adopt AI, verifying cybersecurity measures and data protections becomes critical. The NY DFS’s proposed amendments to its cybersecurity regulations highlight the need for robust cybersecurity practices. Insurers must implement risk management policies, obtain annual board approval for cybersecurity policies, and ensure that multifactor authentication and other cybersecurity measures are in place.
The NAIC’s Model Bulletin also emphasizes the importance of responsible governance and oversight. Insurers must be prepared to address potential data vulnerabilities and ensure that AI systems do not lead to discrimination or unfair outcomes.
The insurance industry’s move toward AI brings new opportunities but also new challenges. Insurance agencies must ensure they have strong governance, comply with evolving regulations, and adopt robust cybersecurity and data protection practices.
Staying informed about regulatory changes and adapting policies and procedures is crucial for Agencies to successfully navigate this evolving landscape
Walter Contreras
Walter Contreras has over 25 years of experience in information technology, including cybersecurity, with a focus on the Insurance Industry. As both a computer scientist and a graduate of the Columbia University Business School’s Executive MBA program, Walter understands how the world’s digital transformation is impacting small and medium businesses. His mission is to deploy information technology to protect and empower entrepreneurs.
