Encrypted Phishing Email

We received an interesting phishing email attack this weekend – something I had never seen before.  One of the property managers at our building sent a number of us at NCIGF an encrypted email with the subject line: “New Message from your email contact  9801210”.  The body of the email contained an encrypted email message with a link to click to get the message – very standard stuff.  Looking at the link, it went to a microsoft.com domain that prompted you to enter your credentials.  The good news is that no one here did that, primarily thanks to the quarterly cyber training and monthly phishing tests.  Presumably, the phishing attack was either an attempt to harvest credentials (username and password) or – and this is the theory I find more plausible – the encrypted email, once decrypted, contained some kind of malware/virus payload.  We don’t know for sure because by the time we started doing analysis, the initial “open message” link redirected to “page not found”.

We reached out to the sender this morning and they confirmed their email had been compromised over the weekend.

I’ve never seen a legitimately encrypted email be used as a vector for phishing.  While we do communicate to the building manager via email from time to time, we’ve never had cause to send PII.  No one in the office was expecting documents or messages from the building that would necessitate encryption.  This is a clever attack because it hijacks the notion that encryption=safe.  That said, if you receive an encrypted email from someone out of the blue, it’s always a good policy to be skeptical.  Reach out to the sender by phone (not email!) and verify that they sent it.

I’ve included a screenshot of the email in question with names redacted to protect the guilty.

 

Company Division Statutes Gain Steam in the States

Company Division Statutes, also known as restructuring statutes or business transfer mechanisms, are gaining steam in the state legislatures. These are statutes that permit an ongoing insurance company to divest itself of certain liabilities, along with a calculated amount of assets, and relinquish any ongoing responsibility for this business. The business divested would be put into an existing or newly created insurance company. The statutes proposed typically call for a plan to be filed with and approved by the state’s commissioner of insurance. Sometimes review and approval by the court is also required. Requirements for notice to policyholders vary from state to state. The most current proposals do not limit lines of business that can be subject to divisions. Hence, types of insurance such as personal lines, workers compensation and long-term care could be involved.

This concept began to take shape many years ago when Rhode Island adopted Chapter 14.5 of its insurance code known as “Voluntary Restructuring of Solvent Insurers.”  The mechanism was narrowly crafted and applies to “insuring of any line(s) of business other than life, workers’ compensation, and personal lines insurance.”  (See RI Statute s. 27-14.5-1(6)).

Pennsylvania also had a related law (PA Bus Corp. Law § 1951 (repealed)) that provided for division of a solvent company. The statute was used most notably in 1996 by Cigna to divide the business of its Insurance Company of North America (“INA”) unit.  The newly formed entity, known as Brandywine, assumed certain run‐off blocks of business while INA continued to write new business. The law has since been repealed and replaced with the more generalized Associations Transaction Act (15 Pa.C.S.A. § 361) though its application to insurance policyholders is unclear.

In 2014, Vermont passed its Legacy Insurance Management Act (LIMA). According to the RunOff Re.Solve website (runoffresolve.com), LIMA allows a non-admitted insurer to transfer its discontinued commercial business to a third‐party company.  Such a division would require approval from the Vermont regulator, but the law does not mandate court approval. Personal lines coverages are excluded and policyholders can opt out of the transfer process.

Most recently, a litany of division statutes have been proposed in the following states and have progressed in the 2017 and 2018 sessions.  The current status of the proposals in these states is as follows:

Connecticut:  Division statute enacted in 2017

Georgia: Passed both houses and recently vetoed by the governor.

Illinois:  Division statute enacted in 2018.

Iowa: “Study” bill floated in 2018.

Oklahoma:  Division statute enacted May 2018.

Michigan:  Enacted in late 2018

Nebraska:  Proposal introduced in 2019

Again, these most recent proposals are not limited to certain lines of business nor is policyholder approval required. Whether there is guaranty fund coverage for the divided entity is also an issue of concern.  The NCIGF will be monitoring the issue closely and providing updates as things develop.

For additional details on division statutes please go to https://www.ncigf.org/library/ and search for “division.”

UDS 3.0 – JSON Based Layout

The UDS TSG seems poised to take up the task of revising the existing UDS standard. For those not familiar with the layout of UDS, the files are fixed-width, position-delimited files, like you’d typically find on old mainframe-type systems. They are not easy to work with and virtually impossible to modify. It’s not a stretch to say that the process of modifying a UDS file is nearly as complicated as completely revamping the standard because each row in a UDS file is a fixed length. Adding an additional field or increasing the length of a data element “breaks” any existing validation processes. Not only that, but any data that is longer than the spec allows gets lost/truncated. If a field is 30 characters long, but the data you want to put into it is 65 characters long, you’re going to lose 35 characters. There’s simply not a place for this data to go. The structure also has the unintended consequence of making UDS files virtually impossible to read and understand without a program to parse them for you.

Here’s a dummy A record we created for automated testing of the UDS Data Mapper:

HEADER02 55555AIN01IN99210201205082012050820120508P&CN 
A55555IN99135005111111 1234567 Joe Blow foo 3829 Coconut Palm Drive Indianapolis IN46201000020090622200805012010011800001Blow Joe 285 Fishpond Road Chicago IL606010000S12345678910000001200098+ 8UU 309 19990304 N 90 28 UBale of rags fell on employee, knocking her down,landing on top UU
A55555IN99105010222222 1234568 John Smith foo 3829 Coconut Palm Drive Indianapolis IN46201000020090622200805012010011800001Smith John 2709 Rifle Range Rd Chicago IL606010000S98765432110000001200098+ 8UU 309 19990304 N 90 28 UBale of rags fell on employee, knocking her down,landing on top UU
A55555IN99105010333333 1234569 Ralph Steadman foo 129 E Springbrook Dr Indianapolis IN46201000020090604200805012010011800001Steadman Ralph 285 Fishpond Road Chicago IL606010000S23456789010000001200098+ 8UU 312 19990304 N 61 52 UClmt stacking 2330 lb boxes up to the ceiling and felt pain in UU
A55555IN99105010444444 1234560 Bob Dylan foo 511 Benjamin Way Suite 113 Indianapolis IN46201000020090604200805012010011800001Dylan Bob 204 Nelsay Street Chicago IL606010000S34567890110000001200098+ 8UU 329 19990304 N 42 52 UCart ledged on trailer, while pulling on it, pulled musle in bac UU
A55555IN99105010555555 1234561 Django Rheinhart foo 511 Benjamin Way Suite 112 Indianapolis IN46201000020090606200805012010011800001Rheinhart Django 4403 Davidson Road Chicago IL606010000S45678901210000001200098+ 8UU 329 19990304 N 35 10 UWhile unloading trailer, a cart became loaded while attempting t UU
TRAILER 55555AIN01IN99210201205082012050820120508P&C00000000500000006000490+

Even knowing the UDS spec, it’s hard to tell what’s going on here. You really need a piece of software to break up the elements and tell you what’s what. Now, let’s contrast this with how this file might be represented in JSON:

{
  "record_type": "A", 
  "naic_number": 12345,
  "fund_location": "IN",
  "fund_type": 10,
  "date": 20190214,
  "coverage_code": [965005, 965010], //array of coverages
  "insolvent_company_claim_num": 123456789,
  "receiver_claim_number": 88888888,
  "insured":{ //insured structure encapsulates all the insured info in one place
    "name": "Bob Smith",
    "phone_number": 3175551212,
    "insured_address": {
       "street_address": "1234 Fake St.",
       "city": "Indianapolis",
       "state": "IN",
       "zip": 46202
    }
  },
  "policy_number": 99999999999,
  "date_of_loss": 20190101,
  "policy_effective_date": 20190101,
  "policy_expiration_date": 20191201,
  "claimants": [ //this is an array of claimants - no more counting claimants!  
  {
    "name": "Ralph Steadman",
    "claimant_address":{
      "street_address": "1234 Vegas St.",
      "city": "Indianapolis",
      "state": "IN",
      "zip": 46202,
      "birth_date": 20000101,
      "ssn": 1234567789,
      "coverages": [965005]
      }
  }, 
  {
    "name": "Inigo Montoya",
    "claimant_address":{
      "street_address": "1234 Princess St.",
      "city": "Indianapolis",
      "state": "IN",
      "zip": 46202,
      "birth_date": 19900101,
      "ssn": 1234567789,
      "coverages": [965005, 965010]
      }
  },
  {
    "name": "Robert Zimmerman",
    "claimant_address":{
      "street_address": "1234 Desolation Row",
      "city": "Indianapolis",
      "state": "IN",
      "zip": 46202,
      "birth_date": 19900101,
      "ssn": 1234567789,
      "coverages": [965010]
      }
  }
  ],
  "claim_reported_date": 20190130,
  "transaction_code": 123,
  "transaction_amount": -12345.00,
  "catastrophic_loss_code": 1234,
  "recovery_indicator_code": 88888,
  "pending_litigation": "Yes",
  "second_injury_fund_indicator": "N/A",
  "tpa_claim_number": 11111111,
  "issuing_company_code": null,
  "wcio_data": {  //struct for encapsulating all the WCIO data in one location
    "injury_code": null,
    "part_of_body": null,
    "nature_of_injury": null,
    "cause": null,
    "act": null,
    "type_of_loss": null,
    "recovery": null,
    "coverage": null,
    "settlement": null,
    "vocational_rehab": null
  },
  "wcab_number": null,
  "employer_phone": 3195551212,
  "miscellanea": {
    "cell_phone_number": 123456789,
    "bank_info": "Chase",
    "maiden_name": "Karamazov",
    "location_of_goonie_treasure": "-77.0364,38.8951",
    "tpa_name": "Pat Nat",
    "tpa_location": "Florida"
  },
  "description_of_injury": "Lorem ipsum dolor sit amet, blandit persecuti eu cum, ne usu magna delicata consulatu. Elitr aperiam aliquid at eam, eu integre tractatos pro, ut diam debitis eos. Pro sint nobis vitae cu. Atqui lucilius iudicabit qui in.\n\nIn verear vituperata mea, sea ea aperiri vulputate. Dicat accusata inciderint cum te, brute euismod iudicabit vim et. Id quodsi disputationi cum, et adipiscing incorrupte per. Ancillae detraxit in eum, usu exerci dicunt ex, bonorum appetere democritum nam an.\n\nEx zril cotidieque has, eum ex vero legimus, nam iudicabit instructior eu. Ei sed altera suscipiantur, ubique noster an sed. Mei ne putant nostrum, et has causae eripuit. Sale graece antiopam ea mel. Cu verear habemus dignissim duo, ei omnes tibique mei.\n\nPosse sonet qui ea, at nihil utinam maluisset sit. Nam posse intellegat ex, utamur probatus aliquando et per, mea oratio adolescens no. Mazim omnesque accusata eu has, ei quidam percipit interpretaris nam. Eius principes consequat no nec, graeci vivendo an sit, eum diam debitis explicari ut. His sint postea minimum ne. In modo alienum nec, mel sapientem forensibus te, ut audiam conclusionemque has.\n\nDoctus efficiendi per ei, duo ad altera tractatos urbanitas, sed posse viris erroribus id. Ea saepe omittam iracundia mel. Nec ex facer neglegentur, in has quot verterem voluptatibus. Vim purto menandri et. Sed oporteat sententiae at, at omnis nominavi nec, nam purto habemus ne. Sed laboramus instructior voluptatibus ad."
}

That’s a lot clearer. Everything is defined for you in a series of name/value pairs, so you know what data are what. It’s also not limited by length, so the full accident description and other fields that are typically longer than the UDS spec contemplates don’t get lost. Also, we’re able to encapsulate data that goes together: all the claimant data is in one block, addresses are consistently represented irrespective of whose address it is, and data are nested instead of denormalized. Finally, perhaps the most exciting feature is that there’s a section for miscellaneous data not contemplated by the spec. Virtually anything can be added in there and it won’t break the spec. If you want it, it’s there. And if not, it can be ignored.
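The fixed-width truncation and broken-validation problems described earlier, and the free-form miscellanea section described above, worked through in Python as an added example (not NCIGF's or the UDS Data Mapper's code). The three-field layouts, their widths, the function names and the sample record are hypothetical and are not the real UDS positions.

```python
import json

# Hypothetical three-field layouts for illustration only; the names and widths
# are assumptions, not the real UDS A-record positions.
LAYOUT_V1 = [("record_type", 1), ("claim_number", 10), ("description", 30)]
LAYOUT_V2 = [("record_type", 1), ("claim_number", 10), ("description", 65)]
CORE_FIELDS = {name for name, _ in LAYOUT_V1}

# Constructed sample record; the description is exactly 65 characters.
SAMPLE = {
    "record_type": "A",
    "claim_number": "1234567",
    "description": "Bale of rags fell on employee, knocking her down, landing on top.",
}


def pack_fixed(record, layout):
    """Build one fixed-width row; return (row, {field: characters lost})."""
    parts, lost = [], {}
    for name, width in layout:
        value = str(record.get(name, ""))
        if len(value) > width:
            lost[name] = len(value) - width  # silently dropped by the slice below
        parts.append(value[:width].ljust(width))
    return "".join(parts), lost


def parse_fixed(row, layout):
    """Split a row by position; a row of any other length fails validation."""
    expected = sum(width for _, width in layout)
    if len(row) != expected:
        raise ValueError(f"row is {len(row)} chars, layout expects {expected}")
    fields, pos = {}, 0
    for name, width in layout:
        fields[name] = row[pos:pos + width].rstrip()
        pos += width
    return fields


def _no_duplicates(pairs):
    """Reject repeated keys, which json.loads would otherwise resolve silently."""
    keys = [key for key, _ in pairs]
    if len(keys) != len(set(keys)):
        raise ValueError("duplicate key in JSON object")
    return dict(pairs)


def parse_json_record(text):
    """Parse a JSON record: core fields are required, 'miscellanea' is free-form."""
    record = json.loads(text, object_pairs_hook=_no_duplicates)
    if not isinstance(record, dict):
        raise ValueError("record must be a JSON object")
    missing = CORE_FIELDS - set(record)
    unknown = set(record) - CORE_FIELDS - {"miscellanea"}
    if missing or unknown:
        raise ValueError(f"missing={sorted(missing)} unknown={sorted(unknown)}")
    if not isinstance(record.get("miscellanea", {}), dict):
        raise ValueError("'miscellanea' must be an object")
    return record


def compare_formats():
    """Run the same record through both formats and report what survives."""
    row_v1, lost = pack_fixed(SAMPLE, LAYOUT_V1)
    row_v2, _ = pack_fixed(SAMPLE, LAYOUT_V2)
    try:
        parse_fixed(row_v2, LAYOUT_V1)  # an old consumer reading a widened row
        old_parser_accepts_v2 = True
    except ValueError:
        old_parser_accepts_v2 = False
    as_json = json.dumps({**SAMPLE, "miscellanea": {"tpa_name": "Pat Nat"}})
    return {
        "chars_lost": lost,
        "fixed_description": parse_fixed(row_v1, LAYOUT_V1)["description"],
        "old_parser_accepts_v2": old_parser_accepts_v2,
        "json_description": parse_json_record(as_json)["description"],
    }


if __name__ == "__main__":
    for key, value in compare_formats().items():
        print(f"{key}: {value}")
```

The parser is strict about the core fields and duplicate keys while leaving the contents of "miscellanea" open, so extra data can travel with a record without weakening validation of the fields consumers rely on.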

This is a clear win over the existing spec. I know adoption won’t be easy – all the funds and liquidators will have to change their systems. But I think the improvements are worth the investment. UDS, in its current incarnation (fixed files) is over 20 years old. It’s in dire need of a facelift.

New Year, New Faces

We will see several new commissioners across the country in 2019.  Here is a high-level summary of the commissioner changes, followed by a listing of the NAIC committee leadership for 2019. 

New Commissioners:

Arizona: Arizona’s Keith Schraad appears to have received a full-blown appointment as Director of Insurance (he had been interim director).  Schraad has over 25 years of both private‐ and public‐sector experience in the areas of insurance, healthcare, technology and government.

California: Commissioner Ricardo Lara won a close race against a well-funded former commissioner. Commissioner Lara has noted that his priority is “protecting consumers, patients, hard-working families, seniors, and the most vulnerable communities in [California].”

Colorado: Michael Conway, who had been serving as Interim Commissioner, has been appointed Commissioner of Colorado. Conway has extensive regulator experience; he served as the Deputy Commissioner of Insurance for Consumer and Compliance Services prior to taking the Commissioner role.

Georgia: Former Department Chief of Staff Jim Beck narrowly defeated insurance industry veteran Janice Laws. Beck has already prioritized fighting insurance fraud against seniors and bringing stability to auto insurance rates during his time as Commissioner.

Kansas: State Senator Vicki Schmidt was elected Insurance Commissioner.  As a State Senator, Schmidt served as Chair of the Senate Public Health and Welfare Committee. With substantial experience as a pharmacist, coupled with her legislative leadership background, Commissioner-elect Schmidt will bring a unique perspective and expertise to the NAIC.

Michigan: Anita Fox, a lawyer with over 30 years of experience, has been appointed Director of the Department of Insurance and Financial Services. 

Minnesota: Governor Walz has nominated former state Senator Steve Kelley as Commissioner of the Department of Commerce. Kelley was most recently a Senior Fellow at the Humphrey School of Public Affairs, University of Minnesota.

New York: Governor Andrew Cuomo has formally nominated Linda Lacewell to be the new Superintendent of the New York DFS. Lacewell, a former prosecutor, currently serves as Cuomo’s Chief of Staff and has been with his office in various capacities since 2007. 

Oklahoma: Glen Mulready was elected as Commissioner of the Oklahoma Department.  Mulready has chaired Oklahoma’s House Insurance Committee and was active at the National Conference of Insurance Legislators. He also has industry experience as a producer, so he hits the ground running. Mulready has announced Tyler Laughlin, a senior staffer with former Commissioner Doak, as his Chief of Staff, helping to ensure continuity in the transition.

Wisconsin: Mark Afable, an American Family executive, has been appointed Insurance Commissioner. Afable has voiced a desire to tackle the availability and affordability of health insurance once his term begins.

In Connecticut and Illinois, commissioner seats remain open under new administrations as of mid-January.  The Nevada governor-elect’s transition has not made any announcements regarding future leadership of its department.

The NAIC has announced committee leadership for 2019:

Life Insurance and Annuities (A) Committee
Chair: Doug Ommen, Commissioner, Iowa Insurance Division
Vice Chair: Stephen C. Taylor, Commissioner, District of Columbia Department of Insurance, Securities and Banking

Health Insurance and Managed Care (B) Committee
Chair: Jessica Altman, Commissioner, Pennsylvania Insurance Department
Vice Chair: Lori K. Wing-Heier, Director, Alaska Department of Commerce, Community and Economic Development, Division of Insurance

Property and Casualty Insurance (C) Committee
Chair: Elizabeth Kelleher Dwyer, Superintendent, State of Rhode Island Department of Business Regulation, Division of Insurance
Vice Chair: Scott A. White, Commissioner, Virginia State Corporation Commission Bureau of Insurance

Market Regulation and Consumer Affairs (D) Committee
Chair: Chlora Lindley-Myers, Director, Missouri Department of Insurance, Financial Institutions and Professional Registration
Vice Chair: Allen W. Kerr, Commissioner, Arkansas Insurance Department

Financial Condition (E) Committee
Chair: David Altmaier, Commissioner, Florida Office of Insurance Regulation 
Vice Chair: Tom Glause, Commissioner, Wyoming Insurance Department

Financial Regulation Standards and Accreditation (F) Committee
Chair: Todd E. Kiser, Commissioner, Utah Insurance Department 
Vice Chair: Jillian Froment, Director, Ohio Department of Insurance

International Insurance Relations (G) Committee
Chair: Julie Mix McPeak, Commissioner, Tennessee Department of Commerce and Insurance
Vice Chair: Gary Anderson, Commissioner, Massachusetts Office of Consumer Affairs and Business Regulation Division of Insurance

NCIGF CEO ELECTED CHAIR OF GLOBAL POLICYHOLDER PROTECTION GROUP

INDIANAPOLIS, IN, January 14, 2019 – Roger H. Schmelzer, president of the National Conference of Insurance Guaranty Funds (NCIGF), has been selected to serve as chairman of the International Forum of Insurance Guarantee Schemes (IFIGS). 

Schmelzer, along with Peter Gallanis, president of the National Organization of Life and Health Insurance Guaranty Associations (NOLHGA), NCIGF’s life and health counterpart, together have represented the United States as members of IFIGS since 2012.

Schmelzer, who has led the NCIGF since 2006, will be joined on the IFIGS Management and Support Committees by representatives from Canada, Chinese Taipei, Germany, Greece, Korea, Kenya, Romania, Singapore, Spain, Thailand and the United Kingdom.  He has served as IFIGS secretary for the past year.

“Insurance customers, industry and the economy are best-served when the insurance promise is secured,” said Schmelzer upon his election. “I’m enthusiastic about working with our global partners to further advance that objective.”

IFIGS facilitates and promotes international cooperation between insurance guarantee schemes and other stakeholder organizations with an interest in policyholder protection. The IFIGS is made up of 25 full and associate members, 22 of which are Insurance Guarantee Schemes (IGS) from Africa, Asia, Europe and North America. There are more than 30 IGS worldwide.

IGS protect policyholders of insurance companies that fail. Many IGS provide expertise in stabilization or restructuring resolutions, and all IGS can provide expertise and some form of insurance protection and/or financial support to assist in the liquidation of an insolvent insurer.

An international platform will elevate the U.S. guaranty system’s value to domestic solvency regulators, according to Schmelzer. “This is timely because the NAIC is undertaking its own initiatives that could affect the U.S. system,” he said.  “The broader our expertise, the more impactful we can be on behalf of the state guaranty funds, the carriers who belong to the state associations and most importantly to individual policyholders and claimants.”

Schmelzer noted the efforts of the NCIGF and NOLHGA as part of IFIGS have already made a difference, citing recent changes to international regulatory drafts which underscore the primacy of policyholder protection, the importance of pre-insolvency cooperation, collaboration between the guaranty system and regulators as well as clearing up any misconceptions that a guaranty association could spread financial risk.

NCIGF and NOLHGA will host the IFIGS annual conference in late 2019.

NCIGF Sees Progress at NAIC on LD and Troubled Co Regulation

NCIGF closed out 2018 on a very high note.  Regulators adopted very positive recommendations governing large deductible insolvencies, including that states be encouraged to adopt statutes that grant the receiver the authority to collect deductible recoveries.  If no statute is in place receivers are encouraged to execute an agreement with the guaranty funds to enable this process.  The Working Group noted that two large deductible model statutes are available – the NAIC and the NCIGF versions. 

While the issue is not quite wrapped up (NCIGF will be involved in continued discussions regarding the ultimate ownership of the deductible asset and the drafting of specific language for the Receivers Handbook) this progress is attributable to the hard work of a number of our members.

Likewise, financial regulators invited NCIGF and NOLHGA to comment on the NAIC Troubled Company Handbook.  Our comments were supportive (and included some fine-tuning based on member liquidation experience) because the proposed revisions to the Handbook would improve guidance to regulators on issues NCIGF members have found especially challenging:

  • early communication with guaranty funds and pre-liquidation planning,
  • regulator attention to the condition and availability of digital data in a troubled company,
  • info on service arrangements (TPAs and MGAs),
  • gathering information on the type and location of collateral, such as that intended to secure large deductible obligations  

Especially impressive is the attention given to the importance of digital data in contemporary insolvencies.  There now appears to be universal agreement that this is a very critical element to a successful liquidation process and key to the collaboration between guaranty funds and receivers.

To be successful, NCIGF served as the “trusted expert” and the definitive source of information on insurance insolvency and its consequences. As a result, we have enjoyed great cooperation from regulators on these issues, both of which matter on a daily basis to NCIGF members and the policyholders you serve. We will build on these developments in the coming year!

NAIC Chief Endorses Web of Trust

I recently received a report from an international insurance regulatory meeting in which U.S. insurance commissioners were participating.  The urgency and assertiveness of our regulators hit me like a ton of bricks.

NAIC president Eric Cioppa, the Maine director of insurance, opined that cybersecurity regulation cannot be prescriptive, but instead must be principles based because it is too hard for the supervisors to keep pace with industry. First, cybersecurity engagement must come from the very top of the company. A culture that prioritizes cybersecurity is critical due to the weakest link phenomenon. Second, an insurer must focus on total preparedness for when a breach occurs. Without engaging in table topping, a breach could be devastating to the company. The supervisors are not looking to second guess a company’s program, but are trying to focus on broad cybersecurity themes.

As we continue to push forward in implementing the Web of Trust, it’s not for nothing to understand how U.S. regulators are approaching the same problems at an industry level and to recognize that it’s not all that different from the work we have been doing and are prepared to do more of.  Given that our members’ claims-paying function is an extension of the insurance industry, what regulators think on the topic should very much matter to us. 

In my view the reasoning transfers to NCIGF’s role in making certain that our members are at the most effective level of cyber security; if regulators can require carriers to “open their kimonos” as part of their consumer protection mission when a company is in business, we should be doing the same on security, also for the purpose of protecting policyholders and claimants. Our goals are even more narrow than the regulator’s.

Beyond the cybersecurity piece, the report should provide a flavor for the scope of discussions at the IAIS and the active role U.S. regulators are playing in it.  This is a global version of the NAIC (and as Keith Bell reminds us, the NAIC actually created the IAIS).  I point this out because while some of our colleagues continue to digest the “international” aspect of insurance regulation and its application to the U.S., this report gives a tiny peek into its tangibility, importance and durability. 

NCIGF Launches Updated Web Site

I’m pleased to announce that we’ve completed our reorganization and update of the public facing web site.  We’ve taken pains to preserve all of the existing content, but organized in a clearer way with a robust search functionality.  There are a couple of new features I’d like to point out:

  • Search.  There’s a search bar on the menu to the right.  If you’re looking for something in the menu structure and can’t find it, search is the place to go.  In fact, I’d recommend starting there first.  
  • Events.  We’ve changed how events are organized and added more information to individual events.
  • Laws & Law Summaries.  These are organized in a searchable, sortable table format.
  • The Library.  The old site had a number of Word, PDF and Excel files in different places.  We’ve tried to organize all the existing documents into one sortable, searchable list.

We hope you like the new look and organization of the site.  That said, I know there are things we’ve missed or overlooked.  There might be a broken link or two, or language that needs some wordsmithing.  Going through the conversion process from the old site to the new was very much like seeing something new again, for the first time.  If you find things that need revision, please don’t hesitate to reach out and let me know.  

We’re also in the process of revising the Members Only site and you should expect to see those changes at the mid-point of next year. 

NCIGF Releases 4th Quarter Assessment Liability Report

By Amy Clark

The NCIGF Accounting department has released the 4th Quarter Assessment Liability Report. Download it by clicking here.

The Assessment Liability Report includes – by a statutory account of each property and casualty (P&C) guaranty fund – the maximum assessment (capacity), net assessable premium, actual and projected assessment/refund information, lines of business, recoupment provisions, assessment types, and procedures. The NCIGF publishes the Assessment Liability Report – which is compatible with the assessment reporting guideline – SSAP 35R – prior to each quarter-end to assist insurers in estimating their P&C guaranty fund assessment liabilities. Also included is a “5-year History of Assessments.”

More information about Guaranty Fund Assessment info can be found on the Assessment Liability Page.