GAO examiners voiced concern over the fact that among the state regulators they spoke to one had no backup computer systems, one had no business continuity plans, and one had neither.

Current federal and state regulations, as well as NAIC examination guidelines, require insurers to have information security programs and business continuity plans but do not require minimum recovery times, GAO noted.

In its report, GAO officials "suggested" the NAIC act on its decision to have more frequent independent testing of its information security environment.

Further, the GAO said, state regulators, as they review the adequacy of their examination processes, consider whether changes are needed for content examination and structure related to business continuity, recovery time objectives and outsourcing.

The report said that while a disruption to a large insurer could potentially affect millions of policyholders, "any effects would likely not spread throughout the insurance sector because of limited interdependencies among insurers and, unlike the securities markets, the lack of a single point through which insurance transactions must pass."

The report also said that while state insurance regulators and the NAIC provide important services to consumers and insurers, "such services are generally not time sensitive and a disruption of one or two weeks would not have a significant effect."

For insurers, these actions typically included establishing geographically dispersed backup sites and conducting critical operations at multiple geographically dispersed facilities.

Among property-casualty and life insurers, the highest priority was generally to recover investment and cash management functions, while among health insurers it was customer service and claims processing, GAO said.

Most insurers said they could recover their highest priority operations within one day, and most other operations within three days.

Regarding its concerns about NAIC policies, GAO said that state insurance examinations review information security and business continuity as part of the larger objective of reviewing insurers' internal controls and insurer solvency, but do not require insurers to meet specific recovery objectives.

While state regulators stated they had informal expectations that insurers would recover certain critical operations, such as claims processing, within two days after a disruption, "half of the insurers GAO spoke with had set recovery goals for their claims processing operations that would appear not to meet these expectations."

The GAO also said that it is not clear whether current examination guidelines and practices adequately address the trend among insurers to outsource certain functions, especially information technology functions.

"For example," the report said, "some of the insurers GAO spoke with were outsourcing their computer system backup functions or portions of their claims-processing operations, but only one of the regulators said they had ever conducted audit work at such a service provider."