Audit of the Division of Insurance (March 19, 2024)
March 19, 2024 · Division of Insurance · Read the full official report on mass.gov ↗
source
“Below is a summary of our findings and recommendations, with links to each page listed.”
Read the plain-English breakdown
This is a state performance audit of the Massachusetts Division of Insurance covering July 1, 2021 through December 31, 2022.
“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Division of Insurance (DOI) for the period July 1, 2021 through December 31, 2022.”
Auditors checked whether DOI’s website met accessibility rules and whether its technology policies covered continuity, disaster recovery, incident response, and cybersecurity training.
“In this performance audit, we determined the following:”
If DOI’s website or emergency technology plans do not work well, residents may have trouble getting insurance information or services, especially during disruptions or emergencies.
“Without an updated business continuity plan or a disaster recovery plan, DOI cannot ensure that it has procedures for protecting information assets or a plan to recover critical operations when an interruption or disaster occurs.”
For residents, this audit is about whether people can use DOI’s online services fairly and whether the agency is prepared to keep operating when technology problems happen.
“They can also limit some users from having equitable access to critical information and key online services offered by DOI (e.g., insurance-related complaint submission).”
The auditor found three main issues: DOI’s website was not fully accessible, its business continuity and disaster recovery planning was lacking, and its incident response plan was incomplete.
“DOI’s website is not fully accessible for all Massachusetts residents.”
DOI said it is working with state technology officials to update its plans and improve accessibility and language access.
“The DOI is working in conjunction with EOTSS to update its current business continuity plan in accordance with all applicable requirements and will issue it as soon as possible.”
Website accessibility is not a minor technical issue: many Massachusetts adults have disabilities, so broken links or language problems can affect real access to government services.
“The impact of these standards can be significant, as the federal Centers for Disease Control and Prevention estimates that 1,348,913 adults (23% of the adult population) in Massachusetts have a disability, as of 2021.”
IT governance means the rules and planning an agency uses to manage technology, including backup plans, disaster recovery, security incidents, and employee cybersecurity training.
“IT governance refers to the processes that state agencies use to manage their IT resources.”
What the Auditor checked
- Did not comply Did DOI’s website meet the Executive Office of Technology Services and Security’s (EOTSS’s) Enterprise Information Technology Accessibility Policy and the Web Content Accessibility Guidelines (WCAG) 2.1 for user accessibility, keyboard accessibility, navigation accessibility, language, error identification, and color accessibility?
- Did not comply Did DOI establish information technology (IT) governance policies and procedures over business continuity and disaster recovery plans, information security incident response plan and procedures, and cybersecurity awareness training?
What the Auditor found
Why it matters: Broken or faulty hyperlinks can make relevant information and online services harder to find, and inaccurate language attributes can prevent translation software or screen readers from presenting content correctly.
Standard: EOTSS’s Enterprise Information Technology Accessibility Policy and Web Content Accessibility Guidelines 2.1 Success Criteria 2.4.5 and 3.1.1. ( EOTSS’s Enterprise Information Technology Accessibility Policy; Web Content Accessibility Guidelines 2.1 Success Criterion 2.4.5 Multiple Ways (Level AA); Web Content Accessibility Guidelines 2.1 Success Criterion 3.1.1 Language of Page (Level A) )
2 recommendations
- DOI should review its webpages to ensure that all hyperlinks lead to related information to provide equitable access to critical information and services offered online by DOI to all Commonwealth residents.agency: agreed
- DOI should review web content that appears in other languages to ensure that the pages have accurate language attributes to facilitate effective translation and provide a user experience that is inclusive to all Commonwealth residents.
Agency response & Auditor reply
Agency: "The DOI agrees that continuous review of our website is important."
Auditor: "Based on its response, DOI has taken measures to address our concerns on this matter."
Why it matters: DOI cannot ensure that it has procedures to protect information assets or recover critical operations when an interruption or disaster occurs.
Standard: EOTSS’s Business Continuity and Disaster Recovery Standard IS.005, Sections 6.1.1.4 and 6.2.1. ( EOTSS’s Business Continuity and Disaster Recovery Standard IS.005, Section 6.1.1.4; EOTSS’s Business Continuity and Disaster Recovery Standard IS.005, Section 6.2.1 )
2 recommendations
- DOI should update its business continuity plan annually and whenever a major organization change occurs.
- DOI should develop and implement a disaster recovery plan.
Agency response & Auditor reply
Agency: "The DOI is working in conjunction with EOTSS to update its current business continuity plan in accordance with all applicable requirements and will issue it as soon as possible."
Auditor: "Based on its response, DOI is taking measures to address our concerns on this matter."
Why it matters: DOI cannot ensure that it takes sufficient containment measures and completes proper documentation, investigation, risk analysis, and impact analysis after a security incident.
Standard: EOTSS’s Information Security Incident Management Standard IS.009, Sections 6.5.1 and 6.5.2. ( EOTSS’s Information Security Incident Management Standard IS.009, Section 6.5.1; EOTSS’s Information Security Incident Management Standard IS.009, Section 6.5.2 )
1 recommendation
- DOI should rely on an information security incident response plan and procedures that include all required elements.
Agency response & Auditor reply
Agency: "DOI relies on and follows the information security incident response plan and procedures adopted by the Executive Office of Economic Development (“EOED”)."
Auditor: "Based on its response, DOI is taking measures to address our concerns on this matter."
More audits of this entity
Other Office of the State Auditor reports on Division of Insurance .
-
Audit of Settlement Agreements and Confidentiality Clauses Across Multiple State Agencies - Division of Insurance (January 28, 2025)State Agency / Office · January 28, 2025 - Audit of the Division of InsuranceState Agency / Office · August 21, 2019