Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the Division of Insurance (March 19, 2024)

March 19, 2024 · Division of Insurance · Read the full official report on mass.gov ↗

Published March 19, 2024 Audit covers July 1, 2021 – December 31, 2022 Under Diana DiZoglio · 2023–present

In plain English
The audit found that the Division of Insurance had problems with website accessibility and some missing or incomplete technology planning documents.
source
“Below is a summary of our findings and recommendations, with links to each page listed.”
Read the plain-English breakdown
What is this?

This is a state performance audit of the Massachusetts Division of Insurance covering July 1, 2021 through December 31, 2022.

“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Division of Insurance (DOI) for the period July 1, 2021 through December 31, 2022.”
Why was it audited?

Auditors checked whether DOI’s website met accessibility rules and whether its technology policies covered continuity, disaster recovery, incident response, and cybersecurity training.

“In this performance audit, we determined the following:”
Why it matters

If DOI’s website or emergency technology plans do not work well, residents may have trouble getting insurance information or services, especially during disruptions or emergencies.

“Without an updated business continuity plan or a disaster recovery plan, DOI cannot ensure that it has procedures for protecting information assets or a plan to recover critical operations when an interruption or disaster occurs.”
What's in it for me?

For residents, this audit is about whether people can use DOI’s online services fairly and whether the agency is prepared to keep operating when technology problems happen.

“They can also limit some users from having equitable access to critical information and key online services offered by DOI (e.g., insurance-related complaint submission).”
The bottom line

The auditor found three main issues: DOI’s website was not fully accessible, its business continuity and disaster recovery planning was lacking, and its incident response plan was incomplete.

“DOI’s website is not fully accessible for all Massachusetts residents.”
What happens next

DOI said it is working with state technology officials to update its plans and improve accessibility and language access.

“The DOI is working in conjunction with EOTSS to update its current business continuity plan in accordance with all applicable requirements and will issue it as soon as possible.”
Why it's significant

Website accessibility is not a minor technical issue: many Massachusetts adults have disabilities, so broken links or language problems can affect real access to government services.

“The impact of these standards can be significant, as the federal Centers for Disease Control and Prevention estimates that 1,348,913 adults (23% of the adult population) in Massachusetts have a disability, as of 2021.”
Jargon, unpacked

IT governance means the rules and planning an agency uses to manage technology, including backup plans, disaster recovery, security incidents, and employee cybersecurity training.

“IT governance refers to the processes that state agencies use to manage their IT resources.”

What the Auditor checked

What the Auditor found

The Division of Insurance’s website was not fully accessible because some tested webpages had broken hyperlinks and inaccurate language attributes.
recordkeeping/documentationinternal controls

Why it matters: Broken or faulty hyperlinks can make relevant information and online services harder to find, and inaccurate language attributes can prevent translation software or screen readers from presenting content correctly.

Standard: EOTSS’s Enterprise Information Technology Accessibility Policy and Web Content Accessibility Guidelines 2.1 Success Criteria 2.4.5 and 3.1.1. ( EOTSS’s Enterprise Information Technology Accessibility Policy; Web Content Accessibility Guidelines 2.1 Success Criterion 2.4.5 Multiple Ways (Level AA); Web Content Accessibility Guidelines 2.1 Success Criterion 3.1.1 Language of Page (Level A) )

2 recommendations
  • DOI should review its webpages to ensure that all hyperlinks lead to related information to provide equitable access to critical information and services offered online by DOI to all Commonwealth residents.agency: agreed
  • DOI should review web content that appears in other languages to ensure that the pages have accurate language attributes to facilitate effective translation and provide a user experience that is inclusive to all Commonwealth residents.
Agency response & Auditor reply
Agency: "The DOI agrees that continuous review of our website is important."
Auditor: "Based on its response, DOI has taken measures to address our concerns on this matter."
The Division of Insurance did not update its business continuity plan and did not have a disaster recovery plan.
cybersecurityinternal controls

Why it matters: DOI cannot ensure that it has procedures to protect information assets or recover critical operations when an interruption or disaster occurs.

Standard: EOTSS’s Business Continuity and Disaster Recovery Standard IS.005, Sections 6.1.1.4 and 6.2.1. ( EOTSS’s Business Continuity and Disaster Recovery Standard IS.005, Section 6.1.1.4; EOTSS’s Business Continuity and Disaster Recovery Standard IS.005, Section 6.2.1 )

2 recommendations
  • DOI should update its business continuity plan annually and whenever a major organization change occurs.
  • DOI should develop and implement a disaster recovery plan.
Agency response & Auditor reply
Agency: "The DOI is working in conjunction with EOTSS to update its current business continuity plan in accordance with all applicable requirements and will issue it as soon as possible."
Auditor: "Based on its response, DOI is taking measures to address our concerns on this matter."
The Division of Insurance relied on an information security incident response plan and procedures that lacked required elements.
cybersecurityinternal controls

Why it matters: DOI cannot ensure that it takes sufficient containment measures and completes proper documentation, investigation, risk analysis, and impact analysis after a security incident.

Standard: EOTSS’s Information Security Incident Management Standard IS.009, Sections 6.5.1 and 6.5.2. ( EOTSS’s Information Security Incident Management Standard IS.009, Section 6.5.1; EOTSS’s Information Security Incident Management Standard IS.009, Section 6.5.2 )

1 recommendation
  • DOI should rely on an information security incident response plan and procedures that include all required elements.
Agency response & Auditor reply
Agency: "DOI relies on and follows the information security incident response plan and procedures adopted by the Executive Office of Economic Development (“EOED”)."
Auditor: "Based on its response, DOI is taking measures to address our concerns on this matter."

More audits of this entity

Other Office of the State Auditor reports on Division of Insurance .

See this entity's page with all 3 audits →