This is a tooltip for the edit command button
John E. Hintz, Esq.
Quarles & Brady LLP


The National Association of Insurance Commissioners (NAIC) adopted the Corporate Governance Annual Disclosure (CGAD) model act and regulation after a study that compared existing governance requirements for U.S. insurers with established best practices, international standards, and U.S. regulatory needs. The models became a required element for a state to maintain NAIC accreditation effective in 2020.  

 The NAIC study showed that corporate governance practices - the internal policies and procedures of an entity or group that set up a governance structure and provide oversight and accountability within that structure [1] - play a key role in maintaining solvency. For example, the International Association of Insurance Supervisors adopted principles and guidance related to corporate governance, and the 2010 Financial Sector Assessment Program [2] review of the U.S. financial sector and the 2013 Federal Insurance Office Insurance Modernization Report included recommendations for U.S. regulators regarding corporate governance matters.

 With the move to risk-focused financial examinations, regulators began to collect a significant amount of information on corporate governance practices. However, those examinations usually occur only once every three to five years, and the CGAD allows regulators to monitor changes in such practices between onsite examinations. Upon adoption of the model act by a state, [3] the holding company system of each insurer domiciled or licensed in the state [4] must submit a CGAD to its lead state each year by June 1. [5]

 I.  CGAD Filing Issues

Identification of Level of Reporting.  The insurer or its system chooses to provide CGAD information based upon how it has structured its system of corporate governance, and is encouraged to make disclosures at the level where: i) its risk appetite is determined; ii) the earnings, capital, liquidity, operations, and reputation of the insurer are overseen collectively and the supervision of those factors are coordinated and exercised; or iii) legal liability for failure of general corporate governance duties would be placed. [6]  If the insurer or its system uses these criteria, it must indicate which of them are used and explain any subsequent changes in level of reporting. [7]  The three levels of reporting available are ultimate controlling parent, intermediate holding company, and/or individual legal entity, [8] but the NAIC expects most CGAD reporting to be at the ultimate controlling parent or intermediate holding company levels. [9]

Use of Existing Documents.   An insurer or insurance group may comply with CGAD filing requirements by referencing other existing documents (e.g., ORSA Summary Report, Holding Company Annual Registration Statement (Form B), Enterprise Risk Report (Form F), Securities and Exchange Commission (SEC) Proxy Statements, foreign regulatory reporting requirements, etc.) if such documents provide information that is comparable to the information required in the CGAD as described below. [10]

Customization.   An insurer or insurance group has discretion regarding the format for providing CGAD information, and is permitted to customize its CGAD to provide the most relevant information necessary to promote an understanding of corporate governance structure, policies, and practices. [11] 


Non-Lead States. When the model act requires filing the CGAD with the system's lead state, non-lead states may still request the filed CGAD from a domestic insurer. [12] Before a non‐lead state makes such a request, however, it "should consider obtaining and reviewing the Lead State’s analysis of CGAD to reduce duplication of analysis efforts." [13]

Subsequent Annual Filings of Amended CGAD Versions.  Each year following the initial CGAD filing, the insurer or its holding company system must file an amended version of the previously filed CGAD indicating where changes have been made to the previously filed CGAD (or stating that no changes have been made). [14]

Confidentiality.   The CGAD is recognized as containing confidential and sensitive information related to the internal operations of the insurer and its system, including proprietary and trade secret information with the potential for harm and competitive disadvantage to the insurer or its system if the information is made public. [15]  As a result, the model act contains numerous, stringent confidentiality protections intended to safeguard CGAD information and limit its use and disclosure. [16]

II.  Overview of CGAD Contents [17]  

Fundamentally, CGAD information is intended to provide regulators with a summary of the corporate governance structure, policies, and practices of an insurer and its system in order to convey and maintain an understanding of the filer's corporate governance framework.

A.  Introduction

Although a CGAD introductory section is not technically required under either the model act or the model regulation, its use allows for efficient inclusion of the following required information:  i) identification of the applicable insurer or holding company system and their corporate structure; ii) acknowledgement of the confidential nature of the report; iii) identification of the levels at which the report is completed (holding company or insurer); and iv) the criteria used to determine such level of disclosure. [18]  Use of an introductory section also provides an opportunity to reference any existing documents that are used to describe applicable corporate governance, as referenced above. [19]

The insurer or insurance group shall be as descriptive as possible in completing the CGAD, with inclusion of attachments or example documents that are used in the governance process, since these may provide a means to demonstrate the strengths of their governance framework and practices. [20]

B.  Corporate Governance Framework and Structure

Because filers have discretion regarding format when providing CGAD information, following the rule format below and simply repeating and responding to the instructions is acceptable.

The CGAD shall describe the insurer’s or insurance group’s corporate governance framework and structure including consideration of the following.

(1)        The Board and various committees thereof ultimately responsible for overseeing the insurer or insurance group and the level(s) at which that oversight occurs (e.g., ultimate control level, intermediate holding company, legal entity, etc.). The insurer or insurance group shall describe and discuss the rationale for the current Board size and structure; and

(2)        The duties of the Board and each of its significant committees and how they are governed (e.g., bylaws, charters, informal mandates, etc.), as well as how the Board’s leadership is structured, including a discussion of the roles of Chief Executive Officer (CEO) and Chairman of the Board within the organization. [21]

C.  Board and Committee Policies and Practices

The CGAD must describe board and committee members, including qualifications, backgrounds, experiences, and expertise, and how all of these integrate to benefit the applicable governing entity, insurer, and insurance group.   Board and committee independence must also be addressed, including related governance controls, and meeting attendance.  The nomination and election processes for the board and its committees should be explained, including the existence of a nomination committee, term limits on directors, elections and re-elections, whether a board diversity policy is in place, and if so, how it functions.  Finally, this section requires description of any board, committees, director performance review processes the board may have in place, and any recent measures (e.g., training and education programs) taken to improve the performance of the board, committees, or directors.

The insurer or insurance group shall describe the policies and practices of the most senior governing entity and significant committees thereof, including a discussion of the following factors:

(1)        How the qualifications, expertise and experience of each Board member meet the needs of the insurer or insurance group.

(2)        How an appropriate amount of independence is maintained on the Board and its significant committees.

(3)        The number of meetings held by the Board and its significant committees over the past year as well as information on director attendance.

(4)        How the insurer or insurance group identifies, nominates and elects members to the Board and its committees. The discussion should include, for example:

(a)        Whether a nomination committee is in place to identify and select individuals for consideration.

(b)        Whether term limits are placed on directors.

(c)        How the election and re-election processes function.

(d)        Whether a Board diversity policy is in place and if so, how it functions. 

(5)        The processes in place for the Board to evaluate its performance and the performance of its committees, as well as any recent measures taken to improve performance (including any Board or committee training programs that have been put in place). [22]

D.  Policies and Practices Directing Senior Management

The CGAD must describe the policies, procedures, and practices (i.e., suitability standards) used to determine the experience, skills, background, integrity, and education that senior management [23] must possess.  This includes identification of the specific positions for which suitability standards have been developed and a description of the standards employed, as well as identification of any changes in an executive's suitability as outlined by such standards.  The filer must also describe its code of business conduct and ethics, for example, standards on compliance with laws, rules, and regulations, and proactive reporting of any illegal or unethical behavior.  

The CGAD must also describe the filer's processes for senior management performance evaluation, compensation, and corrective actions, including significant compensation program objectives and rewards (e.g., the board’s role in management compensation oversight, compensation elements, the compensation relationship between insurer and individual performance, compensation program risk adjustments, claw back provisions, and whether an insurer's risk management objectives are met by employees' incentives).  

Finally, the CGAD must describe the filer’s plans for CEO and senior management succession planning.

The insurer or insurance group shall describe the policies and practices for directing Senior Management, including a description of the following factors:

(1)        Any processes or practices (i.e., suitability standards) to determine whether officers and key persons in control functions have the appropriate background, experience and integrity to fulfill their prospective roles, including:

(a)        Identification of the specific positions for which suitability standards have been developed and a description of the standards employed.

(b)        Any changes in an officer’s or key person’s suitability as outlined by the insurer’s or insurance group’s standards and procedures to monitor and evaluate such changes.

(2)        The insurer’s or insurance group’s code of business conduct and ethics, the discussion of which considers, for example:

(a)        Compliance with laws, rules, and regulations; and

(b)        Proactive reporting of any illegal or unethical behavior.

(3)        The insurer’s or insurance group’s processes for performance evaluation, compensation and corrective action to ensure effective senior management throughout the organization, including a description of the general objectives of significant compensation programs and what the programs are designed to reward. The description shall include sufficient detail to allow the Commissioner to understand how the organization ensures that compensation programs do not encourage and/or reward excessive risk taking. Elements to be discussed may include, for example:

(a)        The Board’s role in overseeing management compensation programs and practices;

(b)        The various elements of compensation awarded in the insurer’s or insurance group’s compensation programs and how the insurer or insurance group determines and calculates the amount of each element of compensation paid;

(c)        How compensation programs are related to both company and individual performance over time;

(d)        Whether compensation programs include risk adjustments and how those adjustments are incorporated into the programs for employees at different levels;

(e)        Any claw back provisions built into the programs to recover awards or payments if the performance measures upon which they are based are restated or otherwise adjusted;

(f)        Any other factors relevant in understanding how the insurer or insurance group monitors its compensation policies to determine whether its risk management objectives are met by incentivizing its employees.

(4)        The insurer’s or insurance group’s plans for CEO and Senior Management succession. [24]

E.  Management Processes for Oversight of Critical Risk Areas

In describing oversight processes, the CGAD must explain how oversight and management responsibilities are delegated among the board, its committees, and senior management, and how the board is kept informed of the insurer’s strategic plans, associated risks, and steps senior management is taking to monitor and manage those risks.  The insurer or insurance group must also address reporting responsibilities for critical risk areas, such as risk management processes, actuarial, compliance, financial reporting, internal auditing, and decision-making processes for investment, reinsurance, business strategy, finance, and market conduct.  For each critical risk area identified, the CGAD should identify how reporting responsibilities are organized and the frequency at which information is reported to and reviewed by senior management and the board.

The insurer or insurance group shall describe the processes by which the Board, its committees and Senior Management ensure an appropriate amount of oversight to the critical risk areas impacting the insurer’s business activities, including a discussion of:

(1)        How oversight and management responsibilities are delegated between the Board, its committees and Senior Management;

(2)        How the Board is kept informed of the insurer’s strategic plans, the associated risks, and steps that Senior Management is taking to monitor and manage those risks;

(3)        How reporting responsibilities are organized for each critical risk area.   The description should allow the Commissioner to understand the frequency at which information on each critical risk area is reported to and reviewed by Senior Management and the Board.   This description may include, for example, the following critical risk areas of the insurer:

(a)        Risk management processes (An ORSA Summary Report filer may refer to its ORSA Summary Report pursuant to the Risk Management and Own Risk and Solvency Assessment Model Act);

(b)        Actuarial function;

(c)        Investment decision-making processes;

(d)        Reinsurance decision-making processes;

(e)        Business strategy/finance decision-making processes;

(f)        Compliance function;

(g)        Financial reporting/internal auditing; and

(h)        Market conduct decision-making processes. [25]

III.  CGAD Differences by System Type

As is evident from the description above, the CGAD will vary from group to group, depending on the size, traditions, ownership structure, and other factors. For example, the company level that is the focus of the CGAD will be the ultimate holding company parent for many insurance holding company systems, but may be an intermediate holding company for the insurance business in a diversified holding company system. On the other hand, a stand-alone mutual insurance company will report at the level of the individual, mutual legal entity. Some basic considerations for public holding company systems, privately held systems, and nonprofit systems are described further below.

A.  Public Holding Company System

A publicly held holding company system, including mutual holding companies that have a publicly held subsidiary, will probably report at the level of the publicly held entity because that is likely to be the focus of governance and operations for the system. Moreover, the publicly held entity will be the one making filings with the SEC, which may be cross referenced for many components of the CGAD.

On the other hand, the insurance business is so different from other businesses, that a diversified holding company might use an intermediate holding company for insurance operations as the focus for oversight and risk assessment for those operations. Therefore, the diversified holding company might designate that intermediate insurance holding company as the CGAD reporting level. 

B.  Privately Held System

Insurance operations may be held by an individual or a group of individuals such as a family or a private equity fund. Such a system will probably report at the level of a holding company which has been formed to be the focus of governance and operations for the system and separate those functions from the individual owners. Like a publicly held system, a private system may hold only insurance operations or it may be diversified so, with respect to the latter, there is likely to be a separate holding company limited to insurance operations that should be the level of reporting for CGAD.

Given that a privately held system is controlled by one or a small number of individuals, regulators will probably be interested in policies and practices that prevent the owners from exercising their control to the detriment of the enterprise. For example, regulators may be more interested in efforts to include independent, expert voices on the board; to link management compensation to objective factors; and to build independent power centers around functions such as risk management, financial reporting, and compliance.

C.  Nonprofit system

Nonprofits will mainly be mutual or fraternal insurers which, in turn, will often be the ultimate parent and thus the likely level of CGAD reporting. However, there are many examples of insurers, whether for-profit or nonprofit, that are owned by nonprofits such as health systems or trade associations. For insurers owned by nonprofits, the CGAD reporting level may be the nonprofit or, if the insurer's operations are not integrated with those of the nonprofit, at the insurer level or the level of an intermediate holding company.

Because policyholder voting is not an effective governance device for mutuals, [26] regulators will probably be interested in policies and practices that provide a substitute check on management. And because nonprofits that own insurers are often engaged in efforts that do not involve insurance expertise, regulators will probably be interested in governance policies and practices that provide such expertise and insulate insurance management from nonprofit management to some extent. Thus, as with privately held systems, regulators may be more interested in efforts to include independent, expert voices on the board; to link management compensation to performance of insurance operations; and to build independent power centers around functions such as risk management, financial reporting, and compliance.

IV.  Conclusion

The CGAD is a complex report that will be due for the first time for many insurers this summer. Moreover, the process of preparing the CGAD for the first time may indicate the need for changes in corporate governance that may take some time to implement. Finally, regulators emphasize the importance of a thorough initial CGAD, as follow-on filings are only updates. In short, now is the time to get started on an initial CGAD filing.

[1] See F. Karlinsky, R. Fidei, and C. Brito, Corporate Governance in Insurance: A Primer on the Corporate Governance Annual Disclosure Model Act, FORC Journal, v. 29 (Summer 2018).

[2] In response to the financial crises of the late 1990s, the International Monetary Fund and the World Bank jointly established the Financial Sector Assessment Program to evaluate members' financial systems, including insurance companies.

[3] According to the NAIC, as of fall 2019 the Corporate Governance Annual Disclosure Model Act (Model Act) had been adopted by all 51 major U.S. jurisdictions except the District of Columbia, Illinois, New Jersey, New Mexico, New York, and South Dakota. Of the 51 major U.S. jurisdictions, 29 had adopted the Corporate Governance Annual Disclosure Model Regulation (Model Regulation). Per the NAIC  Financial Regulation Standards and Accreditation Program (April 2019), the CGAD models are an accreditation standard beginning January 1, 2020.

[4] The Model Act does not specify whether it applies to domestic or authorized insurers, but the former is probably intended. If the insurer is not part of a holding company system, it must file with its domestic regulator. Model Act § 3A.

[5] Model Act § 3A (the lead state is determined in accordance with the procedures in the most recent Financial Analysis Handbook adopted by the NAIC and the lead state for each system is set forth on a list maintained by the NAIC; the filing is made in accordance with the laws of the lead state).

[6] Model Act § 3D and Model Regulation § 4D.

[7] Id.

[8] Id. (the use of "and/or" indicates that the insurer may choose more than one level if various aspects of its governance activities are handled at different levels).

[9] NAIC Financial Analysis Handbook (2019 Annual / 2020 Quarterly) § VI.D.

[10] Model Regulation § 5. When referencing such other documents, the CGAD must clearly identify the location of the relevant information within the CGAD and attach any referenced documents not already filed with or available to the regulator. Model Regulation § 4F.

[11] Model Regulation § 4C. However, the CGAD must be signed by the CEO or corporate secretary of the insurer or its system attesting to the best of that individual’s belief and knowledge that the filer has implemented the corporate governance practices described in the CGAD, and that a copy of the CGAD has been provided to the filer's board or appropriate committee thereof. Model Act § 3B and Model Regulation § 4B.

[12] Model Act § 3C (again, it seems likely that this requirement applies only to domestic insurers, see Model Regulation § 4E, but it could also apply to authorized insurers).

[13] NAIC Financial Analysis Handbook (2019 Annual / 2020 Quarterly) § VI.D., which also states that it may be necessary or acceptable for the lead state to share its related work papers with another state, provided such information is shared in accordance with the confidentiality provisions of the Model Act. See Model Act § 6.

[14] Model Regulation § 4G.

[15] Model Act § 1A(3).

[16] Model Act §§ 6 and 7C, D, and E.

[17] The bold wording in this Section II is provided directly from the model regulation.  

[18] Model Regulation § 4D.

[19] Model Regulation § 4F.

[20] Model Regulation § 5A.

[21] Model Regulation § 5B.

[22] Model Regulation § 5C.

[23] “Senior management” means "any corporate officer responsible for reporting information to the board of directors at regular intervals or providing this information to shareholders or regulators," and includes the CEO, CFO, COO, and any other “C” level executive. Model Regulation § 3D.

[24] Model Regulation § 5D.

[25] Model Regulation § 5D.

[26] J.A.C. Hetherington, Fact v. Fiction: Who Owns Mutual Insurance Companies, 1969 Wis. L. Rev. 1068.