GRC - UCF integration

kerrygregory
Tera Contributor

We have not subscribed yet to UCF for our implementation. We are still evaluating. My Compliance area has asked if there is integration with ACLI (American Council of Life Insurers) or NILS (Wolters Kluwer). Our Compliance area gets daily updates/feeds from these organizations. Thoughts?

1 ACCEPTED SOLUTION

Notorious BFG
ServiceNow Employee

Hi Kerry!

So this is a really interesting use case that I suspect both UCF and our own GRC team would want to put some thought into...

To my understanding (and please feel free to correct me if I'm wrong here!), ACLI does not themselves publish a specific compliance framework, though they do provide a good amount of insight and editorial content related to specific insurance company compliance, which is analogous to how various security publications and products offer Threat Intelligence style feeds to allow users to glean insight into current security trends.

For instance, I was just reading about the ACLI's stance on the SEC's recent adoption of the "Regulation Best Interest" statute requiring fiduciaries to act in the best interest of their clients over their own profits. That just happened officially this year! LIKE ONLY TWO MONTHS AGO!!!

That particular statute had originally been drafted as rule 15 of the Securities Exchange Act... of 1934. Like, slow down there SEC, don't move too quick there buddy. All joking aside, this has been a long time coming and it's something that I'm sure you and your colleagues take VERY seriously as you want to understand exactly what kind of impact this has on your current market offerings. What are you on the hook now to be able to prove when the auditor comes knocking? It's a good question and one that might be up for debate or litigation for a while...

In any case, the EA 1934 statute has long been in the UCF (as have many other related statutes and regulations), but only after the SEC finally ratified it in June was the control in question flipped from "implied" to "mandated" in the CCH. Interestingly enough, this actually had quite a significant impact on many other controls across a much wider swath of industries! UCF actually went and flipped several other related controls into a "mandated" state after this turn of events to help compliance folks begin the process of building an auditable trail of data to make the case should the need arise.

To read more about this quite interesting turn of events I highly recommend the Harvard Law School's Corporate Governance Blog (a great favorite of mine!), which can be found here: https://corpgov.law.harvard.edu/2019/06/19/regulation-best-interest/

Wolters Kluwer, to my understanding, does provide specific prescriptive guidance on which controls should be deployed for insurance agents, and their framework aims to leverage the same kind of "test once, satisfy many" approach as the UCF. My question to you would be this:

Does your company currently subscribe to these advisory services or specifically license WK's Insurance framework? If so, you might just consider importing said licensed frameworks into the relevant tables in ServiceNow (specifically the policy statement table, and if there are documented "crosswalks" in these frameworks to various regulatory guidance, I'd import those into the citations table) and forgo the UCF. You'd likely need to either do a one-time import and create a transform map or, if there is a service provided by either of these groups, perhaps ask for the relevant endpoint and do a regularly scheduled download of their controls as needed.

If your company does not license either of these frameworks or advisory services, I believe you'd likely be well served either leveraging UCF or, if your company already has a solid framework of controls in place, importing those trusted controls - though as with any move between systems it might be a really good time to examine which controls are really needed and which are simply superfluous or should perhaps be moved into risk indicators (all of which is a longer workshop-level discussion that I encourage you to have with your team!).

Additionally, you might consider reaching out to both organizations to determine if they have relationships with the UCF or if they provide advisory services on either UCF list creation or even the use of other normalized frameworks like HITRUST, COBIT, or SmartCompliance. Most players in the compliance framework space recognize that ServiceNow is not prescriptive (which is great for us because it lets us work well with everyone!) and they are often happy to provide guidance on specific control deployment in ServiceNow provided you're paying for their services (and rightly so - by advising how to deploy your controls they are taking on some of the responsibility that sort of guidance entails).

Last, if you'd just like to have access to the really interesting editorial content provided by either ACLI or WK, it's actually really easy to import their individual blog RSS feeds into ServiceNow to leverage as content for a dashboard via a service portal or data feed. I'll see if I can dig up one of the really great community posts over in the Portal community related to importing RSS feeds into one's ServiceNow content pages. Heck, I might just do the same and start scraping the Harvard Law blog into my own instance for just this very reason...

Hope all of that was helpful, and if so, please feel free to mark it as such below so others may find it!

Best,

Ben

ʕʔ*:・゚.    


4 REPLIES

JohnJasinski
Tera Expert

Consider another library provider 

http://c2csmartcompliance.com/en/products/compliance-mapper/

Contact:

Steve Crutchley – Founder and Chief Executive Officer, 305.251.5190
Steve is a recognized leader and foremost authority in the GRC arena. With more than 25 years of experience in Business Protection, combined with an extensive knowledge of the industrial, commercial, government and financial areas, Steve has dedicated his career to maintaining a highly focused emphasis on risk, governance, compliance, information security and information assurance.

He can help you import the same content IBM OpenPages uses into your NOW instance.

Great resource for GRC content.

CORPORATE OFFICE: 110 North Royal Street, Suite 525, Alexandria, VA 223147, 703.872.7340

MIAMI OFFICE: 12900 SW 128 Street, Suite 103, Miami, FL 33186, 305.251.5190

EMAIL: info@c2csmartcompliance.com

A Blended Approach to Regulatory Compliance

C2C SmartCompliance is a specialized enterprise Governance, Risk and Compliance software and services provider founded by information security, risk and compliance professionals with over 25 years of GRC auditing and consulting experience. The C2C methodology aligns an organization’s compliance strategy with specific business objectives. C2C’s products automate the costly manual processes associated with compliance initiatives, performing tasks in hours that normally take days. We provide stakeholders with a sustainable, business-centric, common operating compliance framework. We refer to this as B-GRC.


Community Alums
Not applicable

Hi Kerry - UCF is the official library and the only one supported by ServiceNow, which means if you have any issue with the integration you can always get in contact with them. On top of that, being the official library means the solution has been designed around the library (performance, data schema, etc.), and the future may bring new functionalities that will not be available for the third-party libraries. I always try to use out-of-the-box settings as much as I can, so that upgrades are easy and there are no performance issues.

Well Ben... thank you for this! 🙂

EF