Innovation and the use of digital technology, cyber risk as core disruptor and the importance of culture – Sylvia Cronin, Director of Insurance Supervision

Speech delivered to OSG Vericlaim/Sedgwick Insurance Innovation Summit

Introduction

Good morning, ladies and gentlemen. I am very pleased to join you at this event today and I would like to thank OSG Vericlaim in association with Segwick for the opportunity to speak to you about the important topics of digital technology, cyber risk and culture.

Today, I will outline:

• Why the Central Bank considers digital technologies, cyber risk and culture to be so important.
• Our supervisory approach and reflections on what we see from our work.
• What we expect regarding the features of sound governance in respect of cyber and IT, including considering the need for a digital focused culture.

Digital technologies

 InsurTech and Technological innovation are reshaping the financial services environment at a dynamic pace. The proliferation of social media platforms and the growth of comparison websites has influenced consumer behaviour by enabling customers to easily obtain and compare options for financial services. Increased connectivity via online and mobile channels is also changing the way in which firms interact with consumers. Traditional insurers, data rich technology companies and InsurTech startups are innovating, partnering and disrupting the market at an accelerating pace.

While emerging digital business models expand product offerings, they also create a more challenging financial services landscape, where the supply and distribution chain becomes fragmented by a multitude of players.

This complex supply chain may mean some insurers are exposed to threats such as fraud, mis-use of personal financial data, digital profiling, cybercrime and reputational damage. From a consumer perspective, this may cause unfavourable customer outcomes. From a regulatory impact, regulators are concerned from both a prudential and consumer standpoint that insurers and intermediaries alike have robust controls and effective governance systems in place.

Many Irish firms are embracing this digital era, placing an increasing emphasis on the importance of technology in all aspects of their business. This is also mirrored in the global emergence of new products and services such as short term or pay-as-you-go home or motor insurance that reflects trends for short-term rentals of cars or homes in the sharing economy.

Key technologies driving innovation in insurance include: driverless cars, automated advice, cloud-based services, telematics, wearable technologies, big data analytics, artificial intelligence and the internet of things, to mention just a few. 

Telematics

The use of telematics and wearable technology enables consumers to use internet-connected devices to possibly obtain a lower premium. Insurance policies can be priced based on data transmitted from a device in a person’s car, home, or the device can be worn by the person including smart watches and fitness bracelets. The insurance policy can be tailored and priced specifically to the needs, lifestyle and risks of the individual consumer.

Smart Home

 A smart home, for example could transmit risk data from a range of devices in the home including flooding sensors, smoke detectors, thermostats and smart meters measuring electrical and heating consumption, which can feed into a tailored household insurance policy. The use of geo-location technology can facilitate more targeted home and flood insurance policies as it enables the identification of areas that may be more or less prone to flooding.

Big Data

Developing data analytics plays a key role in developing new product development opportunities. The use of Big Data enables more granular segmentation of risks, increases the effectiveness of risk identification and facilitates pricing that is more risk sensitive. Through the use of algorithms and artificial intelligence tools, insurers can influence how products are ultimately targeted and advertised.

In the insurance sector, these technological advances potentially challenge the essence of insurance provision; the pooling of risks of the many, for the claims of the few, as underwriting becomes more and more tailored through the use of data.

These digital innovations are attracting a number of insurtech start-ups and digital focused companies to the insurance sector. These new entrants are targeting all areas of the supply chain. Every process from product development to claims management is being transformed by technological innovations. Pricing and underwriting being the most affected. Digital technology of course may lead to a change in the value chain fundamentally changing the way insurance is done.

There are several factors, which play a part in challenging established insurance business models and create opportunities for digital focused firms:

1. Millennials

Societal changes impact the type of product and how it is consumed. Digital natives or millennials desire mobility usage with simplified on-demand type products embedded with a service offering. The instant and public nature of modern communication through social media has consequences for consumer expectations of customer service, claims and complaint handling.

2. Low interest rates – search for yield

The current low interest rate environment is contributing to the need for investors to expand their investment choices. Technology firms and entrepreneurs are increasingly looking at insurance for new opportunities. To improve margins in the current low interest rate environment, insurers need to find ways they can attract customers and investors.

3. Connected devices

The increased number of connected devices combined with smarter powerful analytical capabilities is improving the firms understanding of policyholder behaviour.

InsurTech

Traditional insurers view InsurTech start-ups as competitors or disruptors. A majority of insurers fear that some part of their business is at risk to disruption. Failure to innovate by an insurer may result in loss of customers, reduced market share and lack of strategic direction. The telecommunications industry illustrates such an example where once dominated by traditional telecommunications market leaders were quickly replaced by faster innovating competitors.

In response to this challenge, many global insurers are now collaborating with and investing in InsurTech start-ups. In 2015, InsurTech start-ups obtained funding of $2.5bn¹.

Our approach

An important emerging challenge for supervisory authorities is the extent of innovation taking place through greater use of financial technology. Rapid innovation represents a test for our regulatory approach:

1. When we authorise a firm to enter the insurance market, we need to strike the right balance between ensuring the firm meets our expectations, while at the same time being to open to innovation and new concepts.
2. For regulated firms, we need vigilance about shifting business models and emerging risks – including ensuring that prudential and consumer protection requirements are appropriate for new business models.
3. Resolution regimes need to be such that they enable the financial system to absorb the failure of individual firms as others grow and prosper.
4. We are strengthening international cooperation arrangements necessary to be able to effectively regulate in a digital environment that may have little regard for national borders or jurisdictional reach.

Recent Regulatory Initiatives

• From a domestic perspective, in June 2017 the Central Bank published a Discussion Paper on the Consumer Protection Code (the Code) and the Digitalisation of Financial Services – focused on:

• whether consumers are adequately protected under existing consumer protection rules contained in the Code;
• if the Code needs to be enhanced in specific areas; and
• whether there are impediments in the Code to firms adopting technologies that may be beneficial to consumers.

• From a European perspective, EIOPA is developing an InsurTech Task Force which will be responsible for the implementation of EIOPA’s core digitalisation activities such as a thematic review on the use of Big Data by insurers, assessment of barriers to financial innovation and cyber risk.

Although technological developments can provide organisational efficiencies and processes for insurers, they are not without risk. There are significant data protection, business interruption and reputational risks associated with increased digitalisation.

IT & Cyber Risk

Cyber risk is considered as a major disruptor to financial services. In 2016, cyber-attacks were estimated to cost businesses as much as 450 billion dollars a year globally². Cyber risk threatens data integrity and business continuity in an ever-interconnected financial system. The use of cloud and the dependency on external service providers also adds to the complexity of managing this risk. Cyber-attacks on businesses are increasing in frequency, scale and impact, becoming more sophisticated and persistent. Considering the past 12 months of cyber incidents such as the WannaCry ransomware attack, which affected more than 200,000 organisations in over 150 countries, there is an increased risk that more major cyber incidents will occur over the next 3 years.

Given the amount of personal data insurers hold, it is no surprise that they are considered serious potential targets.

In the words of a former FBI Director Robert S Mueller III “There are only two types of companies: those that have been hacked, and those that will be.”

What is the Central Bank doing in respect of cyber?

The Central Bank has given much thought to devising a strategy to effectively address IT and Cyber Risk, including cyber-security risk, as it pertains to supervised entities, consumers and financial stability. A one bank effort is being adopted enhance our capabilities and achieve our strategic vision.

The initial work across the Central Bank has focussed on improving overall IT governance in financial institutions, together with raising industry and consumer awareness of IT cyber risks. In this regard, last year we published the Cross Industry Guidance on IT and Cybersecurity Risks. This lays down a marker for undertakings as to the Central Bank’s expectations regarding the management of these risks and has provided a yardstick against which progress can be measured.

What specific actions has the Insurance Directorate taken?

From a supervisory perspective, the Insurance Directorate has taken a number of actions over the past 12 months with a focus on identification of control weaknesses and raising awareness of Central Bank expectations. This includes:

• Utilising the auditor assurance framework under section 27BA of the Central Bank Act 1997 for PRISM High Impact undertakings to seek assurance on cybersecurity governance arrangements as at 31 December 2016.
• Issuance of an IT and Cybersecurity questionnaire to PRISM Medium High and Medium Low impact undertakings to provide an insight on undertakings’ capabilities.
• Within the Directorate, our supervisors have undergone training on IT and cybersecurity, with this topic increasingly being addressed as part of general engagement with firms.
• Arising from both exercises, the most pronounced deficiencies relate to IT and cybersecurity governance and risk management arrangements. These findings point to significant weaknesses in the IT and cyber risk culture within firms. My speeches frequently mention this and today I will continue to emphasise how crucial board involvement is. The extent of board engagement with IT and cyber risk is an indicator of the priority accorded to such risk and the ability to manage it.

Next Steps

• We recognise and acknowledge the efforts of firms who have risk processes, strategies etc. in place. However, it is evident that there is a requirement generally to enhance existing practices, initiate and embed constructive improvements and to support an improved control environment. These enhancements must be implemented with a real sense of urgency and genuine board engagement.
• To conclude 2017 activities a Dear CEO letter has been issued to PRISM Medium High and Medium Low impact undertakings with undertaking specific actions on weaknesses identified. A letter will also be issued to PRISM High Impact undertakings in Q4 2017. Supervisors will be engaging directly with undertakings on such actions as we move into 2018.
• Going forward, and in order to ensure that a sense of urgency is embraced by undertakings, the Insurance Directorate will be focusing on the development of onsite IT inspection capacity for 2018.

Cyber protection

Insurers that do not have adequate cyber protection, may be at risk of a breach of the new General Data Protection Regulation. If a cyber-attack results in a data breach for an insurer it is almost certain that it would result in a fine, drop in share price, business interruption, loss of customers or possibly the exit of a senior executive position. All these consequences will have a knock on effect on the capital position of the firm and business model and strategy of the firm.

Cyber insurance

Separately, the demand for cyber insurance is expected to grow. It is estimated that the global cyber market is worth between 3 billion and 3.5 billion dollars³ and PwC estimate that this figure could increase to 7.5 billion dollars by 2020⁴. Some European regulators recently issued industry guidance to their undertakings reflecting the significance of this risk. Such products are still relatively new in the market, with limited underwriting experience. Unlike other types of insurance, there is a severe lack of historical data that can be used for pricing purposes.

For EIOPA, cyber risk remains a key emerging risk, with a plan to launch a cyber-questionnaire to National Supervisory Authorities and undertakings who underwrite cyber risk later this year. It should be noted that within the scope of the questionnaire the Central Bank supervise seven subsidiaries of the parent companies who underwrite cyber risk.

Therefore, although not yet a material line of business, we will be vigilant to see how these specialist lines evolve over time.

Firms should also be conscious of the risk of inadvertently covering cyber risk, as in, cyber exposure is not specifically excluded from all property and liability covers. Firms must ensure they are writing within their stated risk appetite.

Culture

This brings me to culture. What is culture and what does good culture look like? An organisation's culture is formed by the assumptions, values, expectations and beliefs, which drive behaviours and how staff act.

In this digital context, companies need to take stock and consider how they can drive and deliver change more successfully. We must “do the right thing”, not just “the easy thing”. In this changing environment, it is important that actions drive changes in behaviours. Culture is “the way things are done in firms and seen to be done.”

Although technology acts as a catalyst for change. There is a need to persist and be committed in our endeavours to address the underlying behaviours and drive meaningful culture change.

An organisation may appear to have strong governance in place in terms of structure and documentation on paper, yet the board and the organisation’s culture could be deficient in how it operates.

In line with the Central Bank’s new Consumer Protection Risk Assessment model, firms need to ensure that, as their business model may change to adopt to emerging technology, the appropriate internal risk frameworks and culture are in place to identify and mitigate risks to their customers.

What has Insurance Supervision been doing in the area of culture?

We are building culture into everything we do as supervisors. Whether we are assessing capital risk, investment risk or operational risk, we will look at how decisions are made, how they are communicated, how this reflects in the risk management framework and how actions are implemented on the ground. We have an in-house organisational psychologist working with us to develop and improve our supervisory approach. Indeed, demonstrating our commitment to best practice, this psychologist has been on secondment with the Expert Centre for Governance, Behaviour and Culture at the DNB for the last couple of months. Our supervisory approach has been developed to focus on the key influencers of culture, how to identify whether cultures are effective or ineffective and how to aggregate the data to form a holistic view of a firm at a point in time. We have focused on the indicators of risk and organisational culture. There is not an exhaustive list, as they can be tangible or intangible.

Areas we have identified include:

• Tone at the top: the way decisions are made and how information is cascaded down through the organisation.
• Board membership and performance, including the quality of board effectiveness reviews.
• Effectiveness of the risk, compliance and internal audit functions.
• Reviewing remuneration and reward models.
• Assessing the skills, knowledge, competence and ongoing training and development.
• The way firms interact and engage with us as the regulator.
• Approach to compliance – is it with the letter or the spirit of the law?
• Observing what are acceptable behaviours in your organisation.

Culture can be seen as the personality of the organisation and changes in key personnel have can have a major impact either positively or negatively.

Where we can see weakness, the intensity of the supervision may increase. We look to co-operate with companies in resolving serious supervisory issues but we will not hesitate to use our formal powers if we do not see change or cooperation. Example of where we have historically used these powers have been to investigate board effectiveness and how risk management has been implemented and is operating in practice. We have also learnt that often ineffective culture appears to transcend an organisation quickly and take hold faster than a strategy to build an effective culture. To move towards a positive culture appears to be a gradual process, perhaps this is reflective of the fact that it takes more time to build trust and credibility than it does to demolish it.

As Warren Buffet said “it takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you will do things differently”.

Closing remarks

To conclude insurance is being transformed by a range of new and emerging technologies. Innovation is driving change from how back end processes operate to the development of new innovative products. Technological innovation is a driver for efficiencies and firms therefore need to dedicate capital expenditure and resources to facilitate these improvements. I firmly believe that those who do not, will get left behind and that a sustainable business model is not possible without innovation. Of course, while the industry is transforming the ways in which it provides services to consumers, the fundamentals of good underwriting discipline remain the same. Firms must ensure they get underwriting right in a digital context.

On cyber, investment in robust IT security systems will yield return in terms of resilience to attacks and the resultant management of reputational risk and retention of customers. These systems should be tested on a periodic basis.

In relation to culture organisations need to be cognisant of the attitudes and behaviours that prevail. Are they open to these new evolving risks and opportunities that the digital technologies are presenting? Have they considered how to protect their consumers and own reputation?

“It is better to look ahead and prepare than look back and regret”⁵.

That brings me to the end of my address today on digital innovation, cyber risk and culture.
--------------------------------

Acknowledgements: I thank Sheena Savage for her inputs into this speech
¹ IAIS Fintech Developments in the Insurance Industry
² Graham, L, 2017, Cybercrime costs the global economy $450 billion. CNBC Cyber Security.
³ Stanley, C, 2017. Cyber market estimate
⁴ PwC, Insurance, 2020 and beyond
⁵ Jackie Joyner-Kersee