'Going Digital and Remaining Safe' - Sylvia Cronin, Director of Insurance Supervision

Remarks delivered to AZN Annual Conference

Cyber risks present more than just a new set of risks to the supervised firms. They can also expose consumers to undesired consequences related to personal security.

Introduction

Good morning, ladies and gentlemen. I am very pleased to join you at this event today and I would like to thank the Insurance Supervision Agency of Slovenia for the opportunity to speak to you about the important topics of digitalisation, cyber risk, and regulation.

Understanding and adequately confronting the challenges of the digital future, and indeed the digital present, is crucial in ensuring the on-going stability of the insurance industry and the ability of insurers to make good on their commitments to consumers. These commitments include an obligation to appropriately manage and protect the data relating to these consumers.

In an environment where the changes are fast-paced and threats from cyber risk are constantly evolving, there is an imperative for the insurance industry (including the regulators and supervisors, as well as insurance undertakings) to maintain the awareness, responsiveness and flexibly to act in a timely and appropriate manner to the rapidly changing landscape.

Insurers are perhaps unique in the cyber risk arena: as well as the intrinsic exposures that all sectors face from harm from breaches of information systems, insurers can choose to take additional exposure to the cyber risk environment through the provision of insurance products that mitigate losses for other entities subject to cyber risk incidents. This makes awareness and understanding of cyber risk an even more crucial aspect of the operational capabilities of insurance undertakings.

Today, I would like to share some thoughts and observations on these themes and the implications of the digital revolution on the insurance sector. In particular, I would like to highlight:

• The ever increasing importance of cyber risk.
• The necessity for insurers, regardless of size, to develop cyber resilience.
• The challenges faced by insurers considering underwriting cyber-insurance in the European market.
• The role of supervisors in ensuring the insurance sector develops a mature capability for the assessment and management of cyber risks.

The digital environment: an evolving and emerging risk

The current trend of technological transformations, increasingly referred to as a “Fourth Industrial Revolution”¹, offers possibilities to alter in a fundamental way the means by which we live and interact. This is not just a digital future, but increasing a digital present. Many of the opportunities and promises of the technological revolution are rapidly becoming part of mainstream life. As with any material shift in the landscape, the Fourth Industrial Revolution raises new issues and will expose undertakings to new risks – both anticipated and unanticipated.

The rapidity of these changes is clear when you look at the manner in which global perception of the risks of cyber-attacks and data theft has changed. Ten years ago, technology merited a passing mention as an emerging risk². Five years ago, the now familiar language around cyber-attacks, data fraud and digital misinformation began to emerge, but still were not considered as top risks in terms of impact or likelihood³. Today, these risks merit top billing. The World Economic Forum’s 2018 Global Risks Report⁴  identified both cyber-attacks and data fraud as being in the top-five evolving risks. There is nothing to suggest, given the increasing use of and dependence on digital technologies in business operations, that this trend towards the ever-increasing importance of technology related risks is likely to reverse in the near future.

The Operational Risk: cyber risk

The insurance sector, and indeed the financial system more generally, is highly exposed to cyber risk – driven by both data and technology. From a data perspective, insurance undertakings collect, store and manage substantial volumes of confidential and personal data. From a technology perspective, there is intensive use of information and communication technology and a highly interconnected industry (both locally and at the global level). This can result in a range of adverse outcomes, including loss or corruption of confidential or sensitive data, disruption of business, physical loss, financial loss and reputational damage⁵.

The intrinsic value of personal information is unquestioned. Recent legislative measures, such as the EU General Data Protection Regulation (GDPR), seek to place increased emphasis on the importance of the appropriate management of such data. Insurance undertakings routinely collect, for valid business reasons, a wide range of personally identifiable information including, for example, medical histories and employment information. Hence there is a significant onus on insurance undertakings to have in place robust systems, both governance and technological, to prevent the loss of personal data.

Indeed in an insurance context, these controls have added importance. Policyholder trust is at the very foundation of the insurance industry: insurance only works where consumers trust that the promises made by insurers will be honoured. Any incident involving the loss or mismanagement of personal data immediately undermines trust; the reputational damage, and subsequent business impacts, of such events should not be underestimated.

Alongside the wide range of business impacts such as incident response costs and loss of revenue, regulated firms are also subject to fines for regulatory breaches for not taking measures to ensure appropriate consumer protection. For example, in 2012, the Central Bank of Ireland (the Central Bank) issued a fine of €3.5 million to a financial institution following a major and prolonged failure of IT systems affecting 600,000 customers. The institution involved had entered into an outsourcing agreement with a UK-based parent for the provision of IT services, and IT risk oversight and management.

A software update supplied by a third-party contractor of the parent company inadvertently led to the failure of key account services for up to 28 days for customers of the Irish institution. Along with the regulatory fine, the Central Bank also required the institution to put in place a comprehensive redress plan, paying approximately €59 million to affected customers. There are some particular aspects related to this incident that make it particularly pertinent to the challenges facing supervisory authorities in terms of cyber risk. Firstly, this incident was related to a periodic software update implemented by the third party IT service provider and not a cyber-event initiated by an external party with malicious intent. Secondly, the Irish firm had failed to put in place robust governance arrangements in relation to the outsourcing of key IT functions, despite the fact that ultimate accountability resides with firms, regardless of outsourcing agreements. Finally, the cross-border nature of the issue required close alignment between the Central Bank and the UK Financial Services Authority, who are responsible for the regulation of the parent company, to resolve the disruption caused by the IT incident as quickly as possible. In a more recent case, in June 2018, the Central Bank issued a fine of €443,000 to an asset management firm arising from regulatory and governance failures that exposed the firm to cyber-fraud resulting in the loss of clients’ funds. In this case, a client’s email account was compromised and the firm admitted to significant breaches and failures, which led to inadequate regulatory safeguards to protect client assets.

Addressing the complexities and risks of ageing IT infrastructure, whilst trying to meet increasing customer demand for digital delivery is becoming a key challenge for insurers. In a manner similar to how the introduction of GDPR changed the framework for data, the forthcoming Network and Information Security Directive aims to strengthen cyber resilience in the providers of critical services to the economy.

Given the increasing importance of the area, I expect that cybersecurity risks should form an integrated part of an insurer’s enterprise risk management (ERM) process. More importantly, it is crucial that senior management in insurance undertakings see these as organisational risks; cybersecurity transcends the IT department and insurers need to consider these risks in a more holistic manner. One of the difficulties with cyber risks is that, unlike products and services, it’s very difficult to observe best practice in other firms to compare how your firm rates. If a firm were to share its security controls it would create a risk for itself. Insurers should have robust, organisation-wide systems for employee training, risk assessment and information sharing in respect of cyber risks.

Cyber resilience is not a single prevention focused task for a Chief Technology Officer. It requires organisation-wide governance and awareness, as well as systems for identification and detection. In the event that these activities are not successful in preventing an incident, it is key that insurers have response and recovery plans to deal with any incidents that do occur.

The Underwriting Risk: cyber risk insurance

While we have outlined some of the risks associated with technological change, the increasing level of digitalisation has provided an opportunity for insurers to introduce new products to address cyber risks.

Lack of penetration in EU market

The cyber insurance market in the EU is still at a very early stage, especially compared to the US, which is estimated to have a 90% share of the global market. While many see significant potential for growth, there are still uncertainties surrounding cyber insurance. Recent work by EIOPA has highlighted concerns that the market for cyber insurance within the EU may not be perfectly balanced. The primary reasons behind this are twofold: On one hand, cyber risks are hard to quantify and underwrite due to their evolving nature as well as the lack of historical data available, which hampers insurers' ability to offer this type of cover. On the other hand, the demand for cyber insurance is also low. Perhaps this is because firms, particularly small and medium sized firms, might not have the knowledge or expertise to understand their overall cybersecurity needs, including insurance.

There is an expectation that enforcement of the GDPR will have an impact on the European cyber insurance sector. While it remains unclear whether GDPR fines and fees will be insurable, the adoption of GDPR has undoubtedly made companies more aware of their cyber risk exposures and therefore their potential insurance needs. One of the key challenges for the European insurance sector will be to adjust to the increasing demand and changing customer needs.

From an Irish perspective, the Central Bank supervises a number of speciality insurers offering cyber risk insurance products. These cyber insurance products have become more prominent over the past number of years as firms become aware that cyber risks are now as tangible as physical threats to a company’s assets and have serious knock-on effects. A particularly interesting development is the increasing popularity of insurance products to help ensure the successful management of cyber incidents. While this type of product originated in the US market, expansion into new markets is ongoing. This brings new challenges for the Central Bank with an increased supervisory focus on modelling and underwriting of cyber risk insurance.

Challenges for cyber insurance

While we feel that the potential for growth in this market is significant, any insurers considering involvement in this area need to be mindful of some key challenges:

Limited availability of historical data

Insurers are used to dealing with risk; however, cyber risks are different. For more traditional risks, insurers can estimate the frequency and severity of a range of events. Recent history has shown that cyberattacks can happen to any number of organisations simultaneously and repeatedly. The lack of standardised and comprehensive data about events and, especially the uncertainties around long-term impacts of cyberattacks, makes the estimation of cyber liabilities challenging for insurers.

Accumulation risk

One of the key elements of increased digitalisation has been the recent trend for firms to use cloud-based services. While the use of cloud computing provides obvious benefits for firms, dependence on the same infrastructure, software and services creates a common exposure for cyber risk and increases interconnectivity. This makes these cloud services particularly vulnerable to failures or malicious attacks. The possibility for extreme losses associated with this accumulation of risk exposures is a key challenge for insurers. In fact, a recent Lloyd’s report, based on scenarios involving the top 15 U.S. cloud providers demonstrated that a significant disruption to these services would have a significant impact on the manufacturing and retail industries.

‘Silent’ cyber exposures

Cyber insurance cover can be offered as a standalone product or has often been covered as part of a traditional policy, e.g. property or general liability insurance. However, conscious of the danger of potentially covering cyber risks across a range of products (so called non-affirmative exposures or silent risks), many insurance companies are reviewing their existing contracts to add exclusions, add-ons or write-backs for cyber risks. The general trend is that insurers are becoming increasingly aware of the potential for having hidden exposures and taking steps to address it. The challenge for customers is to understand their coverage requirements and how best to address the gaps in their traditional policies.

As yet, there is no standard cybersecurity insurance policy. Every insurance company deals with cyber differently. Overcoming the major obstacles to the development outlined above of the cyber insurance market, particularly in Europe, could lead to greater and wider coverage of cyber risk and, interestingly, have a significant impact on risk management, which brings me my final point on this issue.

Cyber insurance & risk mitigation

Insurers are in a unique position to help their customers improve cyber awareness and better understand and deal with cyber risks. As well as providing risk transfer insurance coverage, a robust underwriting process with relevant and well-designed terms and conditions has the potential to assist in reducing cyber exposure and the potential losses associated with it. Just as the process of obtaining home insurance can incentivise homeowners to invest in better home security measures, the same could be true for companies seeking to obtain cyber insurance.

Thus, cyber insurance providers have the potential to contribute to the management of cyber risk by promoting awareness, encouraging measurement and by providing incentives for risk reduction. This could benefit not only the company purchasing the cyber insurance, but ultimately the end-consumers of that company’s goods and services.

The regulatory response

For regulators, the management of IT and cybersecurity are a concern given their potential to have serious implications for the prudential soundness of insurance firms, consumer protection and, more broadly, the stability of the European financial system.

Making the financial sector more cyber resilient is one of the key items addressed in the EU commissions FinTech action plan, which was published earlier this year. It also acknowledges that this challenge requires a collective and wide-ranging approach. As part of the action plan, the EU commission has asked that the European supervisory authorities (ESAs), (namely EIOPA, the EBA and ESMA) encourage financial institutions to address their cyber risk vulnerabilities and take proactive measures to address emerging challenges in an era of digital transformation.

Regulation in a rapidly changing environment

Regulators face a number of critical challenges in designing a regulatory framework for risks associated with digitalisation. The most notable of these is how best to ensure that the standards they set actually encourage firms to be more ambitious in managing risks as the technology continues to evolve. In this context, the main challenge for the authorities is to strike the right balance between the overriding objectives of promoting innovation and competition on the one hand, and those of preserving the integrity of financial stability and guaranteeing consumer protection on the other. Regulation should be designed in order to achieve such objectives.

Of course regulators are also very aware of the need to keep regulatory data secure. Since the introduction of Solvency II in January 2016, for example, the Central Bank collects and stores a significant volume of data. The Central Bank works to ensure our processes and controls are resilient and up to date.

Operational: cyber risk

With regard to cyber resilience in the European insurance industry, supervision of data and IT-related risks, including cyber risk, is something that has been on the regulatory radar for some time. As part of the EU Commission FinTech Action Plan, EIOPA, along with the other ESAs are required to gather information on the existing supervisory practices across financial sectors around ICT security and governance requirements. The next steps in the process involve examining the possibility of supervisory convergence and enforcement of ICT requirements across the financial sector. The EU Commission has requested information on possible legislative improvements in this area. The FinTech Action Plan also requests that ESAs explore and evaluate effective ways to test the cyber resilience of significant market players across the financial sector.

IT and cybersecurity risks have been a key concern for the Central Bank for many years. Our earliest experiences from engagement with insurance firms pointed to this being an area that required significant work. In 2016, we issued Cross Industry Guidance in respect of Information Technology and Cybersecurity Risks. This Guidance sets out the Central Bank’s expectations in relation to the management of IT risk, governance, IT outsourcing and cybersecurity. The consistent message that we have conveyed to firms is that they must improve their resilience to IT failures, including cybersecurity incidents with a real sense of urgency and genuine board engagement. We have also strengthened our supervisory capabilities in this area, intensifying the level of direct engagement with the development of an onsite IT inspection team. Our approach to this area will continue to evolve as our knowledge deepens through supervisory engagement and policy formulation. It is incumbent on us as regulators to proactively engage with firms and industry stakeholders in order to drive standards in this area.

Underwriting: cyber insurance

The Central Bank’s approach to supervising those insurers offering cyber insurance is also evolving. We have a specialised team of IT security experts, who in addition to carrying out on-site inspections to assess the operational resilience of supervised firms, provide insight into scenarios that could trigger claims under cyber insurance policies.

Our assessment of these insurers centres on their risk management framework. Do they have a clear risk appetite for cyber risk: how much exposure will they take on? in which areas? are they able to measure that exposure, including concentration and potential accumulation of incidents? do they have the necessary expertise? are they set up to be agile, learning from past experience and reacting quickly to unexpected developments? For these insurers, we expect that cyber risk is given appropriate focus in the ORSA, including adequate examination of adverse scenarios. We will engage with insurers if this is not the case.

EIOPA has also been looking at ways to develop and enhance mutual understanding of key issues and approaches surrounding cyber risk insurance coverage in order to further the basis for a sound regulatory framework for cyber insurance products. Firstly, EIOPA has engaged with 14 insurance companies who are active in the cyber insurance market to inform a deeper understanding of the challenges and risks of cyber insurance in Europe. Secondly, EIOPA has added a cyber-risk questionnaire to the 2018 Insurance Stress Test Exercise, which has been issued to 42 large insurance groups across Europe. This will contribute to the understanding of the position of the European insurance undertakings towards cyber risk and raise awareness in the market on the accumulation of risk in the context of cyber.

Collaborative measures

International dialogue and cooperation between regulators is a key element to ensure financial stability and consumer protection globally. The EU-US Insurance Dialogue Project (EU-US Project) which has been active since 2012 has recently begun a bilateral dialogue to share knowledge and information with respect to the dynamic area of cyber risk and the insurance sector. The project group will report later this year with input to help enhance the regulatory response in these key areas.

Closing remarks

All insurers are expected to play a critical role in this fast-changing and constantly evolving environment: both as a target for cyber crime and as an insurance coverage provider.

Regulators face a number of critical challenges in designing a regulatory framework for cyber risk. The most notable of these is how best to ensure that the standards they set actually encourage firms to be more ambitious in managing cyber risks as the technology continues to evolve. It is crucial that any regulatory framework avoids becoming a ‘checklist’ exercise in compliance; in an environment of rapidly emerging and evolving risk, a principles-based approach that has the flexibility to adapt to new challenges is crucial. Through the effective implementation of such an approach, we strive for positive outcomes for the protection of consumers and for preserving financial stability.

As already mentioned, I view this conference is an important part of this dialogue and cooperation across regulators. I look forward to hearing your views.

Many thanks for your attention.

-------------------------------------------------

I would like to thank Johnny Galway for his assistance with this speech.

¹ Klaus Schwab, World Economic Forum: The Fourth Industrial Revolution: what it means, how to respond (14 January 2016)

² World Economic Forum: Global Risks 2008

 ³ World Economic Forum: Global Risks 2013

⁴ World Economic Forum: Global Risks 2018

⁵ International Association of Insurance Supervision (IAIS): Issues Paper on Cyber Risk to the Insurance Sector (August 2016)