Risk Management forum – Gardaí advise actuaries on Cyber Fraud

There are a number of emerging risks in the insurance industry. The forum provided an opportunity to bring people together to discuss two of these – consumer risk and cyber risk – and also to consider a high-level overview of current hot topics.

A regulatory perspective on consumer risk

Helena Mitchell (Head of Consumer Protection: Supervision Division in the Central Bank of Ireland)

While the insurance industry has been focussing on the implementation of Solvency II and the quantification of capital under the new regime, consumer risk continues to be a crucial risk that requires attention by all insurers. Helena Mitchell presented an overview of the Central Bank’s Consumer Risk Outlook 2016 report, which brings consumer risk back to the forefront of the risk management agenda and highlights areas that firms need to focus on.



Acknowledging that there are no standard definitions of conduct or consumer risk as they relate to financial services, Helena cited example definitions from two sources (see box).





The definitions are broad, as consumer risk can arise from a number of areas:

  • A firm’s culture;
  • Products and services;
  • Systems and processes; or 
  • Individual behaviours.

The Consumer Risk Outlook 2016 report highlights a number of risks to the consumer protection objectives of the Central Bank including:

 

  1. Absence of a consumer focused culture in regulated firms – This is the key threat to the CBI’s consumer protection objectives; a culture of fair treatment of consumers is required within governance, risk management and business processes. The saying “culture eats strategy for breakfast” is very relevant here, as culture within the firm will influence the consumer’s overall experience.
  2. Poor product oversight and governance – It is challenging to measure whether an insurance product meets the customer’s need. Nevertheless, the CBI requires that all regulated firms must be able to demonstrate that their products are fit for purpose. Recent focus areas for the CBI have been the sale of pension annuities and renewal of health insurance. There have been a number of findings from these reviews which reflect poor product oversight and governance. In addition, EIOPA published its preparatory guidelines on product oversight and governance for insurers in April 2016. These are due to take effect from 3 January 2017.
  3. Operating environment – The CBI expects firms to fully assess the potential impact on consumers prior to implementing any operational changes, e.g. a change to claim handling processes.
  4. Service delivery – While business models and service provision are changing, firms need to understand any consumer risks prevalent through this, e.g. introduction of automated or robo-advice in the insurance sector.
  5. IT resilience and security – This continues to be a significant risk, in particular cyber risk, for both consumers and firms.

In February 2015, the CBI set out that all firms need to introduce or enhance their internal consumer risk management frameworks. This must include:

  • Setting out how the firm identifies consumer risks;
  • Articulating the consumer risk strategy and appetite;
  • Designing and implementing appropriate consumer risk architecture;
  • Ensuring all employees have a comprehensive understanding of the firm’s risk management policies and what this means in their individual role;
  • Developing metrics and methodologies to monitor and manage consumer risk.

The CBI are currently enhancing this supervisory model with a view to testing and measuring firms’ progress in implementing fit-for-purpose consumer risk frameworks later in 2016. Now is the time to ensure that consumer risk is fully considered in the process of ongoing enhancement of enterprise risk management frameworks in line with Solvency II. See the presentation slides and podcast for further information.

Effective management of consumer risk has wider social and economic benefits that go far beyond the regulatory framework.

 

The cyber threat landscape

Detective Inspector Michael Gubbins (Computer Crime Investigation Unit, Garda Bureau of Fraud Investigation)

Following on from Cyril Roux’s presentation at the SAI Risk Management Perspectives Conference in October 2015, cyber risk continues to be high up the agenda for all risk committees within the insurance industry. Detective Inspector Michael Gubbins provided an overview of the current cyber threat landscape.  

The digital environment continues to grow significantly year on year. There are approximately 7 billion mobile devices worldwide, with 12 billion mobile connected devices expected by 2020. This continual growth brings significant challenges in the cyber risk space. In terms of figures, in 2014 cybercrime cost $445 billion or c. 1% of global income. In addition, there were over 307 cyber threats every minute, more than 5 every second. These figures reflect the challenge that the industry has in managing cyber risk.

For a description of these, check out the podcast and slides.

The absence of reporting of cybercrime attacks by private companies and individuals raises significant challenges in law enforcement’s efforts to prosecute these cyber threats. There were numerous examples of major data breaches in 2015. Examples include the IRS in the US, Carphone Warehouse, and TalkTalk. Each of these raises the profile of cybercrime and challenges what the industry is doing to protect itself.

So what will 2016 bring? The Detective Inspector expects cybercrime attacks to continue to evolve in 2016. Next generation mobile payment applications may be a new focus area, while ransomware and data breach attacks are expected to continue.

To help control the cybercrime environment, the EU has published the NIS Directive (on security of network and information systems) which aims to bring cybersecurity capabilities up to the same level of development in all the EU Member States and ensure that exchanges of information and cooperation are efficient, including at cross-border level. Locally, the Criminal Justice Bill 2016 includes specific provisions in relation to offences relating to information systems.

Overall responsibility for cybercrime rests with you.



Hot topics

Tom Donlon (Director at Willis Towers Watson)

Tom gave an overview of the hot topics in the insurance industry and what new risks have emerged over the last 6 months, including:

  • Market risk – significant volatility in foreign exchange rates over the last 6 months which are at levels close to a 1 in 200 year event as prescribed under Solvency II. The Brexit decision will now result in significant volatility in the markets which will have implications for companies’ solvency levels. 
  • Credit risk – this remains relatively unchanged from 6 months ago, however the Brexit decision has implications on credit ratings of particular economies. 
  • Non-life specific – Periodic Payment Orders and the discount rate used for injury claims are key focus areas in the non-life sector for now.
  • Life specific – the consultation on the ultimate forward rate will have implications for insurers with long tailed business. 
  • Regulation – the actuarial regime (CP92) creates additional governance requirements, in addition to Solvency II, that require attention from all companies. Conduct risk, as discussed by Helena Mitchell, is an area that is high up the CBI agenda.
  • Operations – cyber risk, as discussed by Detective Inspector Gubbins, continues to evolve with new threats requiring attention on an ongoing basis.

 

What’s up next? The annual Risk Management Perspectives Conference on Thursday 13th October 2016 will be a full day of presentations devoted to a wide range of hot topics and current thinking in risk management. Check out the website for the latest on speakers and topics, and to reserve your place.





 

Eric Brown is a Senior Manager at Ernst & Young and a member of the SAI’s Enterprise Risk Management Committee.

The views of this article do not necessarily reflect the views of the Society of Actuaries in Ireland, the Enterprise Risk Management Committee, or the author’s employer. The article was edited by the Communications Subgroup of the Enterprise Risk Management Committee.