Joint Committee Report on Risks and Vulnerabilities in the EU Financial System

EXECUTIVE SUMMARY AND POLICY ACTIONS
The recovery associated with the receding pandemic has slowed as a result of the Russian aggression in Ukraine. It has contributed to high inflation and is damaging the economic outlook, which led to increased financial market risks across the board. The economic and financial impact of the invasion has been felt globally, alongside enormous humanitarian consequences. Prices in energy and commodity markets have risen to record highs. Production and logistics costs have risen and household purchasing power has weakened. After a long period characterized by very low inflation and interest rates, policy rates are being raised in response to high inflation. The resulting higher financing costs and lower economic growth may put pressure on government, corporate and household debt refinancing. It will likely also have a negative impact on the credit quality of financial institution loan portfolios. Financial institutions are moreover faced with increased operational challenges associated with heightened cyber risks and the implementation of sanctions against Russia. The financial system has to date been resilient despite the increasing political and economic uncertainty.


In light of the above risks and uncertainties, the Joint Committee advises national competent authorities, financial institutions and market participants to take the following policy actions:

  1. Financial institutions and supervisors should continue to be prepared for a deterioration in asset quality in the financial sector. In light of persistent risks that have been amplified by the Russian invasion and a deteriorating macroeconomic outlook, combined with a build-up of medium-term risks with high uncertainty, supervisors should continue to closely monitor asset quality, including in real estate lending, in assets that have benefitted from previous support measures related to the pandemic, and in assets that are particularly vulnerable to rising inflation and to high energy- and commodity prices.
  2. The impact on financial institutions and market participants more broadly from further increases in policy rates and the potential for sudden increases in risk premia should be closely monitored. Inflationary pressures coupled with uncertainty on risk premia adjustment raise concerns over potential further market adjustments. Rising interest rates and yields are expected to improve the earnings outlook for banks given their interest rate sensitivity. They could also reduce the valuation of fixed income assets, and result in higher funding costs and operating costs, which might affect highly indebted borrowers’ abilities to service their loans. Credit risks related to the corporate and banking sector also remain a primary concern for insurers and for the credit quality of bond funds. High market volatility stemming from the above economic and geopolitical situation could also raise short-term concerns and disruptions for market infrastructures.
  3. Financial institutions and supervisors should be aware of and closely monitor the impact of inflation risks. The economic consequences of the Russian aggression mainly channel through energy and commodity markets, trade restrictions due to sanctions and the possible fragmentation of the global economy. Financial fragmentation, including fragmentation of funding costs, could threaten financial stability and put pressure on price stability. Inflation is not only relevant from a risk perspective, but is also expected to be reflected in actual benefits and pensions; inflationary trends should be taken into account in the product testing, product monitoring and product review phases. Financial institutions and regulators should make extra efforts to ensure investor awareness of the effects of inflation on real returns of assets, and how these can vary across different types of assets.
  4. Supervisors should continue to monitor risks to retail investors, some of whom buy assets, in particular crypto-assets and related products, without fully realizing the high risks involved. Some retail investors may not be fully aware of the long-term effects of rising inflation on their assets and purchasing power. In the context of growing retail participation and significant volatility in crypto-assets and related products, retail investors should be aware of the risks stemming from these. The recent events and subsequent sell-off of crypto-assets raise concerns about the appropriate assessment of the risks and the developments of this market segment going forward, and require particular attention from financial institutions and supervisors. Where disclosures are ineffective, these risks are compounded.
  5. Financial institutions and supervisors should continue to carefully manage environment-related risks and cyber risks. They should ensure that appropriate technologies and adequate control frameworks are in place to address threats to information security and business continuity, including risks stemming from increasingly sophisticated cyber-attacks.

1 MARKET DEVELOPMENTS
The Russian invasion and inflationary pressures have significantly impacted the risk environment of EU securities markets. From the beginning of 2022, the recoveries in most equity indices that followed the March 2020 market stress came to a halt, with global equity indices broadly declining (in 1H22: Europe -18%, China -8%, US -20%). This was mostly linked to energy costs and lower trade flows due to the Russian invasion, supply-side bottlenecks linked to the continued effects of the COVID-19 pandemic and the tightening of credit conditions for firms. At the same time, volatility as measured by the European volatility index VSTOXX rose in early March (41%) to about half the levels of March 2020. In Europe, more energy-intensive sectors, such as consumer discretionary (-31% YTD), industrials (-29%), and technology (-36%), saw larger price falls than other sectors. Price-earnings ratios tumbled, though they remained above 10-year historical averages (at 3% EU and 9% US respectively). The decreases partly reflect lower earnings expectations for the future, due to the potential long-term effects of the pandemic and the impacts of higher long-term interest rates.

Fixed income markets were characterized by investor expectations of slower economic growth, higher inflation and a less accommodating interest rate environment. Despite a short-lived fall right after the invasion, EU sovereign bond yields rose in 1H22 to levels unseen since 2016 with significant news-flow related volatility (IT +213bps, GR +230bps, DE +150bps). As of end-June, spreads to the Bund also widened, e.g. for Italy (1.9%, +70bps) and Spain (1.1%, +39bps). Corporate bond markets showed sensitivity to the evolving outlook, recording significant selloffs across all rating categories and reduced liquidity. Investment grade (IG) bonds experienced a peak-to-trough fall of 15% (August 2021 to May 2022), nearly twice that of the pandemic, and declined by 12% in the year to June. High-yield (HY) bonds performed slightly worse (-15%) but their peak-to-trough losses were lower than during the pandemic. Credit spreads widened on concerns that the slowdown could weigh on firms’ debt capacity. Significant spread upswings were also seen in February with the invasion, and in May and June as rate hikes occurred in the US and were announced for the EA.

The crypto-asset market experienced a continued sell-off in 2Q22 in line with the decline of traditional financial assets (especially tech equities) with which Bitcoin (BTC) shares a close (40%) correlation. The collapse of crypto-asset TerraUSD in May and the pausing of customer withdrawals by crypto-asset Celsius in June added to the shift in investor sentiment away from these assets, sending the BTC price to an 18-month low. In May, the largest algorithmic stablecoin (third largest overall), TerraUSD, failed to maintain its peg to the USD after its underlying decentralised finance (DeFi) protocol, Anchor, suffered a confidence run on its deposits. The combination of the sharp fall in crypto-asset prices and the demise of the Anchor protocol linked to TerraUSD caused the total value of assets ‘locked’ (deposited) in DeFi smart contracts to fall from over EUR 186bn at the start of May to EUR 62bn by June. In another development in June, the centralized finance (CeFi) lending platform Celsius halted customer withdrawals of deposits, signaling that it had liquidity issues or a deeper insolvency problem. This coincided with a 21% fall in the Bitcoin price and led Binance to temporarily suspend Bitcoin withdrawals from its exchange. The Celsius token price had fallen by 94% since the start of 2022 with market speculation that it could sell a sizeable stake in crypto-asset Ethereum to avoid collapse.

The turmoil triggered by the Russian invasion also affected environmental, social and governance (ESG) markets. In 1Q22, EU ESG equity funds had net outflows of EUR 5bn, compared with average inflows of EUR 11bn per quarter in 2021. ESG bond issuance volumes fell 29% from the start of the year to June, as compared with the same period in 2021. In the banking sector, ESG bond issuance as a share of total bond issuance decreased compared to 2021, though they often enjoy higher subscription levels than non-ESG bonds, allowing banks to pay lower risk premia on new issuances. Despite this, some fundamental factors driving the rise of ESG investing remain in place. Most importantly, investor preferences continue to shift towards sustainable investments, with portfolio allocations increasingly tilted towards ESG investments. Similarly, issuance of ESG bonds by EU corporates remained on par with early 2021, supported by a rapid expansion of the sustainability-linked bond market. This contrasts with a 32% fall in broader EU corporate bond issuance.

2 DEVELOPMENTS IN THE FINANCIAL SECTOR
In 1H22, European investment funds faced heightened volatility in securities markets given the increasingly uncertain economic outlook and the expected increase in interest rates. The performance of most EU fund categories dropped significantly, from a 12-month average monthly performance of 1.6% for equity funds in December 2021 to 0.9% in June 2022. In the meantime, the performance of bond funds turned negative (-0.7%). In contrast, commodity funds outperformed the sector in 1Q22, reflecting the surge in commodity prices following Russia’s invasion of Ukraine and the sanctions on Russia, before slightly receding, to 2.1%, at end-June. Equity fund flows were also negative (-0.9%). Declining performance led to redemption requests with net outflows in 1H22 totalling 1.6% of the net asset value (NAV) of the fund sector. Bond funds were particularly affected (-4.8% NAV) due to negative performance (-0.7%) and exposures to growing credit and interest risks. Commodity funds experienced outflows (-5.8%), albeit from a low base and only in 2Q22, when their performance declined. MMFs also experienced substantial outflows (-9.2% NAV, exceeding the -4.6% NAV observed during COVID-19 stress). MMFs denominated in all currencies experienced outflows, though USD MMFs experienced higher returns (1.1% average monthly performance) than EUR-denominated MMFs (-0.1%). While MMFs may generally benefit from a flight-to-quality during uncertain market conditions, investors currently appear to be turning away from fixed-income funds in general. Outflows were partly driven by the expected increase in interest rates. In contrast, real estate funds (1.7% of NAV) and mixed funds (1% of NAV) recorded inflows in 1H22.

The European insurance sector entered 2022 in good shape notwithstanding the adverse developments since the COVID-19 outbreak. During 2021, gross written premiums (GWP) for the life business grew (y-o-y) quite substantially (+14%), while growth was lower for the non-life business (8%). The positive change has partially been driven by the previous reduction in GWP throughout 2020 during the pandemic, although GWP still remain below pre-Covid levels, in particular for life business. The good performance of financial markets and the high returns obtained during 2021 pushed insurers’ profitability up to the levels reached back in 2019, with a median return on assets standing at 0.57% in 4Q21 (0.38% in 4Q20).

At the beginning of 2022, insurers’ capital buffers on aggregate were solid, with a median SCR ratio of 216%. An improvement was observed for life insurers while a slight decline was observed for non-life insurers. As the risk-free interest rate increased throughout 2021, due to the long maturities of life insurers’ liabilities, the value of technical provisions decreased relatively more than the value of assets, with a positive effect on net capital. This contributed to an increase in the median SCR ratio for life insurers, from 216% to 225%. However, the SCR ratio did not reach the high levels observed at the end of 2019 (236%). On the other hand, the median SCR ratio for non-life insurers slightly decreased from 218% towards 211%. This might be driven by the increase in claims negatively affecting the liabilities of some representative undertakings, combined with the fact that asset values declined more than liabilities when interest rates increased, given that non-life insurers tend to be characterized by a positive duration gap. Likewise, the financial position of EEA IORPs displayed a recovery in 2021. The total amount of assets grew to EUR 2,713 bn in 4Q21 (from EUR 2,491 bn in 4Q20), while liabilities remained more or less unchanged. Similarly, the Excess of Assets over Liabilities exhibited a positive trend.

The European banking sector entered 2022 with relatively strong capital and liquidity positions. The capital ratio (CET1 fully loaded) is, at 15.0% in 1Q22, at the same level as it was before the pandemic broke out (in 4Q19). Yet the capital ratio was 50bps lower than in the previous quarter, mainly driven by rising risk weighted assets (RWA). After a steady rise in previous quarters, the liquidity coverage ratio (LCR) also slightly deteriorated in 1Q22. A reported LCR ratio of 168.1% in 1Q22 (174.8% in 4Q21) was nevertheless still substantial.

EU banks are facing additional challenges to asset quality and profitability while pandemic-related vulnerabilities continue to loom. Deteriorating economic prospects, high uncertainties and high inflation with a phasing-out of accommodative monetary policy are affecting the outlook for the EU banking sector. Loan portfolios with pre-existing vulnerabilities from disruptions caused by the pandemic may also be further affected in a slower economic recovery. Accordingly, 45% of banks responding to the EBA’s spring 2022 risk assessment questionnaire (RAQ) indicated their plans to maintain their overlays related to the pandemic to cover potential losses that may materialize in the next quarters, while 35% of banks indicated plans to release them fully or partially. Supervisors should continue to closely monitor the adequacy of banks’ provisions.

The NPL ratio further improved in the first quarter of the year (to 1.9%), mainly driven by decreasing volumes of non-performing loans (NPL). However, the rising cost of risk and an increasing share of loans allocated under Stage 2 under IFRS point to slightly deteriorating asset quality. The quality of loans under previous support measures related to the pandemic continues to show signs of deterioration and also requires vigilance. The total volume of loans with expired EBA-compliant moratoria reached EUR 649bn in 1Q22, a 7.8% decline compared to the previous quarter. The volume of loans subject to public guarantee schemes (PGS) stood at EUR 366bn in 1Q22, almost unchanged compared to the previous quarter. The NPL ratio of loans under expired moratoria and of loans subject to PGS is, at 6.1% and 3.5% in 1Q22, respectively, substantially higher than the overall NPL ratio, and has increased further since 4Q21. PGS loans are mostly concentrated in a few countries only. The allocation of Stage 2 under IFRS 9 for loans under previous support measures is, at 24.5% for loans under expired moratoria and 22.7% for loans subject to PGS, substantially higher than Stage 2 allocations for all loans and advances (9.1% in 1Q22). In spite of their slight deterioration in 1Q22, EU banks’ capital and liquidity positions nevertheless provide, for the time being, sufficient cushioning in banks’ balance sheets should the economic situation deteriorate further, or heightened market volatility persist.

Positive operating trends were observed for European banks in 1Q 2022, with a profitability of 6.6% return on equity (ROE) achieved under difficult market conditions, though this is lower than the 7.7% ROE reported in the previous year (1Q21) and lower than the 7.3% ROE of the previous quarter. The contraction can be explained mainly by rising contributions to deposit guarantee schemes and resolution funds in some countries and various one-off effects, whereas net operating income improved. In 1Q21, lending growth offset a slight decline in net interest margins (NIM) and led to improved net interest income (NII). Net trading income also increased, supported by market volatility. Overall, increasing net operating income also outweighed the impact of rising inflation on operating expenses in the first quarter of 2021.

3 IMPACT OF RU-UA WAR ON THE EUROPEAN FINANCIAL SECTORS
Securities markets experienced volatility with some key commodity markets strongly impacted by the Russian invasion and sanctions. Bond yields rose in response to the increasing inflation and anticipated higher rates, while equity markets were volatile and experienced periodic sell-offs. Such volatility can create short-term risks on financial markets. Margin calls on derivatives related to commodities can create liquidity strains for counterparties, as was witnessed by the calls for emergency liquidity assistance for energy traders and the London Metal Exchange suspending nickel trading for five trading days in early March. While commodity derivatives markets in the EU are of limited size relative to EU derivative markets as a whole, these markets create sensitive interlinkages between commodity producing or processing companies, commodity traders, banks acting as intermediaries in the clearing process, central counterparties, and other financial institutions.

The Russian invasion negatively affected credit rating agencies’ (CRA) credit outlook for EEA30 debt. The number of corporate downgrades grew relative to upgrades over 1H22, with a jump in downgrades around the time of the invasion. Russian and Ukrainian ratings were mainly affected, with a series of downgrades in late February and March among both corporates and sovereigns. By mid-April CRAs had withdrawn their Russian ratings in response to the EU measures banning the rating of Russian debt and the provision of rating services to Russian clients. In addition, sanctions have made it difficult for Russia to make sovereign coupon payments. In this context, Russia defaulted on some debt payments due in late June.

Direct impacts of the invasion on investment funds were limited. Exposures to both Russian and Ukrainian counterparties were EUR 50bn (below 0.5% of EU fund assets as of end-January 2022). Some fund exposures were higher, with 300 funds holding over 5% of their portfolios in Russian and Ukrainian assets (total EUR 225bn). The massive fall in prices and liquidity of Russian financial instruments led to serious valuation issues for exposed EU funds. In 1H22, 100 Russia-exposed EU funds (EUR 15bn in combined assets) temporarily suspended redemptions. However, funds with material Russian exposures before the invasion account for a very small share of the EU fund population (less than 0.1% of the EU industry). A number of ETFs tracking Russian benchmarks also suspended share creation. While direct impacts of the Russian invasion on funds, such as losses, were limited, existing risks were amplified by the invasion and the deteriorating macroeconomic outlook. Credit, valuation and liquidity risks remained elevated in the bond fund sector, linked to multiple factors. Bond fund exposures to credit risk stayed elevated, especially for HY funds. The credit quality of the portfolio of HY funds remained close to an average rating between BB- and B+ (5-year low). The likelihood of credit risk materialization also increased with the deteriorating macroeconomic environment and rising interest rates, as visible in the higher credit spreads. In comparison, liquidity risk remained steady for corporate bond funds. Based on asset quality and cash holdings, portfolio liquidity remained stable in 1H22.

EU insurers’ exposure to assets issued in Russia, Ukraine and Belarus is also limited. These assets amount to EUR 8.3 bn, less than 0.1% of the total investment of the sector. The exposure to Russia is EUR 6.3 bn, which is 0.066% of total investments, and the asset exposure to Ukraine is EUR 1.8 bn, 0.019% of total investments. The exposure to Belarus is negligible. Most of the investments in Russia are through investment funds (84% of total investments). Within funds, the largest asset classes are represented by sovereign bonds and equities associated with unit-linked portfolios. A large share of investments in Russia, Ukraine and Belarus (42%) is in index- and unit-linked portfolios, whose risk is borne directly by policyholders.

EU insurers have limited activities in the Russian, Ukrainian and Belarusian markets. A small number of EEA groups are active in those countries through subsidiaries. Their size in terms of total assets is minimal compared to the total assets of the groups. In terms of liability portfolios, exposures are also limited. Total technical provisions in Russia, Ukraine and Belarus are EUR 0.36 bn, mostly concentrated in the life business.

With regard to IORPs, asset exposures are also limited, at EUR 7.5 bn (0.23% of total investments). In absolute numbers this is similar to the exposure of the insurance sector. It is worth noting that the size of the IORPs’ total investment is smaller than that of the insurance sector.

In the banking sector, direct exposure to Russia and Ukraine appears limited at both EU level and country level. In 1Q22, exposures of the EU/EEA banking sector were at EUR 75.3bn (ca. 0.3% of total assets) towards Russian counterparties, at EUR 10.0bn towards Ukrainian counterparties, and at EUR 2.0bn towards Belarusian counterparties, slightly decreasing towards the three countries compared to the previous quarter. However, exposures are concentrated in a few countries, and a few banks report an up to 10% share of their exposures towards Russia and Ukraine. Some banks also booked substantive provisions related to their exposure to Russia and related to the deteriorating economic environment in the first quarter of this year.

While immediate, first round implications from the Russian invasion appear contained for financial institutions across sectors, the possibility of second round effects is a source of concern. The invasion, heightened uncertainties and inflation are not only weighing on economic prospects, but also affect consumer- and business confidence. Exposures of economic sectors more sensitive to rising energy- and commodity prices require attention across sectors.

In the insurance sector, second-round effects could emerge via exposures to sectors which, in turn, are highly exposed to the current crisis. Losses in these sectors could have spill-over effects through losses on investments. Two areas could be the most relevant: the exposures of insurers to the banking sector and the exposure to sectors of the economy that are more sensitive to energy and gas prices. Insurers have significant holdings of bank assets, and in this context also hold a significant amount of assets issued by banks that are assumed to be more vulnerable to the evolution of the current crisis. The exposure of EEA insurers to those banks is estimated at only a total amount of EUR 55 bn (0.57% of total investments). Furthermore, insurers have significant asset exposure to sectors sensitive to energy and gas prices. The total exposures sum to EUR 174 bn, which includes almost 3% of the equity portfolio of insurers and 7.5% of corporate bond holdings.

In the banking sector, second-round effects could emerge via deteriorating asset quality and further increasing provisioning needs in a deteriorating economic environment. Fee and commission income might also be affected. Banks’ securities portfolios might moreover be negatively affected as fair value declines when interest rates rise. The worsening economic outlook has already resulted in slightly deteriorating early warning indicators for asset quality. The cost of risk increased to 0.51% in 1Q22, a 4bps increase compared to the previous quarter, as borrowers’ debt servicing capacity might be affected by lower economic growth. The increase was mainly driven by the numerator, i.e. by increasing allowances for credit losses. Also, the share of loans allocated under Stage 2 under IFRS increased in 1Q22 and 4Q21, and is another early-warning indicator pointing to slightly deteriorating asset quality. Responses to the EBA RAQ moreover indicate that a majority of banks expect asset quality to deteriorate.

In line with the deteriorating economic outlook and heightened market- and interest rate volatility, bank funding conditions have worsened since the Ukrainian war started and since interest rates increased. Wholesale bank debt spreads have widened for debt and capital instruments across the capital ladder, and particularly for subordinated instruments. Interest rates for bank debt instruments have risen substantially across durations, albeit from extremely low levels. Since the beginning of the war, bank debt issuance activity has been mainly focused on issuing covered bonds, amid challenging market conditions and as banks have begun to roll over expiring long-term central bank funding facilities. Bank funding conditions are likely to stay more challenging while volatility persists and as interest rates continue to rise. Yet current ample liquidity buffers should allow banks to withstand further periods of market turmoil for the time being. In the medium-term, the substitution of expiring extraordinary central bank funding with other sources of funding could prove challenging for some banks.

In spite of positive operating trends in 1Q2022, the outlook for EU bank profitability is subdued. The deteriorating economic environment might affect lending growth and might result in lower loan- and payment-related fee income. Inflationary pressure, higher provisioning needs for expected deteriorating asset quality, costs related to digital transformation and higher compliance costs, e.g. related to the enforcement of sanctions, will all likely affect costs, and may offset operating cost savings achieved. While rising rates may have a positive impact on interest income, rising funding costs might also offset additional income from asset repricing.

4 INFLATION AND INTEREST RATE RISKS
The Russian aggression and the sanctions applied contributed to inflation pressures via the resulting supply shocks in energy, food and metals commodities, which added to the supply chain bottlenecks related to the pandemic. Higher energy prices particularly contribute to inflation, widely increasing input and distribution costs. In terms of investment impacts, inflation directly lowers real returns. Inflation changes the relative attractiveness of assets both across asset classes and within asset classes. Higher inflation reduces the values of existing assets with fixed returns, such as (most) bonds. By reducing short-term growth, higher rates lower profitability and typically reduce equity values. However, if a rate rise is expected to be effective in increasing long-term growth, it can also increase equity values. Inflation has indirect impacts through its effects on actual and anticipated monetary policy, especially interest rate rises, to reduce demand and bring inflation down. Higher interest rates increase returns on savings and raise borrowing and refinancing costs, reducing debt sustainability. Variable-rate loans face higher debt servicing costs, raising credit risk, including for securitizations backed by variable-rate loans.

In the investment fund sector, interest rate risk increased in a context of rising inflation expectations. Fund portfolios with a longer duration will see their value fall, as inflation drives rates up. However, adjustments are already being made in some funds. Bond fund portfolio durations fell in 1H22, remaining higher for Government (7.6 years, down from 8.6 years) and IG bond funds (6.5 years, down from 7.3 years) than for HY funds (4.3 years, down from 4.8 years). Based on current duration, a 100bps increase in yield could have a potential impact of -7% on bond fund NAV, about EUR 270bn, which could lead to significant fund outflows. In the MMF sector, funds also significantly reduced the weighted average maturity of their portfolios from 44 days to 30 days (a 3-year low) to lower interest rate risk and improve resilience to a rate rise.

As a period of low inflation and low interest rates is coming to an abrupt end, medium-term risks for asset managers are considerable. Impacts on performance and fund flows are likely to vary across asset classes. For example, the recent US increase in rates led to significant reallocation across fund types from bond funds (-4.7% NAV in 1H22) towards funds offering some form of protection against higher rates. To date, this contrasts with the EU. In 1H22, US cumulative flows into funds offering protection against higher inflation or rates, such as inflation-protected funds (EUR 1.5bn), loan funds (EUR 13.9bn) and commodity funds (EUR 16.3bn), outpaced their EU equivalents.

Inflation can have a significant impact on borrowers and retail investors. It can heighten vulnerabilities of debtors exposed to flexible lending rates, or where low interest rates on their loans will expire in the near term, including in mortgage lending. Inflation can also have large effects on real returns on savings and investments of retail investors both in the immediate term as well as in the long term. Retail investors may be unaware of inflation or not pay enough attention to its effects on their assets and purchasing power. Consumers can suffer from behavioral biases, such as money illusion or exponential growth bias, that can lead to insufficient saving and investing. Moreover, when inflation is rising, the effects of insufficient saving on long-term wealth become more pronounced.

Insurer positions are affected by inflation on both the asset and liabilities side, with typically negative net effects for the non-life segment. On the asset side, insurer investments whose market prices are sensitive to inflation will see a direct or indirect impact through movements of the interest rates. On the liability side, inflation affects insurers through higher costs of claims. This is mostly relevant for non-life lines of business, because non-life guarantees are in nominal terms; crucially, insurers build up provisions for future claims payments and in doing so they must make assumptions today about future price developments. Life insurers are less affected by costs of claims; these typically have liabilities in nominal terms, i.e. claims do not increase with the price development, because potential future benefits are often stipulated at inception. Higher general costs can have negative profitability implications for both life and non-life. Finally, the sensitivity to inflation and to interest rates also depends crucially on the duration gap of the undertakings: those with positive duration gaps are more likely to be negatively affected by inflation than those with a negative long duration gap, such as life insurers.

On the liability side, the price development relevant for claims expenses, i.e. claims inflation, is particularly important for insurers. Claims inflation tends to outpace the general inflation rate; claims cost depends only to a small extent on inflation as measured by the Harmonized Index of Consumer Prices (HICP), because the goods for which insurers pay are significantly different from those which consumers buy. Moreover, claims of insurers encompass various costs, not just costs of goods and services. For Europe, there are no time series available on estimates of future claims inflation; each insurer makes its own business line specific forecast.

Developments in the term structure and risk premia, which remain uncertain, are also having an impact on the net effect on insurer positions, through their exposure to interest rate sensitive assets and the duration of their liabilities. A potential increase in long-term rates would be accompanied by a repricing of the risk premia, and the negative impact on the asset side would not be limited to the fixed income assets but would be reflected to other asset classes through the reduction of market prices. A similar scenario was tested in the EIOPA 2018 Stress Test exercise (Yield Curve Up scenario). This showed relatively high resilience of the insurance sector as a result of the solid capital buffers of the sector in aggregate.

Insurance products can be sensitive to inflation: policyholders and pension beneficiaries face the risk of inflation eroding the real value of their benefits. This ultimately depends on the particular features and details of each contract sold. In the traditional business case of nominal interest rate guarantees, higher inflation than expected (relative to that already factored in the guarantees) has a negative impact in real terms for the policyholder, while contracts with profit sharing may help policyholder returns. In the case of unit-linked policies, the policyholder can select the underlying assets from a range of investments, e.g. mutual funds. The allocation could involve assets that provide inflation protection or not. Crucially, it requires policyholder financial knowledge/literacy to navigate through the complex dynamics of how investments affect their benefits. In recent years, the share of unit-linked in the life segment has continued to increase, now reaching a peak of 39% since the introduction of Solvency II reporting, notwithstanding the considerable differences in the popularity of unit-linked products that remain across countries.

In the banking sector, increasing interest rates are usually expected to have a positive impact on interest income and on net interest margins (NIMs). Accordingly, a vast majority of banks responding to the spring 2022 EBA RAQ expect a positive impact on their profitability from rising interest rates with a repricing of assets. Both banks and analysts are optimistic about the impact of rising rates, and 85% of banks responding to the RAQ expect rising rates to have a positive impact on their profitability. However, analysts also expect an increase in provisions and impairments (at 80%, compared to 15% in the previous RAQ). Since 2014 NIMs have steadily decreased in the very low interest rate environment, and have remained nearly stable since Q1 2021 (1.25% in Q2 2022).

In spite of positive expectations, historic episodes of rising interest rates globally, as well as bank profitability trends in some European countries with an earlier cycle of increasing interest rates, offer some indication that NIM may not improve substantially with rising interest rates. Expectations for a substantively positive impact on profitability may be overly optimistic. For example, during periods of stagflation in the USA between 1971 and 1973 and between 1976 and 1980, the sensitivity of NIM to interest rate rises was negligible. Disclosures from banks’ interest rate risks in the banking book (IRRBB) indicate that a parallel shift up of the yield curve positively affects NII for most banks. Yet, while about half of banks disclosing their IRRBB assume that a 200bp parallel rise of the yield curve will add at least 10% to their NII, a majority of banks assume a negative net impact on their economic value of equity (EVE), a long-term measure of their interest rate risk.

On the liabilities side, bank funding costs have increased considerably in line with rising interest rates, which affects profitability. In the next months, analysts expect a broad-based increase in funding costs, including for deposits. Banks, particularly those relying more on wholesale funding, may be affected by a potential substantial increase in funding costs that could even offset positive effects from asset repricing. Banks that need to further build up their loss absorbing capacity could be particularly affected, as a majority of banks consider pricing as the main constraint to issuing instruments eligible for MREL. In line with rising inflation, EU banks’ operating costs are also expected to increase further and have already increased substantially in 1Q22.

While general expectations suggest that banks will benefit from a repricing of assets amid rising interest rates, increasing rates might also affect borrower ability to service their debt, and could thus affect asset quality. Coupled with a deteriorating economic outlook, the rising interest rate environment risks resulting in a reversal of the long-term trend of declining NPL in the banking sector. Rising rates could also contribute to adjustments to the already high real estate valuations in Europe, while the high levels of real estate exposure of EU banks have been identified as a risk. Monetary tightening might also impact lending growth when, for example, tightening is accompanied by lower GDP growth, and so could affect interest income.

5 DIGITAL RELATED RISKS
The Russian war in Ukraine and the increasingly volatile geopolitical environment have heightened cybersecurity risks. The frequency of cyber incidents impacting all sectors of activity, as measured by publicly available data, increased significantly in the first quarter of 2022 compared to the same quarter of last year. The potential for escalation involving cyberattacks remains, and a successful attack on a major financial institution or on a critical infrastructure could spread across the entire financial system. Potential consequences also grow ever more far-reaching as the digitalization trend of the financial sector continues. These include disruptions to business continuity, as well as impact on reputation and, in extreme scenarios, liquidity and financial stability. Potential cyberattacks might not be limited to the financial sector only, but also to consumers. In a severe scenario, access to basic services could be impaired, including financial services, and personal data could be compromised.

The sharp market sell-off in May and June 2022 once again demonstrated the extremely volatile and speculative nature of many crypto-assets and related products and the high risks involved for investors, as highlighted in the recent joint-ESAs Warning. The collapse of the Terra ecosystem in May exposed fragilities in stablecoin markets which, if left unmanaged, could have ripple effects with negative implications for financial stability, calling for a swift implementation of the Markets in Crypto Assets (MiCA) proposed regulation.


The current geopolitical situation underscores the relevance of the legislation on digital operational resilience (DORA). DORA, which builds on the ESAs Joint Advice in the area of information and communication technology (ICT), is expected to enter into force in early 2023. On 10 May 2022 co-legislators reached a provisional political agreement on its final text. DORA aims to establish a comprehensive framework on digital operational resilience for EU financial entities, and consolidate and upgrade ICT risk requirements spread over various financial services legislation (e.g. PSD2, MiFID, NIS). The geopolitical situation has highlighted some of the risks that DORA will address and underscores the importance of the legislation. The ESAs will be working closely together on the many joint deliverables and new tasks under DORA to help implement the legislation. Moreover, the ESAs, in cooperation with NCAs, have launched a high-level exercise (covering a sample of financial entities) to obtain a better understanding of the exposure of the financial sector to ICT third party providers. The exercise will help authorities and entities to prepare for the forthcoming DORA regime for oversight of critical third-party providers of ICT services.

Digitalization and cyber risks are currently assessed as high and show an increasing trend for the financial sector. In the banking sector, cyber risks are assessed to be very high by both banks and supervisors. The insurance, banking and markets sectors likewise remain on high alert. Since the beginning of the war, cyber-related incidents and disruptions beyond Ukraine and Russia have been rather limited to date, but related risks nevertheless remain unabatedly high. Cyber negative sentiment in the insurance sector, measured as the frequency of negative cyber terms pronounced during insurers’ earnings calls, indicates an increased concern in the first quarter of 2022. From an insurance cyber underwriting perspective, cyber-related claims are increasing alongside a growth in the frequency and sophistication of cyber-attacks across financial sectors. In response to increasing cyber-attacks, cyber insurers are strengthening the wording to protect themselves against losses and could eventually also adjust pricing. Insurers seem to have pushed up attempts to tighten policies and to clarify coverage in the case of a retaliation by Russia and its allies in response to sanctions – the so-called war exclusion, which dictates that losses caused by armed conflict are usually not compensated. In this context, clear communication and disclosure to policyholders on the scope of the coverage and level of protection offered by insurance policies is crucial, in order to avoid a mismatch between their expectations and the actual coverage provided.

Supervisors aim to enhance the monitoring of the cyber-related risk framework due to the increased relevance of digitalization and cyber risks. ESMA has recently facilitated increased information-sharing among its competent authorities to ensure supervisors receive timely updates on cyber incidents to inform their work. Turning to the insurance sector, EIOPA has produced exploratory indicators that rely on supervisor responses to the EIOPA Insurance Bottom-Up Survey and on publicly available external data. They will be improved once new supervisory data becomes available. To establish adequate assessment and mitigation tools to address potential systemic cyber and extreme risks, throughout 2022 and 2023 EIOPA will be working on improving its methodological framework for bottom-up insurance stress tests, including cyber risk.

EIOPA Financial Stability Report July 2020

The unexpected COVID-19 virus outbreak led European countries to shut down major parts of their economies with the aim of containing the outbreak. Financial markets experienced huge losses and flight-to-quality investment behaviour. Governments and central banks committed to the provision of significant emergency packages to support the economy, as the economic shock, caused by demand and supply disruptions and reflected in the financial markets, is expected to challenge economic growth, the labour market and consumer sentiment across Europe for an uncertain period of time.

Amid an unprecedented downward shift of interest rate curves during March, reflecting the flight-to-quality behaviour, credit spreads of corporates and sovereigns increased for riskier assets, leading effectively to a double-hit scenario. Equity markets dropped dramatically, showing extreme levels of volatility in response to the uncertainties on virus effects and on the status of government and central bank support programs and their effectiveness. Despite the stressed market environment, there were signs of improvement following the announcements of the support packages and during the course of the initiatives to gradually reopen the economies. The virus outbreak also led to extraordinary working conditions, with part of the services sector working from home, which raises the potential of those conditions being preserved after the virus outbreak, which could decrease demand and market value for commercial real estate investments.

Within this challenging environment, insurers are exposed in terms of solvency risk, profitability risk and reinvestment risk. The sudden reassessment of risk premia and the increase of default risk could trigger large-scale rating downgrades and result in decreased investments’ value for insurers and IORPs, especially for exposures to highly indebted corporates and sovereigns. On the other hand, the risk of ultra-low interest rates for long has further increased. Factoring in the knock on effects of the weakening macro economy, future own funds position of the insurers could be further challenged, due to potential lower levels of profitable new business written accompanied by increased volume of profitable in-force policies being surrendered or lapsed.

Finally, liquidity risk has resurfaced, due to the potential of mass lapse type of events and higher than expected virus and litigation related claims accompanied by the decreased inflows of premiums.


For the European occupational pension sector, the negative impact of COVID-19 on the asset side is mainly driven by deteriorating equity market prices, as, in a number of Member States, IORPs allocate significant proportions of the asset portfolio (up to nearly 60%) in equity investments. However, the investment allocation is highly divergent amongst Member States, so that IORPs in other Member States hold up to 70% of their investments in bonds, mostly sovereign bonds, where the widening of credit spreads impair their market value. The liability side is already pressured due to low interest rates and, where market-consistent valuation is applied, due to low discount rates. The funding and solvency ratios of IORPs are determined by national law and, as could be seen in the 2019 IORP stress test results, have been under pressure and are certainly negatively impacted by this crisis. The current situation may lead to benefit cuts for members and may require sponsoring undertakings to finance funding gaps, which may lead to additional pressure on the real economy and on entities sponsoring an IORP.


Climate risks remain one of the focal points for the insurance and pension industry, with Environmental, Social and Governance (ESG) factors increasingly shaping investment decisions of insurers and pension funds but also affecting their underwriting. In response to climate related risks, the EU presented in mid-December the European Green Deal, a roadmap for making the EU climate neutral by 2050, providing actions meant to boost the efficient use of resources by

  • moving to a clean, circular economy and stopping climate change,
  • reverting biodiversity loss,
  • and cutting pollution.

At the same time, natural catastrophe related losses were milder than in the previous year, but asymmetrically shifted towards poorer countries lacking relevant insurance coverage.

Cyber risks have become increasingly relevant across the financial system in particular during the virus outbreak due to the new working conditions that the confinement measures imposed. Amid the extraordinary en masse remote working arrangements an increased number of cyber-attacks has been reported on both individuals and healthcare systems. With increasing attention for cyber risks both at national and European level, EIOPA contributed to building a strong, reliable, cyber insurance market by publishing its strategy for cyber underwriting and has also been actively involved in promoting cyber resilience in the insurance and pensions sectors.


EIOPA outlines key financial stability risks of the European insurance and pensions sector

The global and European economic outlook has deteriorated in the past months with weakening industrial production and business sentiment and ongoing uncertainties about trade disputes and Brexit. In particular, the “low for long” risk has resurfaced in the EU, as interest rates reached record lows in August 2019 and an increasing number of countries move into negative yield territory for their sovereign bonds even at longer maturities in anticipation of a further round of monetary easing by central banks and a general flight to safety. Bond yields and swap rates have since slightly recovered again, but protracted low interest rates form the key risk for both insurers and pension funds and put pressure on both the capital position and long-term profitability. Large declines in interest rates can also create further incentives for insurers and pension funds to search for yield, which could add to the build-up of vulnerabilities in the financial sector if not properly managed.

Despite the challenging environment, the European insurance sector remains overall well capitalized with a median SCR ratio of 212% as of Q2 2019. However, a slight deterioration could be observed for life insurers in the first half of 2019 and the low interest rate environment is expected to put further pressures on the capital positions of life insurers in the second half of 2019. At the same time, profitability improved in the first half of 2019, mainly due to valuation gains in the equity and bond portfolios of insurers. Nevertheless, the low yield environment is expected to put additional strains on the medium to long term profitability of insurers as higher yielding bonds will have to be replaced by lower yielding bonds, which may make it increasingly difficult for insurers to make investment returns in excess of guaranteed returns issued in the past, which are still prevalent in many countries.

THE EUROPEAN INSURANCE SECTOR

The challenging macroeconomic environment is leading insurance undertakings to further adapt their business models. In order to address the challenges associated with the low yield environment and improve profitability, life insurers are lowering guaranteed rates in traditional products and are increasingly focusing on unit-linked products. On the investment side, insurers are slowly moving towards more alternative investments and illiquid assets, such as unlisted equity, mortgages & loans, infrastructure and property. For non-life insurers, the challenge is mostly focused on managing increasing losses stemming from climate-related risks and cyber events, which may not be adequately reflected in risk models based on historical data, and continued competitive pressures.

Despite the challenging environment, the European insurance sector’s overall gross written premiums (GWP) grew slightly, by 1.6% on an annual basis, in Q2 2019. This growth is particularly driven by the increase in non-life GWP (3.7%), in comparison to a slight decrease in life (-0.5%). This reduced growth rate in life GWP is associated with the slowdown in economic growth; however, this does not seem to have affected the growth of non-life GWP to the same extent. Overall GWP as a percentage of GDP slightly increased from 9% to 11% for the European insurance market; likewise, total assets as a share of GDP improved from 70% to 74%. The share of unit-linked business has slightly declined notwithstanding the growth expectations. Even though insurers are increasingly trying to shift towards unit-linked business in the current low yield environment, the total share of unit-linked business in life GWP has slightly decreased from 42% in Q2 2018 to 40% in Q2 2019; likewise, the share for the median insurance company declined from 34% in Q2 2018 to 31% in Q2 2019. Considerable differences remain across countries, with some countries still being plagued by low trust due to misselling issues in the past. Overall, the trend towards unit-linked business means that investment risks are increasingly transferred to policyholders, with potential reputational risks to the insurance sector in case investment returns turn out lower than anticipated.


The liquid asset ratio slightly deteriorated in the first half of 2019. The median value for liquid assets increased by 1.5% from 63.3% in 2018 Q2 to 64.8% in 2018 Q4, and afterwards slightly decreased to 63.8% in Q2 2019. Furthermore, the distribution moved down (the 10th percentile fell in the past year by 6 p.p. to 47.9%). Liquid assets are necessary in order to meet payment obligations when they are due. Furthermore, a potential increase in interest rate yields might directly impact the liquidity needs of insurers due to a significant increase in the lapse rate, as policyholders might look for more attractive alternative investments.


Lapse rates in the life business remained stable, with a slight increase, in the first half of 2019. The median value increased from 1.34% in Q2 2018 to 1.38% in Q2 2019. Moreover, a potential sudden reversal of risk premia and abruptly rising yields could trigger an increase in lapse rates and surrender ratios as policyholders might look for more attractive investments. Although several contractual and fiscal implications could limit the impact of lapses and surrenders in some countries, potential lapses by policyholders could add additional strains on insurers’ financial position once yields start increasing.

The return on investment has substantially declined further over 2018. The investment returns have significantly deteriorated for the main investment classes (bonds, equity and collective instruments). The median return on investment decreased to only 0.31% in 2018, compared to 2.83% in 2016 and 1.95% in 2017. In particular the four main investment options (government and corporate bonds, equity instruments and collective investment undertakings) – which approximately account for two-thirds of insurers’ total investment portfolios – have generated considerably lower or even negative returns in 2018. As a consequence, insurers may increasingly look for alternative investments, such as unlisted equities, mortgages and infrastructure to improve investment returns. This potential search for yield behaviour might differ per country and warrants close monitoring by supervisory authorities as insurers may suffer substantial losses on these more illiquid investments when markets turn sour.


Despite the challenging investment climate, overall insurer profitability improved in the first half of 2019. The median return on assets (ROA) increased from 0.24% in Q2 2018 to 0.32% in Q2 2019, whereas the median return on excess of assets over liabilities (used as a proxy of return on equity) increased from 2.8% in Q2 2018 to 4.9% in Q2 2019. The improvement in overall profitability seems to stem mainly from valuation gains in the investment portfolio of insurers driven by a strong rebound in equity prices and declining yields (and hence increasing values of bond holdings) throughout the first half of 2019, while profitability could be further supported by strong underwriting results and insurers’ continued focus on cost optimisation. However, the decrease in expected profits in future premiums (EPIFP) from 11% in Q1 2019 to 10.3% in Q2 2019 suggests expectations of deteriorating profitability looking ahead. Underwriting profitability remained stable and overall positive in the first half of 2019. The median Gross Combined Ratio for non-life business remained below 100% in the first half of 2019 across all lines of business, indicating that most EEA insurers were able to generate positive underwriting results (excluding profits from investments). However, significant outliers can still be observed across lines of business, in particular for credit and suretyship insurance, indicating that several insurers have experienced substantial underwriting losses in this line of business. Furthermore, concerns of underpricing and underreserving remain in the highly competitive motor insurance markets.


Solvency positions slightly deteriorated in the first half of 2019 and the low interest rate environment is expected to put further pressures on the capital positions in the second half of the year, especially for life insurers. Furthermore, the number of life insurance undertakings with SCR ratios below the 100% threshold increased in comparison with the previous year from 1 in Q2 2018 to 4 in Q2 2019 mainly due to the low interest rate environment, while the number of non-life insurance undertakings with SCR ratios below 100% threshold decreased from 9 in Q2 2018 to 7 in Q2 2019. The median SCR ratio for life insurers is still the highest compared to non-life insurers and composite undertakings. However, the SCR ratio differs substantially among countries.


The impact of the LTG and transitional measures varies considerably across insurers and countries. The long term guarantees (LTG) and transitional measures were introduced in the Solvency II Directive to ensure an appropriate treatment of insurance products that include long-term guarantees and facilitate a smooth transition to the new regime. These measures can have a significant impact on the SCR ratio by allowing insurance undertakings, among others, to apply a premium to the risk free interest rate used for discounting technical provisions. The impact of applying these measures is highest in DE and the UK, where the distribution of SCR ratios is significantly lower without LTG and transitional measures (Figure 2.16). While it is important to take the effect of LTG measures and transitional measures into account when comparing across insurers and countries, the LTG measures do provide a potential financial stability cushion by reducing overall volatility.

On October 15th 2019, EIOPA launched a public consultation on an Opinion that sets out technical advice for the 2020 review of Solvency II. The call for advice comprises 19 separate topics. Broadly speaking, these can be divided into three parts.

  1. The review of the LTG measures, where a number of different options are being consulted on, notably on extrapolation and on the volatility adjustment.
  2. The potential introduction of new regulatory tools in the Solvency II framework, notably on macro-prudential issues, recovery and resolution, and insurance guarantee schemes. These new regulatory tools are considered thoroughly in the consultation.
  3. Revisions to the existing Solvency II framework including in relation to
    • freedom of services and establishment;
    • reporting and disclosure;
    • and the solvency capital requirement.

The main specific considerations and proposals of this consultation are as follows:

  • Considerations to choose a later starting point for the extrapolation of risk-free interest rates for the euro or to change the extrapolation method to take into account market information beyond the starting point.
  • Considerations to change the calculation of the volatility adjustment to risk-free interest rates, in particular to address overshooting effects and to reflect the illiquidity of insurance liabilities.
  • The proposal to increase the calibration of the interest rate risk sub-module in line with empirical evidence, in particular the existence of negative interest rates. The proposal is consistent with the technical advice EIOPA provided on the Solvency Capital Requirement standard formula in 2018.
  • The proposal to include macro-prudential tools in the Solvency II Directive.
  • The proposal to establish a minimum harmonised and comprehensive recovery and resolution framework for insurance.

The European Supervisory Authorities (ESAs) published on the 4th October 2019 a Joint Opinion on the risks of money laundering and terrorist financing affecting the European Union’s financial sector. In this Joint Opinion, the ESAs identify and analyse current and emerging money laundering and terrorist financing (ML/TF) risks to which the EU’s financial sector is exposed. In particular, the ESAs have identified that the main cross-cutting risks arise from

  • the withdrawal of the United Kingdom (UK) from the EU,
  • new technologies,
  • virtual currencies,
  • legislative divergence and divergent supervisory practices,
  • weaknesses in internal controls,
  • terrorist financing and de-risking.

In order to mitigate these risks, the ESAs have proposed a number of potential actions for the Competent Authorities.

Following its advice to the European Commission on the integration of sustainability risks in Solvency II and the Insurance Distribution Directive in April 2019, EIOPA published on 30th September 2019 an Opinion on Sustainability within Solvency II, which addresses the integration of climate-related risks in Solvency II Pillar I requirements. EIOPA found no current evidence to support a change in the calibration of capital requirements for “green” or “brown” assets. In the opinion, EIOPA calls on insurance and reinsurance undertakings to implement measures linked with climate change-related risks, especially in view of a substantial impact on their business strategy; in that respect, the importance of scenario analysis in the undertakings’ risk management is highlighted. To increase the European market and citizens’ resilience to climate change, undertakings are called on to consider the impact of their underwriting practices on the environment. EIOPA also supports the development of new insurance products, adjustments in the design and pricing of the products and the engagement with public authorities, as part of the industry’s stewardship activity.

On the 15th July 2019 EIOPA submitted to the European Commission draft amendments to the Implementing technical standards (ITS) on reporting and the ITS on public disclosure. The proposed amendments are mainly intended to reflect the changes in the Solvency II Delegated Regulation by the Commission Delegated Regulation (EU) 2019/981 and the Commission Delegated Regulation 2018/1221 as regards the calculation of regulatory capital requirements for securitisations and simple, transparent and standardised securitisations held by insurance and reinsurance undertakings. A more detailed review of the reporting and disclosure requirements will be part of the 2020 review of Solvency II.

On 18th June 2019 the Commission Delegated Regulation (EU) 2019/981 amending the Solvency II Delegated Regulation with respect to the calculation of the SCR for standard formula users was published. The new regulation includes the majority of the changes proposed by EIOPA in its advice to the Commission in February 2018 with the exception of the proposed change regarding interest rate risk. Most of the changes are applicable since July 2019, although changes to the calculation of the loss-absorbing capacity of deferred taxes and non-life and health premium and reserve risk will apply from 1 January 2020.

RISK ASSESSMENT

QUALITATIVE RISK ASSESSMENT

EIOPA conducts twice a year a bottom-up survey among national supervisors to determine the key risks and challenges for the European insurance and pension fund sectors, based on their probability and potential impact.

The EIOPA qualitative Autumn 2019 Survey reveals that low interest rates remain the main risk for both the insurance and pension fund sectors. Equity risks also remain prevalent, ranking as the 3rd and 2nd biggest risk for the insurance and pension funds sectors respectively. The cyber risk category is now ranked as the 2nd biggest risk for the insurance sector, as insurers need to adapt their business models to this new type of risk both from an operational risk perspective and an underwriting perspective. Geopolitical risks have become more significant for both markets, along with Macro risks, which continue to be present in the insurance and pension fund sectors, partially due to concerns over protectionism, trade tensions, debt sustainability, sudden increase in risk premia and uncertainty relating to the potential future post-Brexit landscape.

The survey further suggests that all the risks are expected to increase over the coming year. The increased risk of the low-for-long interest rate environment is in line with the observed market developments, particularly after the ECB’s announcement of renewed monetary easing in September 2019. The significant expected rise of cyber, property, equity, macro and geopolitical risks in the following year is also in line with the observed market developments, indicating increased geopolitical uncertainty, trade tensions, stretched valuations in equity and real estate markets and more frequent and sophisticated cyber attacks, which could all potentially affect the financial position of insurers and pension funds. On the other hand, ALM risks and credit risk for financials are expected to increase in the coming year, while in the last survey in Spring 2019 the expectations were following the opposite direction.

Although cyber risk ranks as one of the top risks and is expected to increase in the following year, many jurisdictions also see cyber-related insurance activities as a growth opportunity. The rapid pace of technological innovation and digitalisation is a challenge for the insurance market, and insurers need to be able to adapt their business models to this challenging environment. Nonetheless, from a profitability perspective, increased digitalisation may offer significant cost-saving and revenue-increasing opportunities for insurance companies. The increase of awareness of cyber risk and higher vulnerability to cyber threats among undertakings due to the increased adoption of digital technologies could drive a growth in cyber insurance underwriting.

The survey shows that the exposure to a sudden correction of the risk premia differs significantly across EU countries. In the event of a sudden correction in the risk premia, insurance undertakings and pension funds with ample exposure to bonds and real estate could suffer significant asset value variations that could lead to forced asset sales and potentially amplify the original shock to asset prices in less liquid markets. Some jurisdictions, however, confirm the limited exposure to this risk due to the low holding of fixed income instruments and well diversified portfolios.

The survey further indicates that national authorities expect an increase of investments in alternative asset classes and more illiquid assets. Conversely, holdings of government bonds are expected to decrease in favour of corporate bonds within the next 12 months. Overall, this might indicate that potential search-for-yield behaviour and a shift towards more illiquid assets continue throughout numerous EU jurisdictions. Property investments – through for instance mortgages and infrastructure investment – are also expected to increase in some jurisdictions, for both insurers and pension funds. A potential downturn of real estate markets could therefore also affect the soundness of the insurance and pension fund sectors.

QUANTITATIVE RISK ASSESSMENT EUROPEAN INSURANCE SECTOR

This section further assesses the key risks and vulnerabilities for the European insurance sector identified in this report. A detailed breakdown of the investment portfolio and asset allocation is provided with a focus on specific country exposures and interconnectedness with the banking sector. The chapter also analyses in more detail the implications of the current low yield environment for insurers.

INVESTMENTS

Insurance companies’ investments remain broadly stable, with a slight move towards less liquid investment. Government and corporate bonds continue to make up the majority of the investment portfolio, with only a slight movement towards more non-traditional investment instruments such as unlisted equity and mortgages and loans. Life insurers in particular rely on fixed-income assets, due to the importance of asset-liability matching of their long-term obligations. At the same time, the high shares of fixed-income investments could give rise to significant reinvestment risk in the current low yield environment, in case the maturing fixed-income securities can only be replaced by lower yielding fixed-income securities for the same credit quality.

The overall credit quality of the bond portfolio is broadly satisfactory, although slight changes are observed in 2018. The vast majority of bonds held by European insurers are investment grade, with most rated as CQS1 (AA). However, the share of CQS2 has increased in the first half of 2019, and significant differences can be observed for insurers across countries.

INTERCONNECTEDNESS BETWEEN INSURERS AND BANKS

The overall exposures towards the banking sector remain significant for insurers in certain countries, which could be one potential transmission channel in case of a sudden reassessment of risk premia. The interconnectedness between insurers and banks could intensify contagion across the financial system through common risk exposures. A potential sudden reassessment of risk premia may not only affect insurers directly, but also indirectly through exposures to the banking sector. This is also a potential transmission channel of emerging markets distress, as banks have on average larger exposures to emerging markets when compared to insurers.

Another channel of risk transmission could be through different types of bank instruments bundled together and credited by institutional investors such as insurers and pension funds.

Insurers’ exposures towards banks are heterogeneous across the EU/EEA countries, with different levels of home bias as well. Hence, countries with primary banks exposed to emerging markets or weak banking sectors could be impacted more in case of economic distress. On average, 15.95% of the EU/EEA insurers’ assets are issued by the banking sector through different types of instruments, mostly bank bonds.

Click here to access EIOPA’s Dec 2019 Financial Stability Report

Cyber Risk Management – From Security to Resilience

Rapidly evolving threats and infiltration techniques have rendered traditional cyber defense strategies insufficient and ineffective. The emerging threat vectors and speed of change amplified by the digital transformation cannot be addressed by traditional means. Globally, laws are also changing to keep pace as cybercrime evolves, knowing no boundaries. Therefore, organizations must be nimble and agile to keep pace with policy changes, especially when expanding across different jurisdictions.

This report highlights three strategic imperatives to strengthen cyber resilience:

  • Understand (know your threats): Identifying organization- and industry-specific cyber threats and regulations calls for robust strategies that include cross-disciplinary considerations.
  • Measure (know yourself): Quantify the potential financial impact of cyber exposures to compare against the level of risk appetite acceptable to the board. This will determine the amount of investment necessary to mitigate and transfer any residual risk.
  • Manage (know what you can do): Proactively manage cyber risks by having clear action plans based on your capabilities and capacities to protect against cyber criminals.

It is inefficient and impractical to expect organizations to be ahead of every threat, but organizations should at least be on par with the evolution of cyber threats while ensuring compliance with changing laws and regulations. While cyber attacks are inevitable, proper preparation is the essential element that sets resilient organizations apart from the rest in managing risk, minimizing damage, and recovering quickly from any incidents.

Cyber Risk: A Top Concern

Technology continues to play a profound role in shaping the global risk landscape for individuals, businesses, and governments. Risk experts around the world continue to rank massive data fraud and theft and cyber attacks as their greatest and most likely risks over the next decade, a pattern that is consistent with previous years. Most risk experts also expect cyber attacks to have a much greater impact through business disruption and the targeted theft of money, data and intellectual property. Our increased dependence on pervasive, integrated digital technologies also increases anxiety around cyber security.

Rapid Innovation

The pace of business innovation has been driven by technology and connectivity megatrends such as mobile, the Internet of Things (IoT), big data and cloud solutions. The adoption and use of mobile devices have surpassed that of desktops since the last quarter of 2016, with mobile traffic accounting for 52 percent of total internet traffic in 2018. While business benefits include greater convenience and productivity, the use of mobile devices for both work and personal reasons has blurred the lines between sensitive corporate and confidential personal data, which are increasingly exposed to weaker application security features, mobile malware and other vulnerabilities.

Pervasive, Sophisticated Technologies

A recent study by FireEye Mandiant revealed that cyber attackers have followed cloud-reliant organizations, such as software-as-a-service and cloud computing, into the cloud. Mandiant researchers observed an increased volume of attacks against organizations with access to vast amounts of personal and confidential data, such as cloud providers, telecommunications, and retail and hospitality. More than 730 investigations were performed by Mandiant experts globally in 2018, a higher volume than any year before and an increase of more than 30 percent over 2017.

Devious, Organized Threat Actors

The modern cyber risk landscape is rapidly evolving and populated by threat actors with a myriad of motivations and attack sophistication levels. The methodologies can vary from highly-targeted and deliberate, to mass-scale with self-distributing malware. Different threat actors also have different motivations and ambitions that can be uniquely destructive.

Motivations and methodologies of threat actors can also overlap with one another. In many cases, similar tools and techniques are used by different groups since those may be the only tools available. In some cases, state-sponsored actors may even work with hacktivists to carry out an attack. Some threat groups demonstrate increased determination by maintaining persistence in victims’ networks. Some APT attackers plan out their modus operandi and patiently pursue their goals over a long period of time—months or years—before they launch their attack. They rapidly adapt to a victim organization’s attempts to remove them from the network and frequently target the same victim again if access is lost.

After an organization has been successfully attacked, there is a higher probability of re-compromise. According to FireEye, globally two in three (64 percent) compromised organizations were successfully attacked again within a year. It is more significant in APAC where almost eight in 10 (78 percent) of compromised organizations are likely to face at least one additional significant attack over the next year.

Organizations that have been attacked should strengthen their cyber security defenses and close any identified gaps to mitigate risks; unfortunately, this doesn’t always happen.

Data Sharing Economies

Data sharing is inevitable as we accelerate into the digital economy. Our growing interconnectedness is combined with a massive increase in velocity, volume, and variety of data shared across boundaries and jurisdictions. The accelerated digitalization of countries and industries amplifies the systemic effects from cyber attacks and increases the severity of successful cyber attacks.

With the advent of digital and transformative technologies that change the nature of business, policymakers are challenged to maintain the robustness of cyber laws and legislations. The anonymity of the Internet further ensures little or no risk of repercussion for cyber criminals.

According to FireEye CEO Kevin Mandia, “We are on a slippery slope in terms of frequency and seriousness of cyber attacks” and it is likely to get worse unless serious consequences can be put in place for criminal behavior.

Although cyber regulations have lagged behind evolving cyber threats, the past years have seen a substantial increase in new cyber laws and other regulatory schemes, and this is expected to continue. Most regulatory schemes aim to protect data and privacy and fulfil notification obligations by breached organizations, but disclosures and notifications are critical first steps to reveal the volume, frequency and complexity of breaches before data protection and privacy can be further improved.

Complications That Impact Cyber Resilience

In an increasingly complex business and cyber landscape, organizations encounter greater challenges when trying to balance their business resilience and cyber security priorities.

Between 2016 and 2018, the rate of growth for internet users was 10 times faster than the global population. Correspondingly, the surface area for attack has expanded exponentially. The exposure is estimated to impact up to six billion internet users by 2022, approximately three-quarters of the projected world population. Increased connectivity coupled with the expanded adoption of mobile devices makes building cyber security defenses much more challenging since every employee or web-connected device now represents a potential vulnerability.

Underlying Trends Impose Additional Layers of Fiduciary Responsibilities

Rapid digitalization amplifies the systemic effect of cyber threats, which leads to more cyber regulations and policies. In addition to safeguarding the interests of individuals and businesses, governments and policymakers also aim to provide a conducive and well-regulated environment to develop transformative technologies to spearhead their respective digital economies.

Unsurprisingly, their business models are impacted by new cyber laws and regulations. As these laws are introduced, revised and enacted, companies can find themselves in a continually reactive state when attempting to comply with changing policies. Organizations with operations across national boundaries face additional compliance costs as they attempt to navigate diverse regulations in different jurisdictions. While GDPR has led to the convergence of cyber security and data protection laws in the EU, cyber regulations in other parts of the world remain largely localized and diverse.

Re-Thinking a Cyber Resilient Culture

To reduce our growing vulnerability to human-enabled cyber threats, workplace culture needs to change. The outlook, attitudes, values, moral goals and legacy systems shared within an organization have a direct impact on how cyber threats are perceived and managed. While cyber security involves many different technical and information solutions, necessary defenses and resilience cannot be fully achieved without the right mindset.

To establish a cyber resilient culture, everyone in the organization—from executive leadership and management to data analysts and salespeople—has an equal and important role to play in defense.

Through social engineering, threat actors increasingly exploit individuals as the weakest link of the cyber security chain. Therefore, cyber security and resilience must begin with the individual. Although Finance or HR departments may be primary targets for potential access to sensitive information, other executives and employees may also be targeted to gain network access.

How To Line Up Your Defense

Given the reality of the cyber threat landscape, you need to determine the tools you need to mitigate and respond to inevitable cyber attacks. Unfortunately, while both the aggressiveness and sophistication of cyber attacks have accelerated, defensive capabilities have been relatively slow to evolve and respond.

Darren Thayre, Partner in the Digital, Technology and Analytics Practice for Asia Pacific at Oliver Wyman, mentioned that typical cyber security discussions are often absent when organizations initially strategize on cloud implementation, a process normally driven by developers or infrastructure demands.

Many victim organizations and those working diligently on defensive improvements still lack the fundamental security controls and capabilities to either prevent breaches or to minimize the damages and consequences of an inevitable compromise.

Based on trend observations, Kelly Butler, Head of Cyber Practice, Pacific, Marsh, stated that while security remains important in the 2019 cyber landscape, it is becoming more about resilience.

Organizations must maintain a posture of continuous cyber resilience to prepare for and adapt to the changing threat landscape and recover from the disruptive attacks. Otherwise, they risk facing significant gaps in both basic security controls and—more critically—visibility and detection of targeted attacks. The saying goes, “what gets measured, gets managed,” but you can only measure what you understand.

Understand Cyber Risks from a Business Perspective

Cyber risk is now at the forefront of most corporate risk agendas. Organizations are increasingly looking to understand and assess the nature and extent of their potential cyber-related losses—a necessary first step to mitigate those losses.

A cyber defense strategy delivers substantial benefits for both the senior management and the organization, especially when the strategy and associated action plans are mandated from the top and prioritized with the necessary investments and budgets. A proactive cyber defense strategy demonstrates to regulators that the organization takes cyber risk management seriously and has clear priorities in place.

A cyber security strategy is how you direct and focus the creation of an actionable roadmap and build a comprehensive cyber security program. This process allows you to clearly link gaps identified in the program assessment to your organization’s cyber security investments. However, developing a fit-for-purpose strategy and obtaining buy-in for the cyber security program from senior management can be difficult.

After you understand cyber risks from a business perspective, you need to identify how much cyber risk is acceptable (to be absorbed) across your entire organization. This baseline helps make decisions related to cyber risk and implement controls.

For example, you can use a structured methodology to determine your organization’s cyber risk appetite. Ideally, you should break down and prioritize your cyber risk appetite, and the metrics you need to inform and measure the risk appetite. Later, you can develop recommendations regarding governance and operating model requirements, which in turn will determine and influence corporate decisions with respect to cyber security investments.

After you assess the amount of acceptable cyber risk, work to quantify your potential cyber risk exposure. Measure its financial impact to inform the business case for cyber security investments as well as cyber insurance that can mitigate or transfer risk.

Quantification determines the nature and extent of risk impacts for different threats and scenarios. However, boards and senior executives often struggle to clearly and comprehensively gain a current understanding of their organization’s cyber risk profile.

The increase in awareness, cyber data breaches and adoption of cloud-based services are a few of the factors that drive the growth of the cyber insurance market, while high costs inhibit growth. High premiums can be effectively overcome by systematically and clearly understanding organization-specific cyber risks to lower risk exposure and enhance risk profile. For example, the use of data analytics to quantify risk exposure and underwrite cyber risks has proved to drive more efficient and effective risk profiling and provide more accurate policy coverage.

With an internally aligned cyber risk strategy and adequately measured risk exposure around expected losses due to cyber attacks, organizations can better insure and secure stronger financials to respond and recover from an incident. An incident response plan requires the support of proper security technologies and expertise. At a minimum, a response plan requires a full view of IT assets, strong detection capabilities, clear roles and responsibilities and fast reaction times. The plan must also be regularly practiced through drills to ensure that personnel know their roles and to track and record various metrics that measure their performance. Frequent testing can help identify areas for improvement and provide opportunities to continually refine processes and protocols.

Click here to access MMC-FireEye’s Report

Can Data and Technology Support the Insurance Industry to Regain Lost Relevance?

Since the start of the Third Industrial Revolution in the 1980s, the world has changed in many different ways:

  • rapid introduction and adoption of technological innovation (global internet; social networks; mobile technologies; evolving payment solutions; data availability);
  • new economic realities (volatile and shorter economic cycles; interconnected financial climate; underutilisation of assets);
  • structural shifts in society’s values (desire for community; generational altruism; active citizenship);
  • and demographic readjustment (increasing population; urbanization; longer life expectancy; millennials in the work force).

While these changes have been happening, the Insurance industry has seemingly preferred to operate in a closed environment oblivious to much of the impact these changes could bring:

  • Resistance to change,
  • Failure to meet changing customer demands
  • Decrease in the importance of attritional risks

has led the Insurance industry to reduce its relevance.

However

  • the availability of data,
  • the introduction of new capital providers,
  • the impact of new business models emerging from the sharing economy
  • and the challenge of InsurTechs

are affecting the industry's complacency. Collectively, these factors are creating the perfect storm for the incumbents, allowing them to re-evaluate their preference for maintaining the status quo. There is an ever increasing expectation from the industry to be more innovative and deliver a vastly improved customer experience.

As data and emerging technology are accelerating the need for change, they are also opening doors. The industry is at a crossroads where it can either choose to regain relevance by adapting to the new world order or it can continue to decline. Should it choose the latter, it could expose the US$ 5 trillion market to approaches from large technology firms and manufacturers who have the access to customers, transformational capabilities and more than enough capital to fill the void left by the traditional players.

Insurance industry is slow to evolve

The Insurance industry has historically lacked an appetite to evolve and has shown reluctance in adopting industry-wide changes. A number of key elements have created high barriers to entry. New entrants have found it difficult to challenge the status quo and lack appetite to win market share from incumbents with significantly large balance sheets. Such high barriers have kept the impact of disruption to a minimum, allowing the industry to stay complacent even when most other industries have undergone significant structural shifts. In many ways ‘Darwin’ has not been at work.

  • A complex value chain

The Insurance industry started with a simple value chain involving four roles – the insured, a broker who advises the insured, an underwriter who prices the risk and an investor who provides the capital to secure the risk. Over centuries, the chain has expanded to include multiple other roles essential in helping the spreading of large risks across a broad investor community, as shown below.

These new parties have benefitted the chain by providing expertise, access to customers, secure handling of transactions, arbitration in case of disputes and spreading of risk coverage across multiple partners. However, this has also resulted in added complexities and inefficiencies as each risk now undergoes multiple handovers.

While a longer value chain offers opportunities to new entrants to attack at multiple points, the added complexities and the importance of scale reduces opportunities to cause real disruption.

  • Stringent regulations

Insurance is one of the highest regulated industries in the world. And since the global financial crisis of last decade, when governments across the globe bailed out several financial service providers including insurers, the focus on capital adequacy and customer safety has increased manifold.

While a proactive regulatory regime ensures a healthy operating standard with potential measures in place to avoid another financial meltdown, multiple surveys have highlighted the implications of increased regulatory burden, leading to increased costs and limited product innovation.

  • Scale and volatility of losses

The true value of any insurance product is realised when the customer receives payments for incurred losses. This means that insurers must maintain enough reserves at any time to meet these claims.

Over the years, volatility in high severity losses has made it difficult for insurers to accurately predict the required capital levels.

In addition, regulators now require insurers to be adequately capitalised with enough buffer to sustain extreme losses for even the lowest probability of occurrence (for example 1-in-100 years event or 1-in-200 years event). This puts additional pressure on the insurers to maintain bulky balance sheets.

On the other hand, a large capital base gives established insurers advantage of scale and limits growth opportunities for smaller industry players/new entrants.

  • Need for proprietary and historical data

Accurate pricing of the risk is key to survival in the industry. The insurers (specifically underwriters supported by actuaries) rely excessively on experience and statistical analysis to determine the premiums that they would be willing to take to cover the risk.

Access to correct and historical data is of chief importance and has been a key differentiating factor amongst insurers. Since the dawn of the Third Industrial Revolution in the 1980s, insurers have been involved in a race to acquire, store and develop proprietary databases that allow them to price risks better than the competitors.

The collection of these extensive databases by incumbent insurers has given them immense benefits over new entrants that do not typically have similar datasets. Additionally, the incumbents have continued to add on to these databases through an unchallenged continuation of underwriting – which has further widened the gap for new entrants.

Struggling to meet customer needs

Despite years of existence, the Insurance industry has failed to keep up with the demand for risk coverage. For example the economic value of losses from all natural disasters has consistently been more than the insured value of losses by an average multiple of 3x-4x.

The gap is not limited to natural disasters. As highlighted by Aon’s Global Risk Management Survey 2019, multiple top risks cited by customers are either uninsurable or partially insurable, leading to a significant supply gap.

Six of the top 10 risks, including Damage to reputation/brand and Cyber, require better data and analytical insights to achieve fully effective risk transfer. However, current capabilities are primarily applied to drive better pricing and claims certainty across existing risk pools, and have not yet reached their full potential for emerging risks.

This inability to meet customer need has been driven by both an expensive model (for most risks only 60% of premiums paid are actually returned to the insured) and a lack of innovation. Historically, the need for long data trends meant insurance products always trailed emerging risks.

Status Quo is being challenged

While the industry has been losing relevance, it is now facing new challenges which are creating pressure for change. While these challenges are impacting the incumbents, they also provide the potential for insurance to regain its key role in supporting innovation, creating opportunity for lower costs and new innovations.

The insurance customer landscape has changed considerably: traditional property and casualty losses are no longer the only main risks that corporations are focused on mitigating. The importance of intellectual property and brand/reputation in value creation is leading to a realignment in the customer risk profile.

Value in the corporate world is no longer driven by physical/tangible assets. As technology has advanced, it has led to the growth of intangible assets in the form of intellectual property. The graph below shows that 84% of market capitalization in 2018 was driven by intangible assets. While the five largest corporations in 1975 were manufacturing companies (IBM; Exxon Mobil; P&G; GE; 3M), that has completely changed in 2018 as the first five positions were occupied by Tech companies (Apple; Alphabet; Microsoft; Amazon; Facebook). Yet, organizations are only able to secure coverage to insure a relatively small portion of their intangible assets (15%) compared to insurance coverage for legacy tangible assets (59%).

This shift represents both a challenge and an opportunity for the Insurance industry. The ability to provide coverage for intangible assets would enable insurance to regain relevance and support innovation and investment. Until it can, its importance is likely to remain muted.

InsurTech

The Insurance industry has traditionally had manual processes, and has been a paper-driven industry with huge inefficiencies. While customers' needs are evolving at an unprecedentedly quick pace, the incumbents' large legacy systems and naturally conservative approach make them slow to reach the market with new products and an improved customer experience.

InsurTechs are companies that use technology to make the traditional insurance value chain more efficient. They are beginning to reshape the Insurance industry by targeting particular value pools or services in the sector, rather than seeking to provide end-to-end solutions.

InsurTechs have seen more than US$ 11 billion of funding since 2015, and the volume in 2018 is expected to reach US$ 3.8 billion (FT PARTNERS). While InsurTechs were originally viewed as a disruptive force competing with traditional insurers to gain market share, there is a growing collaboration and partnership with the incumbent players. Most of them are launched to help solve legacy insurer problems across the organization, from general inefficiency in operations to enhancing underwriting, distribution, and claims functions, especially in consumer-facing insurance. More recently they are also moving into the commercial segment, focusing on loss prevention and efficiency (CATLIN, T. et al. 2017). Incumbent insurers have managed to leverage InsurTechs to speed up innovation (DELOITTE, 2018: 11). From a funding perspective, most of the US$ 2.6 billion that went into the InsurTechs in the first nine months of 2018 came from incumbent insurers (MOODY'S, 2018: 6).

The accelerated use of technology and digital capabilities again represents both a challenge for the industry but also an opportunity to innovate and develop more efficient products and services.

Data and technology with potential to transform

Traditionally, the Insurance industry has used proprietary historic data to match the demand from risk owners with the supply from capital providers, focusing on relatively simplistic regression analysis as the main approach.

While robust, this approach is reliant on a long data history and limits insurers' ability to move into new areas. Increasingly the transformative power of data and technology is changing this relationship, as shown in the graph below. While underwriting data used to be in the hands of the incumbents only, emerging technologies, new analytical techniques and huge increases in sensors are enabling usage of new forms of data that are much more freely accessible. In addition, these technologies are supporting instant delivery of in-depth analytics that can potentially lead to significant efficiency gains and new types of products.

Aon4

  • Artificial Intelligence

Artificial Intelligence – Robotic Process Automation (RPA) and Cognitive Intelligence (CI) – is known as any system that can perceive the world around it, analyse and understand the information it receives, take actions based on that understanding and improve its own performance by learning from what happened.

Artificial Intelligence not only gives the opportunity to reduce costs (process automation; reduction of cycle times; freeing up of thousands of people hours) but also improves accuracy, which results in better data quality. For insurers this offers significant potential both to enable new ways of interpreting data and understanding risks and to reduce the costs of many critical processes such as claims assessment.

This dual impact of better understanding and lower costs is highly valuable. Insurers’ spend on cognitive/artificial intelligence technologies is expected to rise 48% globally on an annual basis over five years, reaching US$ 1.4 billion by 2021. (DELOITTE, 2017: 15).

  • Internet of Things

The Internet of Things refers to the digitization of objects around us. It works by embedding advanced hardware (e.g. sensors, cameras and meters) into everyday objects and even people themselves, linking those objects further to online networks. (MOODY'S, 2018: 11).

For example, connected devices in homes such as water leakage detectors, smoke alarms, CO2 readers and sophisticated home security systems will support prevention and reduction in losses from water damage, fire and burglary, respectively.

The Internet of Things has the potential to significantly change the way that risks are underwritten. The ability to have access to data in ‘real time’ will provide greater precision in the pricing of risk and also help insurers to respond better to evolving customer needs. Consider the example of home insurance: customers will be forced to reconsider the decision to buy home insurance as currently packaged when their house is already monitored 24/7 for break-ins and sensors are constantly monitoring the appliances to prevent fires. Insurers could utilise the same data to develop customised insurance policies depending on usage and scope of sensors.

The Internet of Things applies equally to wearable devices with embedded sensors for tracking vital statistics to improve the health, safety and productivity of individuals at work. It is predicted that the connected health market will be worth US$ 61 billion by 2026.

The Internet of Things offers the Insurance industry an opportunity to reinvent itself and to move from simply insuring against risk to helping customers protect their properties / health. This integration of insurance with products through live sensor data can revolutionise how insurance is embedded into our everyday lives.

  • Blockchain

All disruptive technologies have a “tipping point” – the exact moment when they move from early adopters to widespread acceptance. Just as it was for Google in the late 1990s and smartphones in the 2000s, could we be approaching the tipping point for the next big disruptive technology – blockchain?

Essentially, blockchain is a shared digital ledger technology that allows a continuously growing number of transactions to be recorded and verified electronically over a network of computers. It holds an immutable record of data, stored locally by each party to remove the barrier of trust. Through smart contracts, blockchain can enable automation of tasks for more efficient processing. It made its debut in 2009 as the system used to track dealing in the first cryptocurrency, Bitcoin, and, since then, organisations around the world have spotted blockchain’s potential to transform operations.

Most industries are currently experimenting with blockchain to identify and prove successful use cases to embrace the technology in business as usual. IDC, a leading market intelligence firm, expects the spend on blockchain to increase from US$ 1.8 billion in 2018 to US$ 11.7 billion in 2022 at a growth rate of 60%.

With all the aforementioned benefits, blockchain also has potential to impact the Insurance industry. It can help Insurers reduce operational and administrative costs through automated verification of policyholders, auditable registration of claims and data from third parties, underwriting of small contracts and automation of claims procedures. Equally, it can help reduce fraud, which would contribute to reducing total cost.

In an industry where ‘trust’ is critical, the ability to have guaranteed contracts, with claims certainty will help the take-up of insurance in new areas. BCG estimates that blockchain could drastically improve the end-to-end processing of a motor insurance policy and any claims arising thereof as shown in the graph below.

Aon5

Conclusion

The relevance of insurance, which has declined over the last few decades, after peaking in the early 1980s, is set to increase again:

  • Big shifts in insurance needs, both in the commercial and consumer segments,
  • New sources of cheap capital,
  • Prevalence of cheap and accessible data and the technology to automate and analyse

will transform the Insurance industry.

Not only is this important for insurers, it is also important for all of us. Insurance is the grease behind investment and innovation. The long-term decline in the Insurance industry's ability to reduce risk could be a significant impediment to future growth.

However, we believe that the reversal of this trend will mean that insurance can once again grow in importance in protecting our key investments and activities.

Click here to access Aon’s White Paper

 

Perspectives on the next wave of cyber

Financial institutions are acutely aware that cyber risk is one of the most significant perils they face and one of the most challenging to manage. The perceived intensity of the threats, and Board level concern about the effectiveness of defensive measures, ramp up continually as bad actors increase the sophistication, number, and frequency of their attacks.

Cyber risk management is high on or at the top of the agenda for financial institutions across the sector globally. Highly visible attacks of increasing insidiousness and sophistication are headline news on an almost daily basis. The line between criminal and political bad actors is increasingly blurred with each faction learning from the other. In addition, with cyberattack tools and techniques becoming more available via the dark web and other sources, the population of attackers continues to increase, with recent estimates putting the number of cyberattackers globally in the hundreds of thousands.

Cyber offenses against banks, clearers, insurers, and other major financial services sector participants will not abate any time soon. Looking at the velocity and frequency of attacks, the motivation for cyberattack upon financial services institutions can be several hundred times higher than for non-financial services organizations.

Observing these developments, regulators are prescribing increasingly stringent requirements for cyber risk management. New and emerging regulation will force changes on many fronts and will compel firms to demonstrate that they are taking cyber seriously in all that they do. However, compliance with these regulations will only be one step towards assuring effective governance and control of institutions’ Cyber Risk.

We explore the underlying challenges with regard to cyber risk management and analyze the nature of increasingly stringent regulatory demands. Putting these pieces together, we frame five strategic moves which we believe will enable businesses to satisfy business needs, their fiduciary responsibilities with regard to cyber risk, and regulatory requirements:

  1. Seek to quantify cyber risk in terms of capital and earnings at risk.
  2. Anchor all cyber risk governance through risk appetite.
  3. Ensure effectiveness of independent cyber risk oversight using specialized skills.
  4. Comprehensively map and test controls, especially for third-party interactions.
  5. Develop and exercise major incident management playbooks.

These points are consistent with global trends for cyber risk management. Further, we believe that our observations on industry challenges and the steps we recommend to address them are applicable across geographies, especially when considering prioritization of cyber risk investments.

FIVE STRATEGIC MOVES

The current environment poses major challenges for Boards and management. Leadership has to fully understand the cyber risk profile the organization faces to simultaneously protect the institution against ever-changing threats and be on the front foot with regard to increasing regulatory pressures, while prioritizing the deployment of scarce resources. This is especially important given that regulation is still maturing and it is not yet clear how high the compliance bars will be set and what resources will need to be committed to achieve passing grades.

With this in mind, we propose five strategic moves which we believe, based on our experience, will help institutions position themselves well to address existing cyber risk management challenges.

1) Seek to quantify cyber risk in terms of capital and earnings at risk

Boards of Directors and all levels of management intuitively relate to risks that are quantified in economic terms. Explaining any type of risk, opportunity, or tradeoff relative to the bottom line brings sharper focus to the debate.

For all financial and many non-financial risks, institutions have developed methods for quantifying expected and unexpected losses in dollar terms that can readily be compared to earnings and capital. Further, regulators have expected this as a component of regulatory and economic capital, CCAR, and/or resolution and recovery planning. Predicting losses due to Cyber is particularly difficult because it consists of a combination of direct, indirect, and reputational elements which are not easy to quantify. In addition, there is limited historical cyber loss exposure data available to support robust cyber risk quantification.

Nevertheless, institutions still need to develop a view of their financial exposures of cyber risk with different levels of confidence and understand how this varies by business line, process, or platform. In some cases, these views may be more expert based, using scenario analysis approaches as opposed to raw statistical modeling outputs. The objectives are still the same – to challenge perspectives as to

  • how much risk exposure exists,
  • how it could manifest within the organization,
  • and how specific response strategies are reducing the institution’s inherent cyber risk.

2) Anchor all cyber risk governance through risk appetite

Regulators are specifically insisting on the establishment of a cyber risk strategy, which is typically shaped by a cyber risk appetite. This should represent an effective governance anchor to help address the Board’s concerns about whether appropriate risks are being considered and managed effectively.

Setting a risk appetite enables the Board and senior management to more deeply understand exposure to specific cyber risks, establish clarity on the Cyber imperatives for the organization, work out tradeoffs, and determine priorities.

Considering cyber risk in this way also enables it to be brought into a common framework with all other risks and provides a starting point to discuss whether the exposure is affordable (given capital and earnings) and strategically acceptable.

Cyber risk appetite should be cascaded down through the organization and provide a coherent management and monitoring framework consisting of

  • metrics,
  • assessments,
  • and practical tests or exercises

at multiple levels of granularity. Such cascading establishes a relatable chain of information at each management level across business lines and functions. Each management layer can hold the next layer more specifically accountable. Parallel business units and operations can have common standards for comparing results and sharing best practices.

Finally, Second and Third Line can have focal points to review and assure compliance. A risk appetite chain further provides a means for the attestation of the effectiveness of controls and adherence to governance directives and standards.

Where it can be demonstrated that risk appetite is being upheld to procedural levels, management will be more confident in providing the attestations that regulators require.


3) Ensure effectiveness of independent cyber risk oversight using specialized skills

From our perspective, firms face challenges when attempting to practically fit cyber risk management into a “Three Lines of Defense” model and align cyber risk holistically within an enterprise risk management framework.

CROs and risk management functions have traditionally developed specialized skills for many risk types, but often have not evolved as much depth on IT and cyber risks. Organizations have overcome this challenge by weaving risk management into the IT organization as a First Line function.

In order to more clearly segregate the roles between IT, business, and Information Security (IS), the Chief Information Security Officer (CISO) and the IS team will typically need to be positioned as a “1.5 Line of Defense” position. This allows an Information Security group to provide more formal oversight and guidance on the cyber requirements and to monitor day-to-day compliance across business and technology teams.

Further independent risk oversight and audit is clearly needed as part of the Third Line of Defense. Defining what oversight and audit means becomes more traceable and tractable when specific governance mandates and metrics from the Board down are established.

Institutions will also need to deal with the practical challenge of building and maintaining Cyber talent that can understand the business imperatives, compliance requirements, and associated cyber risk exposures.

At the leadership level, some organizations have introduced the concept of a Risk Technology Officer who interfaces with the CISO and is responsible for integration of cyber risk with operational risk.

4) Comprehensively map and test controls, especially for third-party interactions

Institutions need to undertake more rigorous and more frequent assessments of cyber risks across operations, technology, and people. These assessments need to test

  • the efficacy of surveillance,
  • the effectiveness of protection and defensive controls,
  • the responsiveness of the organization,
  • and the ability to recover

in a manner consistent with expectations of the Board.

Given the new and emerging regulatory requirements, firms will need to pay closer attention to the ongoing assessment and management of third parties. Third parties need to be tiered based on their access and interaction with the institution’s high value assets. Through this assessment process, institutions need to obtain a more practical understanding of their ability to get early warning signals against cyber threats. In a number of cases, a firm may choose to outsource more IT or data services to third-party providers (e.g., Cloud) where they consider that this option represents a more attractive and acceptable solution relative to the cost or talent demands associated with maintaining Information Security in-house for certain capabilities. At the same time, the risk of third-party compromise needs to be fully understood with respect to the overall risk appetite.


5) Develop and exercise incident management playbooks

A critical test of an institution’s cyber risk readiness is its ability to quickly and effectively respond when a cyberattack occurs.

As part of raising the bar on cyber resilience, institutions need to ensure that they have clearly documented and proven cyber incident response plans that include

  • a comprehensive array of attack scenarios,
  • clear identification of accountabilities across the organization,
  • response strategies,
  • and associated internal and external communication scenarios.

Institutions need to thoroughly test their incident response plan on an ongoing basis via table top exercises and practical drills. As part of a table top exercise, key stakeholders walk through specific attack scenarios to test their knowledge of response strategies. This exercise provides an avenue for exposing key stakeholders to more tangible aspects of cyber risk and their respective roles in the event of a cyberattack. It also can reveal gaps in specific response processes, roles, and communications that the institution will need to address.

Last but not least, incident management plans need to be reviewed and refined based on changes in the overall threat landscape and an assessment of the institution’s cyber threat profile, on a yearly or more frequent basis depending on the nature and volatility of the risk for a given business line or platform.

CONCLUSION

Cyber adversaries are increasingly sophisticated, innovative, organized, and relentless in developing new and nefarious ways to attack institutions. Cyber risk represents a relatively new class of risk which brings with it the need to grasp the often complex technological aspects, social engineering factors, and changing nature of Operational Risk as a consequence of cyber.

Leadership has to understand the threat landscape and be fully prepared to address the associated challenges. It would be impractical to have zero tolerance to cyber risk, so institutions will need to determine their risk appetite with regard to cyber, and consequently, make direct governance, investment, and operational design decisions.

The new and emerging regulations are a clear directive to financial institutions to keep cyber risk at the center of their enterprise-wide business strategy, raising the overall bar for cyber resilience. The associated directives and requirements across the many regulatory bodies represent a good and often strong basis for cyber management practices but each institution will need to further ensure that they are tackling cyber risk in a manner fully aligned with the risk management strategy and principles of their firm. In this context, we believe the five moves represent multiple strategically important advances almost all financial services firms will need to make to meet business security, resiliency, and regulatory requirements.


Click here to access MMC’s Cyber Handbook

 

 

Global Governance Insights on Emerging Risks

A HEIGHTENED FOCUS ON RESPONSE AND RECOVERY

Over a third of directors of US public companies now discuss cybersecurity at every board meeting. Cyber risks are being driven onto the agenda by

  • high-profile data breaches,
  • distributed denial of service (DDoS) attacks,
  • and rising ransomware and cyber extortion attacks.

The concern about cyber risks is justified. The annual economic cost of cyber-crime is estimated at US$1.5 trillion and only about 15% of that loss is currently covered by insurance.

MMC Global Risk Center conducted research and interviews with directors from WCD to understand the scope and depth of cyber risk management discussions in the boardroom. The risk of cyberattack is a constantly evolving threat and the interviews highlighted the rising focus on resilience and recovery in boardroom cyber discussions. Approaches to cyber risks are maturing as organizations recognize them as an enterprise business risk, not just an information technology (IT) problem.

However, board focus varies significantly across industries, geographies, organization size and regulatory context. For example, business executives ranked cyberattacks among the top five risks of doing business in the Asia Pacific region but Asian organizations take 1.7 times longer than the global median to discover a breach and spend on average 47% less on information security than North American firms.

REGULATION ON THE RISE

Tightening regulatory requirements for cybersecurity and breach notification across the globe such as

  • the EU GDPR,
  • China’s new Cyber Security Law,
  • and Australia’s Privacy Amendment,

are also propelling cyber onto the board agenda. Most recently, in February 2018, the USA’s Securities and Exchange Commission (SEC) provided interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents.

Regulations relating to transparency and notifications around cyber breaches drive greater discussion and awareness of cyber risks. Industries such as

  • financial services,
  • telecommunications,
  • and utilities

are subject to a large number of cyberattacks on a daily basis and have stringent regulatory requirements for cybersecurity.

Kris Manos, Director, KeyCorp, Columbia Forest Products, and Dexter Apache Holdings, observed, “The manufacturing sector is less advanced in addressing cyber threats; the NotPetya and WannaCry attacks flagged that sector’s vulnerability and has led to a greater focus in the boardroom.” For example, the virus forced a transportation company to shut down all of its communications with customers and also within the company. It took several weeks before business was back to normal, and the loss of business was estimated to have been as high as US$300 million. Overall, it is estimated that as a result of supply chain disruptions, consumer goods manufacturers, transport and logistics companies, pharmaceutical firms and utilities reportedly suffered, in aggregate, over US$1 billion in economic losses from the NotPetya attacks. Also, as Cristina Finocchi Mahne, Director, Inwit, Italiaonline, Banco Desio, Natuzzi and Trevi Group, noted, “The focus on cyber can vary across industries depending also on their perception of their own clients’ concerns regarding privacy and data breaches.”

LESSONS LEARNED: UPDATE RESPONSE PLANS AND EVALUATE THIRD-PARTY RISK

The high-profile cyberattacks in 2017, along with new and evolving ransomware onslaughts, were learning events for many organizations. Lessons included the need to establish relationships with organizations that can assist in the event of a cyberattack, such as

  • law enforcement,
  • regulatory agencies,
  • and recovery service providers, including forensic accountants and crisis management firms.

Many boards need to increase their focus on their organization’s cyber incident response plans. A recent global survey found that only 30% of companies have a cyber response plan and a survey by the National Association of Corporate Directors (NACD) suggests that only 60% of boards have reviewed their breach response plan over the past 12 months. Kris Manos noted, “[If an attack occurs,] it’s important to be able to quickly access a response plan. This also helps demonstrate that the organization was prepared to respond effectively.”

Experienced directors emphasized the need for effective response plans alongside robust cyber risk mitigation programs to ensure resilience, as well as operational and reputation recovery. As Jan Babiak, Director, Walgreens Boots Alliance, Euromoney Institutional Investor, and Bank of Montreal, stressed, “The importance of the ’respond and recover’ phase cannot be overstated, and this focus needs to rapidly improve.”

Directors need to review how the organization will communicate and report breaches. Response plans should include preliminary drafts of communications to all stakeholders including customers, suppliers, regulators, employees, the board, shareholders, and even the general public. The plan should also consider legal requirements around timelines to report breaches so the organization is not hit with financial penalties that can add to an already expensive and reputationally damaging situation. Finally, the response plan also needs to consider that normal methods of communication (websites, email, etc.) may be casualties of the breach. A cyber response plan housed only on the corporate network may be of little use in a ransomware attack.

Other lessons included the need to focus on cyber risks posed by third-party suppliers, vendors and other impacts throughout the supply chain. Shirley Daniel, Director, American Savings Bank, and Pacific Asian Management Institute, noted, “Such events highlight vulnerability beyond your organization’s control and are raising the focus on IT security throughout the supply chain.” Survey data suggests that about a third of organizations do not assess the cyber risk of vendors and suppliers. This is a critical area of focus as third-party service providers (e.g., software providers, cloud services providers, etc.) are increasingly embedded in value chains.

FRUSTRATIONS WITH OVERSIGHT

Most directors expressed frustrations and challenges with cyber risk oversight even though the topic is frequently on meeting agendas. Part of the challenge is that director-level cyber experts are thin on the ground; most boards have only one individual serving as the “tech” or “cyber” person. A Spencer Stuart survey found that 41% of respondents said their board had at least one director with cyber expertise, with an additional 7% who are in the process of recruiting one. Boards would benefit from the addition of experienced individuals who can identify the connections between cybersecurity and overall company strategy.

A crucial additional challenge is obtaining clarity on the organization’s overall cyber risk management framework. (See Exhibit 1: Boards Need More Information on Cyber Investments.) Olga Botero, Director, Evertec, Inc., and Founding Partner, C&S Customers and Strategy, observed, “There are still many questions unanswered for boards, including:

  • How good is our security program?
  • How do we compare to peers?

There is a big lack of benchmarking on practices.” Anastassia Lauterbach, Director, Dun & Bradstreet, and member of Evolution Partners Advisory Board, summarized it well, “Boards need a set of KPIs for cybersecurity highlighting their company’s

  • unique business model,
  • legacy IT,
  • supplier and partner relationships,
  • and geographical scope.”

[Exhibit 1: Boards Need More Information on Cyber Investments]

Nearly a quarter of boards are dissatisfied with the quality of management-provided information related to cybersecurity because of insufficient transparency, inability to benchmark and difficulty of interpretation.

EFFECTIVE OVERSIGHT IS BUILT ON A COMPREHENSIVE CYBER RISK MANAGEMENT FRAMEWORK

Organizations are maturing from a “harden the shell” approach to a protocol based on understanding and protecting core assets and optimizing resources. This includes the application of risk disciplines to assess and manage risk, including quantification and analytics. (See Exhibit 2: Focus Areas of a Comprehensive Cyber Risk Management Framework.) Quantification shifts the conversation from a technical discussion about threat vectors and system vulnerabilities to one focused on maximizing the return on an organization’s cyber spending and lowering its total cost of risk.

[Exhibit 2: Focus Areas of a Comprehensive Cyber Risk Management Framework]

Directors also emphasized the need to embed the process in an overall cyber risk management framework and culture. “The culture must emphasize openness and learning from mistakes. Culture and cyber risk oversight go hand in hand,” said Anastassia Lauterbach. Employees should be encouraged to flag and highlight potential cyber incidents, such as phishing attacks, as every employee plays a vital role in cyber risk management. Jan Babiak noted, “If every person in the organization doesn’t view themselves as a human firewall, you have a soft underbelly.” Mary Beth Vitale, Director, GEHA and CoBiz Financial, Inc., also noted, “Much of cyber risk mitigation is related to good housekeeping such as timely patching of servers and ongoing employee training and alertness.”

Boards also need to be alert. “Our board undertakes the same cybersecurity training as employees,” noted Wendy Webb, Director, ABM Industries. Other boards are putting cyber updates and visits to security centers on board “offsite” agendas.

THE ROLE OF CYBER INSURANCE

Although the perception of many directors is that cyber insurance provides for limited coverage, the insurance is increasingly viewed as an important component of a cyber risk management framework and can support response and recovery plans. Echoing this sentiment, Geeta Mathur, Director, Motherson Sumi Ltd, IIFL Holdings Ltd, and Tata Communication Transformation Services Ltd., commented, “There is a lack of information and discussion on risk transfer options at the board level. The perception is that it doesn’t cover much particularly relating to business interruption on account of cyber threats.” Cristina Finocchi Mahne also noted, “Currently, management teams may not have a positive awareness of cyber insurance, but we expect this to rapidly evolve over the short-term.”

Insurance does not release the board or management from the development and execution of a robust risk management plan but it can provide a financial safeguard against costs associated with a cyber event. Cyber insurance coverage should be considered in the context of an overall cyber risk management process and cyber risk appetite.

With a robust analysis, the organization can

  • quantify the price of cyber risk,
  • develop effective risk mitigation, transfer and risk financing strategy,
  • and decide if – and how much – cyber insurance to purchase.

This allows the board to have a robust conversation on the relationship between risk, reward and the cost of mitigation and can also prompt an evaluation of potential consequences by using statistical modeling to assess different damage scenarios.

CYBER INSURANCE ADOPTION IS INCREASING

The role of insurance in enhancing cyber resilience is increasingly being recognized by policymakers around the world, and the Organisation for Economic Co-operation and Development (OECD) is recommending actions to stimulate cyber insurance adoption.

Globally, it is expected that the level of future demand for cyber insurance will depend on the frequency of high-profile cyber incidents as well as the evolving legislative and regulatory environment for privacy protections in many countries. In India, for example, there was a 50% increase in companies buying cybersecurity coverage from 2016 to 2017. Research suggests that only 40% of US boards have reviewed their organization’s cyber insurance coverage in the past 12 months.

LIMITING FINANCIAL LOSSES

In the event of a debilitating attack, cyber insurance and associated services can limit an organization’s financial damage from direct and indirect costs and help accelerate its recovery. (See Exhibit 3: Direct and Indirect Costs Associated with a Cyber Attack.) For example, as a result of the NotPetya attack, one global company reported a decline in operating margins and income, with losses in excess of US$500 million in the last fiscal year. The company noted the costs were driven by

  • investments in enhanced systems in order to prevent future attacks;
  • cost of incentives offered to customers to restore confidence and maintain business relationships;
  • additional costs due to claims for service failures;
  • costs associated with data breach or data loss due to third-parties;
  • and “other consequences of which we are not currently aware but may subsequently discover.”

Indeed, the very process of assessing and purchasing cyber insurance can bolster cyber resilience by creating important incentives that drive behavioral change, including:

  • Raising awareness inside the organization on the importance of information security.
  • Fostering a broader dialogue among the cyber risk stakeholders within an organization.
  • Generating an organization-wide approach to ongoing cyber risk management by all aspects of the organization.
  • Assessing the strength of cyber defenses, particularly amid a rapidly changing cyber environment.

[Exhibit 3: Direct and Indirect Costs Associated with a Cyber Attack]

Click here to access Marsh’s and WCD’s detailed report