EIOPA Financial Stability Report July 2020

The unexpected COVID-19 virus outbreak led European countries to shut down major part of their economies aiming at containing the outbreak. Financial markets experienced huge losses and flight-to-quality investment behaviour. Governments and central banks committed to the provision of significant emergency packages to support the economy, as the economic shock, caused by demand and supply disruptions accompanied by its reflection to the financial markets, is expected to challenge economic growth, labour market and the consumer sentiment across Europe for an uncertain period of time.

Amid an unprecedented downward shift of interest rate curves during March, reflecting the flight-to-quality behaviour, credit spreads of corporates and sovereigns increased for riskier assets, leading effectively to a double-hit scenario. Equity markets dramatically dropped showing extreme levels of volatility responding to the uncertainties on virus effects and on the status of government and central banks support programs and their effectiveness. Despite the stressed market environment, there were signs of improvement following the announcements of the support packages and during the course of the initiatives of gradually reopening the economies. The virus outbreak also led to extraordinary working conditions, with part of the services sector working from home, which rises the potential of those conditions being preserved after the virus outbreak, which could decrease demand and market value for commercial real estate investments.

Within this challenging environment, insurers are exposed in terms of solvency risk, profitability risk and reinvestment risk. The sudden reassessment of risk premia and the increase of default risk could trigger large-scale rating downgrades and result in decreased investments’ value for insurers and IORPs, especially for exposures to highly indebted corporates and sovereigns. On the other hand, the risk of ultra-low interest rates for long has further increased. Factoring in the knock on effects of the weakening macro economy, future own funds position of the insurers could be further challenged, due to potential lower levels of profitable new business written accompanied by increased volume of profitable in-force policies being surrendered or lapsed.

Finally, liquidity risk has resurfaced, due to the potential of mass lapse type of events and higher than expected virus and litigation related claims accompanied by the decreased inflows of premiums.

EIOPA1

For the European occupational pension sector, the negative impact of COVID-19 on the asset side is mainly driven by deteriorating equity market prices, as, in a number of Member States, IORPs allocate significant proportions of the asset portfolio (up to nearly 60%) in equity investments. However, the investment allocation is highly divergent amongst Member States, so that IORPs in other Member States hold up to 70% of their investments in bonds, mostly sovereign bonds, where the widening of credit spreads impair their market value. The liability side is already pressured due to low interest rates and, where market-consistent valuation is applied, due to low discount rates. The funding and solvency ratios of IORPs are determined by national law and, as could be seen in the 2019 IORP stress test results, have been under pressure and are certainly negatively impacted by this crisis. The current situation may lead to benefit cuts for members and may require sponsoring undertakings to finance funding gaps, which may lead to additional pressure on the real economy and on entities sponsoring an IORP.

EIOPA2

Climate risks remain one of the focal points for the insurance and pension industry, with Environmental, Social and Governance (ESG) factors increasingly shaping investment decisions of insurers and pension funds but also affecting their underwriting. In response to climate related risks, the EU presented in mid-December the European Green Deal, a roadmap for making the EU climate neutral by 2050, providing actions meant to boost the efficient use of resources by

  • moving to a clean, circular economy and stop climate change,
  • revert biodiversity loss
  • and cut pollution.

At the same time, natural catastrophe related losses were milder than previous year, but asymmetrically shifted towards poorer countries lacking relevant insurance coverages.

Cyber risks have become increasingly relevant across the financial system in particular during the virus outbreak due to the new working conditions that the confinement measures imposed. Amid the extraordinary en masse remote working arrangements an increased number of cyber-attacks has been reported on both individuals and healthcare systems. With increasing attention for cyber risks both at national and European level, EIOPA contributed to building a strong, reliable, cyber insurance market by publishing its strategy for cyber underwriting and has also been actively involved in promoting cyber resilience in the insurance and pensions sectors.

Click here to access EIOPA’s detailed Financial Stability Report July 2020

Fintech, regtech and the role of compliance in 2020

The ebb and flow of attitudes on the adoption and use of technology has evolving ramifications for financial services firms and their compliance functions, according to the findings of the Thomson Reuters Regulatory Intelligence’s fourth annual survey on fintech, regtech and the role of compliance. This year’s survey results represent the views and experiences of almost 400 compliance and risk practitioners worldwide.

During the lifetime of the report it has had nearly 2,000 responses and been downloaded nearly 10,000 times by firms, risk and compliance practitioners, regulators, consultancies, law firms and global systemically-important financial institutions (G-SIFIs). The report also highlights the shifting role of the regulator and concerns about best or better practice approaches to tackle the rise of cyber risk. The findings have become a trusted source of insight for firms, regulators and their advisers alike. They are intended to help regulated firms with planning, resourcing and direction, and to allow them to benchmark whether their resources, skills, strategy and expectations are in line with those of the wider industry. As with previous reports, regional and G-SIFI results are split out where they highlight any particular trend. One challenge for firms is the need to acquire the skill sets which are essential if they are to reap the expected benefits of technological solutions. Equally, regulators and policymakers need to have the appropriate up-todate skillsets to enable consistent oversight of the use of technology in financial services. Firms themselves, and G-SIFIs in particular, have made substantial investments in skills and the upgrading of legacy systems.

Key findings

  • The involvement of risk and compliance functions in their firm’s approach to fintech, regtech and insurtech continues to evolve. Some 65% of firms reported their risk and compliance function was either fully engaged and consulted or had some involvement (59% in prior year). In the G-SIFI population 69% reported at least some involvement with those reporting their compliance function as being fully engaged and consulted almost doubling from 13% in 2018, to 25% in 2019. There is an even more positive picture presented on increasing board involvement in the firm’s approach to fintech, regtech and insurtech. A total of 62% of firms reported their board being fully engaged and consulted or having some involvement, up from 54% in the prior year. For G-SIFIs 85% reported their board being fully engaged and consulted or having some involvement, up from 56% in the prior year. In particular, 37% of G-SIFIs reported their board was fully engaged with and consulted on the firm’s approach to fintech, regtech and insurtech, up from 13% in the prior year.
  • Opinion on technological innovation and digital disruption has fluctuated in the past couple of years. Overall, the level of positivity about fintech innovation and digital disruption has increased, after a slight dip in 2018. In 2019, 83% of firms have a positive view of fintech innovation (23% extremely positive, 60% mostly positive), compared with 74% in 2018 and 83% in 2017. In the G-SIFI population the positivity rises to 92%. There are regional variations, with the UK and Europe reporting a 97% positive view at one end going down to a 75% positive view in the United States.
  • There has been a similar ebb and flow of opinion about regtech innovation and digital disruption although at lower levels. A total of 77% reported either an extremely or mostly positive view, up from 71% in the prior year. For G-SIFIs 81% had a positive view, up from 76% in the prior year.
  • G-SIFIs have reported a significant investment in specialist skills for both risk and compliance functions and at board level. Some 21% of G-SIFIs reported they had invested in and/or appointed people with specialist skills to the board to accommodate developments in fintech, insurtech and regtech, up from 2% in the prior year. This means in turn 79% of G-SIFIs have not completed their work in this area, which is potentially disturbing. Similarly, 25% of G-SIFIs have invested in specialist skills for the risk and compliance functions, up from 9% in the prior year. In the wider population 10% reported investing in specialist skills at board level and 16% reported investing in specialist skills for the risk and compliance function. A quarter (26%) reported they have yet to invest in specialist skills for the risk and compliance function, but they know it is needed (32% for board-level specialist skills). Again, these figures suggest 75% of G-SIFIs have not fully upgraded their risk and compliance functions, rising to 84% in the wider population.
  • The greatest financial technology challenge firms expect to face in the next 12 months have changed in nature since the previous survey, with the top three challenges cited as keeping up with technological advancements; budgetary limitations, lack of investment and cost; and data security. In prior years, the biggest challenges related to the need to upgrade legacy systems and processes as well as budgetary limitations, the adequacy and availability of skilled resources together with the need for cyber resilience. In terms of the greatest benefits expected to be seen from financial technology in the next 12 months the top three are a strengthening of operational efficiency, improved services for customers and greater business opportunities.
  • G-SIFIs are leading the way on the implementation of regtech solutions. Some 14% of G-SIFIs have implemented a regtech solution, up from 9% in the prior year with 75% (52% in the prior year) reporting they have either fully or partially implemented a regtech solution to help manage compliance. In the wider population, 17% reported implementing a regtech solution, up from 8% in the prior year. The 2018 numbers overall showed a profound dip from 2017 when 29% of G-SIFIs and 30% of firms reported implementing a regtech solution, perhaps highlighting that early adoption of regtech solutions was less than smooth.
  • Where firms have not yet deployed fintech or regtech solutions various reasons were cited as to what was holding them back. Significantly, one third of firms cited lack of investment; a similar number of firms pointed to a lack of in-house skills and information security/data protection concerns. Some 14% of  firms and 12% of G-SIFIs reported they had taken a deliberate strategic decision not to deploy fintech or regtech solutions yet.
  • There continues to be substantial variation in the overall budget available for regtech solutions. A total of 38% of firms (31% in prior year) reported that the expected budget would grow in the coming year, however, 31% said they lack a budget for regtech (25% in the prior year). For G-SIFIs 48% expected the budget to grow (36% in prior year), with 12% reporting no budget for regtech solutions (6% in the prior year).

Focus : Challenges for firms

Technological challenges for firms come in all shapes and sizes. There is the potential, marketplace changing, challenge posed by the rise of bigtech. There is also the evolving approach of regulators and the need to invest in specialist skill sets. Lastly, there is the emerging need to keep up with technological advances themselves.

TR10

The challenges for firms have moved on. In the first three years of the report the biggest financial technology challenge facing firms was that of the need to upgrade legacy systems and processes. This year the top three challenges are expected to be the need to keep up with technology advancements; perceived budgetary limitations, lack of investment and cost, and then data security.

Focus : Cyber risk

Cyber risk and the need to be cyber-resilient is a major challenge for financial services firms which are targets for hackers. They must be prepared and be able to respond to any kind of cyber incident. Good customer outcomes will be under threat if cyber resilience fails.

One of the most prevalent forms of cyber attack is ransomware. There are different types of ransomware, all of which will seek to prevent a firm or an individual from using their IT systems and will ask for something (usually payment of a ransom) to be done before access will be restored. Even then, there is no guarantee that paying the fine or acceding to the ransomware attacker’s demands will restore full access to all IT systems, data or files. Many firms have found that critical files often containing client data have been encrypted as part of an attack and large amounts of money are demanded for restoration. Encryption is in this instance used as a weapon and it can be practically impossible to reverse-engineer the encryption or “crack” the files without the original encryption key – which cyber attackers deliberately withhold. What was previously viewed often as an IT problem has become a significant issue for risk and compliance functions. The regulatory stance is typified by the UK Financial Conduct Authority (FCA) which has said its goal is to “help firms become more resilient to cyber attacks, while ensuring that consumers are protected and market integrity is upheld”. Regulators do not expect firms to be impervious but do expect cyber risk management to become a core competency.

Good and better practice on defending against ransomware attacks Risk and compliance officers do not need to become technological experts overnight but must ensure cyber risks are effectively managed and reported on within their firm’s corporate governance framework. For some compliance officers, cyber risk may be well outside their comfort zone but there is evidence that simple steps implemented rigorously can go a long way towards protecting a firm and its customers. Any basic cyber-security hygiene aimed at protecting businesses from ransomware attacks should make full use of the wide range of resources available on cyber resilience, IT security and protecting against malware attacks. The UK National Cyber Security Centre has produced some practical guidance on how organizations can protect themselves in cyberspace, which it updates regularly. Indeed, the NCSC’s 10 steps to cyber security have now been adopted by most of the FTSE350.

TR11

Closing thoughts

The financial services industry has much to gain from the effective implementation of fintech, regtech and insurtech but practical reality is there are numerous challenges to overcome before the potential benefits can be realised. Investment continues to be needed in skill sets, systems upgrades and cyber resilience before firms can deliver technological innovation without endangering good customer outcomes.

An added complication is the business need to innovate while looking over one shoulder at the threat posed by bigtech. There are also concerns for solution providers. The last year has seen many technology start-ups going bust and far fewer new start-ups getting off the ground – an apparent parallel, at least on the surface, to the bubble that was around dotcom. Solutions need to be practical, providers need to be careful not to over promise and under deliver and above all developments should be aimed at genuine problems and not be solutions looking for a problem. There are nevertheless potentially substantive benefits to be gained from implementing fintech, regtech and insurtech solutions. For risk and compliance functions much of the benefit may come from the ability to automate rote processes with increasing accuracy and speed. Indeed, when 900 respondents to the 10th annual cost of compliance survey report were asked to look into their crystal balls and predict the biggest change for compliance in the next 10 years, the largest response was automation.

Technology and its failure or misuse is increasingly being linked to the personal liability and accountability of senior managers. Chief executives, board members and other senior individuals will be held accountable for failures in technology and should therefore ensure their skill set is up-to-date. Regulators and politicians alike have shown themselves to be increasingly intolerant of senior managers who fail to take the expected reasonable steps with regards to any lack of resilience in their firm’s technology.

This year’s findings suggest firms may find it beneficial to consider:

  • Is fintech (and regtech) properly considered as part of the firm’s strategy? It is important for regtech especially not to be forgotten about in strategic terms: a systemic failure arising from a regtech solution has great capacity to cause problems for the firm – the UK FCA’s actions on regulatory reporting, among other things, are an indicator of this.
  • Not all firms seem to have fully tackled the governance challenge fintech implies: greater specialist skills may be needed at board level and in risk and compliance functions.
  • Lack of in-house skills was given as a main reason for failing to develop fintech or regtech solutions. It is heartening that firms understand the need for those skills. As fintech/regtech becomes mainstream, however, firms may be pressed into developing such solutions. Is there a plan in place to plug the skills gap?
  • Only 22% of firms reported that they need more resources to evaluate, understand and deploy fintech/ regtech solutions. This suggests 78% of firms are unduly relaxed about the resources needed in the second line of defence to ensure fintech/regtech solutions are properly monitored. This may be a correct conclusion, but seems potentially bullish.

Click here to access Thomson Reuters’ Survey Results

EIOPA outlines key financial stability risks of the European insurance and pensions sector

The global and European economic outlook has deteriorated in the past months with weakening industrial production and business sentiment and ongoing uncertainties about trade disputes and Brexit. In particular, the “low for long” risk has resurfaced in the EU, as interest rates reached record lows in August 2019 and an increasing number of countries move into negative yield territory for their sovereign bonds even at longer maturities in anticipation of a further round of monetary easing by central banks and a general flight to safety. Bond yields and swap rates have since slightly recovered again, but protracted low interest rates form the key risk for both insurers and pension funds and put pressure on both the capital position and long-term profitability. Large declines in interest rates can also create further incentives for insurers and pension funds to search for yield, which could add to the build-up of vulnerabilities in the financial sector if not properly managed.

Despite the challenging environment, the European insurance sector remains overall well capitalized with a median SCR ratio of 212% as of Q2 2019. However, a slight deterioration could be observed for life insurers in the first half of 2019 and the low interest rate environment is expected to put further pressures on the capital positions of life insurers in the second half of 2019. At the same time, profitability improved in the first half of 2019, mainly due to valuation gains in the equity and bond portfolios of insurers. Nevertheless, the low yield environment is expected to put additional strains on the medium to long term profitability of insurers as higher yielding bonds will have to be replaced by lower yielding bonds, which may make it increasingly difficult for insurers to make investment returns in excess of guaranteed returns issued in the past, which are still prevalent in many countries.

THE EUROPEAN INSURANCE SECTOR

The challenging macroeconomic environment is leading insurance undertakings to further adapt their business models. In order to address the challenges associated with the low yield environment and improve profitability, life insurers are lowering guaranteed rates in traditional products and are increasingly focusing on unit-linked products. On the investment side, insurers are slowly moving towards more alternative investments and illiquid assets, such as unlisted equity, mortgages & loans, infrastructure and property. For non-life insurers, the challenge is mostly focused on managing increasing losses stemming from climate-related risks and cyber events, which may not be adequately reflected in risk models based on historical data, and continued competitive pressures.

Despite the challenging environment, the European insurance sector overall gross written premiums slightly grew by 1.6% on an annual basis in Q2 2019. This growth is particularly driven by the increase in non life GWP (3.7%), in comparison to a slightly decrease in life (-0.5%). This reduction growth rate in life GWP is associated to the slowdown in the economic growth; however this does not seem to have affected the growth of non-life GWP to the same extent. Overall GWP as a percentage of GDP slightly increased from 9% to 11% for the European insurance market, likewise total assets as a share of GDP improved from 70% to 74%. The share of unit-linked business has slightly declined notwithstanding the growth expectations. Even though insurers are increasingly trying to shift towards unit-linked business in the current low yield environment, the total share of unit-linked business in life GWP has slightly decreased from 42% in Q2 2018 to 40% in Q2 2019, likewise the share for the median insurance company declined from 34% in Q2 2018 to 31% in Q2 2019. Considerable differences remain across countries, with some countries still being plagued by low trust due to misselling issues in the past. Overall, the trend towards unit-lead business means that investment risks are increasingly transferred to policyholders with potential reputational risks to the insurance sector in case investment returns turn out lower than anticipated.

EIOPA1

The liquid asset ratio slightly deteriorated in the first half of 2019. The median value for liquid asset increased by 1.5% from 63.3% in 2018 Q2 to 64.8% in 2018 Q4, and after slightly decreased to 63.8% in Q2 2019. Furthermore,  the distribution moved down (10th percentile reduced in the past year by 6 p.p. to 47.9%). Liquid assets are necessary in order to meet payment obligations when they are due. Furthermore, a potential increase in interest rate yields might directly impact the liquidity needs of insurers due to a significant increase in the lapse rate as policyholders might look for more attractive alternative investments.

EIOPA2

Lapse rates in the life business remained stable slightly increased in the first half of 2019. The median value increased from 1.34% in Q2 2018 to 1.38% in Q2 2019. Moreover, a potential sudden reversal of risk premia and abruptly rising yields could trigger an increase in lapse rates and surrender ratios as policyholders might look  for more attractive investments. Although several contractual and fiscal implications could limit the impact of lapses and surrenders in some countries, potential lapses by policyholders could add additional strains on insurers’ financial position once yields start increasing.

The return on investment has substantially declined further over 2018. The investment returns have significantly deteriorated for the main investment classes (bonds, equity and collective instruments). The median return on investment decreased to only 0.31% in 2018, compared to 2.83% in 2016 and 1.95% in 2017. In particular the four main investment options (government and corporate bonds, equity instruments and collective investment undertakings) – which approximately account for two-thirds of insurers’ total investment portfolios – have generated considerably lower or even negative returns in 2018. As a consequence, insurers may increasingly look for alternative investments, such as unlisted equities, mortgages and infrastructure to improve investment returns. This potential search for yield behaviour might differ per country and warrants close monitoring by supervisory authorities as insurers may suffer substantial losses on these more illiquid investments when markets turn sour.

EIOPA3

Despite the challenging investment climate, overall insurer profitability improved in the first half of 2019. The median return on assets (ROA) increased from 0.24% in Q2 2018 to 0.32% in Q2 2019, whereas the median return on excess of assets over liabilities (used as a proxy of return on equity), increased from 2.8% in Q2 2018 to 4.9 % in Q2 2019. The improvement in overall profitability seems to stem mainly from valuation gains in the investment portolio of insurers driven by a strong rebound in equity prices and declining yields (and hence increasing values of bond holdings) throughout the first half of 2019, while profitability could be further supported by strong underwriting results and insurers’ continued focus on cost optimisation. However, decreased expected profits in future premiums (EPIFP) from 11% in Q1 2019 to 10.3% in Q2 2019 suggest expectations of deteriorating profitability looking ahead. Underwriting profitability remained stable and overall positive in the first half of 2019. The median Gross Combined Ratio for non-life business remained below 100% in the first half of 2019 across all lines of business, indicating that most EEA insurers were able to generate positive underwriting results (excluding profits from investments). However, significant outliers can still be observed across lines of business, in particular for credit and suretyship insurance, indicating that several insurers have experienced substantial underwriting losses in this line of business. Furthermore, concerns of underpricing and underreserving remain in the highly competitive motor insurance markets.

EIOPA4

Solvency positions slightly deteriorated in the first half of 2019 and the low interest rate environment is expected to put further pressures on the capital positions in the second half of the year, especially for life insurers. Furthermore, the number of life insurance undertakings with SCR ratios below the 100% threshold increased in comparison with the previous year from 1 in Q2 2018 to 4 in Q2 2019 mainly due to the low interest rate environment, while the number of non-life insurance undertakings with SCR ratios below 100% threshold decreased from 9 in Q2 2018 to 7 in Q2 2019. The median SCR ratio for life insurers is still the highest compared to non-life insurers and composite undertakings. However, the SCR ratio differs substantially among countries.

EIOPA5

The impact of the LTG and transitional measures varies considerably across insurers and countries. The long term guarantees (LTG) and transitional measures were introduced in the Solvency II Directive to ensure an appropriate treatment of insurance products that include long-term guarantees and facilitate a smooth transition of the new regime. These measures can have a significant impact on the SCR ratio by allowing insurance undertakings, among others, to apply a premium to the risk free interest rate used for discounting technical provions. The impact of applying these measures is highest in DE and the UK, where the distribution of SCR ratios is signicantly lower without LTG and transitional measures (Figure 2.16). While it is important to take the effect of LTG measures and transitional measures into account when comparing across insurers and countries, the LTG measures do provide a potential financial stability cushion by reducing overall volatility.

On October 15th 2019, EIOPA launched a public consultation on an Opinion that sets out technical advice for the 2020 review of Solvency II. The call for advice comprises 19 separate topics. Broadly speaking, these can be divided into three parts.

  1. The review of the LTG measures, where a number of different options are being consulted on, notably on extrapolation and on the volatility adjustment.
  2. The potential introduction of new regulatory tools in the Solvency II framework, notably on macro-prudential issues, recovery and resolution, and insurance guarantee schemes. These new regulatory tools are considered thoroughly in the consultation.
  3. Revisions to the existing Solvency II framework including in relation to
    • freedom of services and establishment;
    • reporting and disclosure;
    • and the solvency capital requirement.

The main specific considerations and proposals of this consultation are as follows:

  • Considerations to choose a later starting point for the extrapolation of risk-free interest rates for the euro or to change the extrapolation method to take into account market information beyond the starting point.
  • Considerations to change the calculation of the volatility adjustment to risk-free interest rates, in particular to address overshooting effects and to reflect the illiquidity of insurance liabilities.
  • The proposal to increase the calibration of the interest rate risk sub-module in line with empirical evidence, in particular the existence of negative interest rates. The proposal is consistent with the technical advice EIOPA provided on the Solvency Capital Requirement standard formula in 2018.
  • The proposal to include macro-prudential tools in the Solvency II Directive.
  • The proposal to establish a minimum harmonised and comprehensive recovery and resolution framework for insurance.

The European Supervisory Authorities (ESAs) published on the 4th October 2019 a Joint Opinion on the risks of money laundering and terrorist financing affecting the European Union’s financial sector. In this Joint Opinion, the ESAs identify and analyse current and emerging money laundering and terrorist financing (ML/ TF) risks to which the EU’s financial sector is exposed. In particular, the ESAs have identified that the main cross-cutting risks arise from

  • the withdrawal of the United Kingdom (UK) from the EU,
  • new technologies,
  • virtual currencies,
  • legislative divergence and divergent supervisory practices,
  • weaknesses in internal controls,
  • terrorist financing and de-risking;

in order to mitigate these risks, the ESAs have proposed a number of potential actions for the Competent Authorities.

Following its advice to the European Commission on the integration of sustainability risks in Solvency II and the Insurance Distribution Directive on April 2019, EIOPA has published on 30th September 2019 an Opinion on Sustainability within Solvency II, which addresses the integration of climate-related risks in Solvency II Pillar I requirements. EIOPA found no current evidence to support a change in the calibration of capital requirements for “green” or “brown” assets. In the opinion, EIOPA calls insurance and reinsurance undertakings to implement measures linked with climate change-related risks, especially in view of a substantial impact to their business strategy; in that respect, the importance of scenario analysis in the undertakings’ risk management is highlighted. To increase the European market and citizens’ resilience to climate change, undertakings are called to consider the impact of their underwriting practices on the environment. EIOPA also supports the development of new insurance products, adjustments in the design and pricing of the products and the engagement with public authorities, as part of the industry’s stewardship activity.

On the 15th July 2019 EIOPA submitted to the European Commission draft amendments to the Implementing technical standards (ITS) on reporting and the ITS on public disclosure. The proposed amendments are mainly intended to reflect the changes in the Solvency II Delegated Regulation by the Commission Delegated Regulation (EU) 2019/981 and the Commission Delegated Regulation 2018/1221 as regards the calculation of regulatory capital requirements for securitisations and simple, transparent and standardised securitisations held by insurance and reinsurance undertakings. A more detailed review of the reporting and disclosure requirements will be part of the 2020 review of Solvency II.

On 18th June 2019 the Commission Delegated Regulation (EU) 2019/981 amending the Solvency II Delegated Regulation with respect to the calculation of the SCR for standard formula users was published. The new regulation includes the majority of the changes proposed by EIOPA in its advice to the Commission in February 2018 with the exception of the proposed change regarding interest rate risk. Most of the changes are applicable since July 2019, although changes to the calculation of the loss-absorbing capacity of deferred taxes and non-life and health premium and reserve risk will apply from 1 January 2020.

RISK ASSESSMENT

QUALITATIVE RISK ASSESSMENT

EIOPA conducts twice a year a bottom-up survey among national supervisors to determine the key risks and challenges for the European insurance and pension fund sectors, based on their probability and potential impact.

The EIOPA qualitative Autumn 2019 Survey reveals that low interest rates remain the main risks for both the insurance and pension fund sectors. Equity risks also remain prevalent, ranking as the 3rd and 2nd biggest risk for the insurance and pension funds sectors respectively. The cyber risk category is now rank as the 2nd biggest risk for the insurance sector, as insurers need to adapt their business models to this new type of risk both from an operational risk perspective and an underwriting perspective. Geopolitical risks have become more significant for both markets, along with Macro risks, which continue to be present in the insurance and pension fund sectors, partially due to concerns over protectionism, trade tensions, debt sustainability, sudden increase in risk premia and uncertainty relating to the potential future post-Brexit landscape.

The survey further suggests that all the risks are expected to increase over the coming year. The increased risk of the low for long interest rate environment is in line with the observed market developments, particulary after the ECB’s announcement of renewed monetary easing in September 2019. The significant expected raise of cyber, property, equity, macro and geopolitical risks in the following year is also in line with the observed market developments, indicating increased geopolitical uncertainty, trade tensions, stretched valuations in equity and real estate markets and more frequent and sophisticated cyber attacks which could all potentially affect the financial position of insurers and pension funds. On the other hand, ALM risks and Credit risk for financials are expected to increase in the coming year, while in the last survey in Spring 2019 the expectations were following the opposite direction.

EIOPA6

Although cyber risk is ranking as one of the top risks and expected to increase in the following year, many jurisdictions also see cyber-related insurance activities as a growth opportunity. The rapid pace of technological innovation and digitalisation is a challenge for the insurance market and insurers need to be able to adapt their business models to this challenging environment, nonetheless from a profitability perspective, increased digitalisation may offer significant cost-saving and revenue-increasing opportunities for insurance companies. The increase of awareness of cyber-risk and higher vulnerability to cyber threats among undertakings due to the increased adoption of digital technologies could drive a growth in cyber insurance underwriting.

The survey shows the exposure of an sudden correction of the risk premia significantly differs across EU countries. In the event of a sudden correction in the risk premia, insurance undertakings and pension funds with ample exposure to bonds and real estate, could suffer significant asset value variations that could lead to forced asset sales and potentially amplify the original shock to asset prices in less liquid markets. Some juridictions, however, confirm the limited exposure to this risk due to the low holding of fixed income instruments and well diversified portfolios.

The survey further indicates that national authorities expect the increase of investments in alternative asset classes and more illiquid assets. Conversely, holdings of governement bonds are expected to decrease in favour of corporate bonds within the next 12 months. Overall this might indicate potential search for yield behaviour and a shift towards more illiquid assets continues throughout numerous EU jurisdictions. Property investments – through for instance mortgages and infrastructure investment – are also expected to increase in some jurisdictions, for both insurers and pension funds. A potential downturn of real estate markets could therefore also affect the soundness of the insurance and pension fund sectors.

EIOPA7

QUANTITATIVE RISK ASSESSMENT EUROPEAN INSURANCE SECTOR

This section further assesses the key risks and vulnerabilities for the European insurance sector identified in this report. A detailed breakdown of the investment portfolio and asset allocation is provided with a focus on specific country exposures and interconnectedness with the banking sector. The chapter also analyses in more detail the implications of the current low yield environment for insurers.

INVESTMENTS

Insurance companies’ investments remain broadly stable, with a slight move towards less liquid investment. Government and corporate bonds continue to make up the majority of the investment portfolio, with only a  slight movement towards more non-traditional investment instruments such as unlisted equity and mortgage and loans. Life insurers in particular rely on fixed-income assets, due to the importance of asset-liability matching of their long-term obligations. At the same time, the high shares of fixed-income investments could give rise to significant reinvestment risk in the current low yield environment, in case the maturing fixed-income securities can only be replaced by lower yielding fixed-income securities for the same credit quality.

The overall credit quality of the bond portfolio is broadly satisfactory, although slight changes are observed in 2018. The vast majority of bonds held by European insurers are investment grade, with most rated as CQS1 (AA). However, the share of CQS2 has increased in the first half of 2019, and significant differences can be observed for insurers across countries.

EIOPA8

INTERCONNECTEDNESS BETWEEN INSURERS AND BANKS

The overall exposures towards the banking sector remain significant for insurers in certain countries, which could be one potential transmission channel in case of a sudden reassessment of risk premia. The interconnectedness between insurers and banks could intensify contagion across the financial system through common risk exposures. A potential sudden reassessment of risk premia may not only affect insurers directly, but also indirectly through exposures to the banking sector. This is also a potential transmission channel of emerging markets distress, as banks have on average larger exposures to emerging markets when compared to insurers.

Another channel of risk transmission could be through different types of bank instruments bundled together and credited by institutional investors such as insurers and pension funds.

Insurers’ exposures towards banks are heterogeneous across the EU/EEA countries, with different levels of home bias as well. Hence, countries with primary banks exposed to emerging markets or weak banking sectors could be impacted more in case of economic distress. On average, 15.95% of the EU/EEA insurers’ assets are issued by the banking sector through different types of instruments, mostly bank bonds.

EIOPA9

Click here to access EIOPA’s Dec 2019 Financial Stability Report

Cyber Risk Management – From Security to Resilience

Rapidly evolving threats and infiltration techniques have rendered traditional cyber defense strategies insufficient and ineffective. The emerging threat vectors and speed of change amplified by the digital transformation cannot be addressed by traditional means. Globally, laws are also changing to keep pace as cybercrime evolves, knowing no
boundaries. Therefore, organizations must be nimble and agile to keep pace with policy changes, especially when expanding across different jurisdictions.

This report highlights three strategic imperatives to strengthen cyber resilience:

  • Understand (know your threats): Identify organization and industry-specific cyber threats and regulations calls for robust strategies that include cross-disciplinary considerations.
  • Measure (know yourself): Quantify the potential financial impact of cyber exposures to compare against the level of risk appetite acceptable to the board. This will determine the amount of investment necessary to mitigate and transfer any residual risk.
  • Manage (know what you can do): Proactively manage cyber risks by having clear action plans based on your capabilities and capacities to protect against cyber criminals.

It is inefficient and impractical to expect organizations to be ahead of every threat, but organizations should at least be on par with the evolution of cyber threats while ensuring compliance with changing laws and regulations. While cyber attacks are inevitable, proper preparation is the essential element that sets resilient organizations apart from the rest in managing risk, minimizing damage, and recovering quickly from any incidents.

Cyber Risk: A Top Concern

Technology continues to play a profound role in shaping the global risk landscape for individuals, businesses, and governments. Risk experts around the world continue to rank massive data fraud and theft and cyber attacks as their greatest and most likely risks over the next decade, a pattern that is consistent with previous years. Most risk experts also expect cyber attacks to have a much greater impact through business disruption and the targeted theft of money, data and intellectual property. Our increased dependence on pervasive, integrated digital technologies also increases anxiety around cyber security.

Rapid Innovation

The pace of business innovation has been driven by technology and connectivity megatrends such as mobile, the Internet of Things (IoT), big data and cloud solutions. The adoption and use of mobile devices have surpassed that of desktops since the last quarter of 2016, with mobile traffic accounting for 52 percent of total internet traffic in 2018. While business benefits include greater convenience and productivity, the use of mobile devices for both work and personal reasons has blurred the lines between sensitive corporate and confidential personal data, which are increasingly exposed to weaker application security features, mobile malware and other vulnerabilities.

Pervasive, Sophisticated Technologies

A recent study by FireEye Mandiant revealed that cyber attackers have followed cloud-reliant organizations, such as software-as-a-service and cloud computing, into the cloud. Mandiant researchers observed an increased volume of attacks against organizations with access to vast amounts of personal and confidential data, such as cloud providers, telecommunications, and retail and hospitality. More than 730 investigations were performed by Mandiant experts globally in 2018, a higher volume than any year before and an increase of more than 30 percent over 2017.

Devious, Organized Threat Actors

The modern cyber risk landscape is rapidly evolving and populated by threat actors with a myriad of motivations and attack sophistication levels. The methodologies can vary from highly-targeted and deliberate, to mass-scale with self-distributing malware. Different threat actors also have different motivations and ambitions that can be uniquely destructive.

Motivations and methodologies of threat actors can also overlap with one another. In many cases, similar tools and techniques are used by different groups since those may be the only tools available. In some cases, state-sponsored actors may even work with hacktivists to carry out an attack. Some threat groups demonstrate increased determination by maintaining persistence in victims’ networks. Some APT attackers plan out their modus operandi and patiently pursue their goals over a long period of time—months or years—before they launch their attack. They rapidly adapt to a victim organization’s attempts to remove them from the network and frequently target the same victim again if access is lost.

After an organization has been successfully attacked, there is a higher probability of re-compromise. According to FireEye, globally two in three (64 percent) compromised organizations were successfully attacked again within a year. It is more significant in APAC where almost eight in 10 (78 percent) of compromised organizations are likely to face at least one additional significant attack over the next year.

Organizations that have been attacked should strengthen their cyber security defenses and close any identified gaps to mitigate risks; unfortunately, this doesn’t always happen.

MMC1

Data Sharing Economies

Data sharing is inevitable as we accelerate into the digital economy. Our growing interconnectedness is combined with a massive increase in velocity, volume, and variety of data shared across boundaries and jurisdictions. The accelerated digitalization of countries and industries amplifies the systemic effects from cyber attacks and increases the severity of successful cyber attacks.

With the advent of digital and transformative technologies that change the nature of business, policymakers are challenged to maintain the robustness of cyber laws and legislations. The anonymity of the Internet further ensures little or no risk of repercussion for cyber criminals.

According to FireEye CEO Kevin Mandia, ”We are on a slippery slope in terms of frequency and seriousness of cyber attacks” and it is likely to get worse unless serious consequences can be put in place for criminal behavior.

Although cyber regulations have lagged behind evolving cyber threats, the past years have seen a substantial increase in new cyber laws and other regulatory schemes, and this is expected to continue. Most regulatory schemes aim to protect data and privacy and fulfil notification obligations by breached organizations, but disclosures and notifications are critical first steps to reveal the volume, frequency and complexity of breaches before data protection and privacy can be further improved.

Complications That Impact Cyber Resilience

In an increasingly complex business and cyber landscape, organizations encounter greater challenges when trying to balance their business resilience and cyber security priorities.

Between 2016 and 2018, the rate of growth for internet users was 10 times faster than the global population. Correspondingly, the surface area for attack has expanded exponentially. The exposure is estimated to impact up to six billion internet users by 2022, approximately three-quarters of the projected world population. Increased connectivity coupled with the expanded adoption of mobile devices makes building cyber security defenses much more challenging since every employee or web-connected device now represents a potential vulnerability.

Underlying Trends Impose Additional Layers of Fiduciary Responsibilities

Rapid digitalization amplifies the systemic effect of cyber threats, which leads to more cyber regulations and policies. In addition to safeguarding the interests of individuals and businesses, governments and policymakers also aim provide a conducive and well-regulated environment to develop transformative technologies to spearhead their respective digital economies.

Unsurprisingly, their business models are impacted by new cyber laws and regulations. As these laws are introduced, revised and enacted, companies can find themselves in a continually reactive state when attempting to comply with changing policies. Organizations with operations across national boundaries face additional compliance costs as they attempt to navigate diverse regulations in different jurisdictions. While GDPR has led to the convergence of cyber security and data protection laws in the EU, cyber regulations in other parts of the world remain largely localized and diverse.

Re-Thinking a Cyber Resilient Culture

To reduce our growing vulnerability to humanenabled cyber threats, workplace culture needs to change. The outlook, attitudes, values, moral goals and legacy systems shared within an organization have a direct impact on how cyber threats are perceived and managed. While cyber security involves many different technical and information solutions, necessary defenses and resilience cannot be fully achieved without the right mindset.

To establish a cyber resilient culture, everyone in the organization—from executive leadership and management to data analysts and salespeople—have an equal and important role to play in defense.

Through social engineering, threat actors increasingly exploit individuals as the weakest link of the cyber security chain. Therefore, cyber security and resilience must begin with the individual. Although Finance or HR departments may be primary targets for potential access to sensitive information, other executives and employees may also be targeted to gain network access.

How To Line Up Your Defense

Given the reality of the cyber threat landscape, you need to determine the tools you need to mitigate and respond to inevitable cyber attacks. Unfortunately, while both the aggressiveness and sophistication of cyber attacks have accelerated, defensive capabilities have been relatively slow to evolve and respond.

MMC2

Darren Thayre, Partner in the Digital, Technology and Analytics Practice for Asia Pacific at Oliver Wyman, mentioned that typical cyber security discussions are often absent when organizations initially strategize on cloud implementation, a process normally driven by developers or infrastructure demands.

Many victim organizations and those working diligently on defensive improvements still lack the fundamental security controls and capabilities to either prevent breaches or to minimize the damages and consequences of an inevitable compromise.

Based on trend observations, Kelly Butler, Head of Cyber Practice, Pacific, Marsh, stated that while security remains important in the 2019 cyber landscape, it is becoming more about resilience.

Organizations must maintain a posture of continuous cyber resilience to prepare for and adapt to the changing threat landscape and recover from the disruptive attacks. Otherwise, they risk facing significant gaps in both basic security controls and—more critically—visibility and detection of targeted attacks. The saying goes, “what gets measured, gets managed,” but you can only measure what you understand.

Understand Cyber Risks from a Business Perspective

Cyber risk is now at the forefront of most corporate risk agendas. Organizations are increasingly looking to understand and assess the nature and extent of their potential cyber-related losses—a necessary first step to mitigate those losses.

A cyber defense strategy delivers substantial benefits for both the senior management and the organization, especially when the strategy and associated action plans are mandated from the top and prioritized with the necessary investments and budgets. A proactive cyber defense strategy demonstrates to regulators that the organization takes cyber risk management seriously and has clear priorities in place.

A cyber security strategy is how you direct and focus the creation of an actionable roadmap and build a comprehensive cyber security program. This process allows you to clearly link gaps identified in the program assessment to your organization’s cyber security investments. However, developing a fit-for-purpose strategy and obtaining buy-in for the cyber security program from senior management can be difficult.

MMC3

After you understand cyber risks from a business perspective, you need to identify how much cyber risk is acceptable (to be absorbed) across your entire organization. This baseline helps make decisions related to cyber risk and implement controls.

For example, you can use a structured methodology to determine your organization’s cyber risk appetite. Ideally, you should break down and prioritize your cyber risk appetite, and the metrics you need to inform and measure the risk appetite. Later, you can develop recommendations regarding governance and operating model requirements, which in turn will determine and influence corporate decisions with respect to cyber security investments.

MMC4

After you assess the amount of acceptable cyber risk, work to quantify your potential cyber risk exposure. Measure its financial impact to inform the business case for cyber security investments as well as cyber insurance that can mitigate or transfer risk.

Quantification determines nature and extent of risk impacts for different threats and scenarios. However, boards and senior executives often struggle to clearly and comprehensively gain a current understanding of their organization’s cyber risk profile.

MMC5

The increase in awareness, cyber data breaches and adoption of cloud-based services are a few of the factors that drive the growth of the cyber insurance market, while high costs inhibit growth. High premiums can be effectively overcome by systematically and clearly understanding organization-specific cyber risks to lower risk exposure and enhance risk profile. For example, the use of data analytics to quantify risk exposure and underwrite cyber risks has proved to drive more efficient and effective risk profiling and provide more accurate policy coverage.

MMC6

With an internally aligned cyber risk strategy and adequately measured risk exposure around expected losses due to cyber attacks, organizations can better insure and secure stronger financials to respond and recover from an incident. An incident response plan requires the support of proper security technologies and expertise. At a minimum, a response plan requires full view of IT assets, strong detection capabilities, clear roles and responsibilities and fast reaction times. The plan must also be regularly practiced through drills to ensure that personnel know their roles and to track and record various metrics that measure their performance. Frequent testing can help identify areas for improvement and provide opportunities to continually refine processes and protocols.

Click here to access MMC-FireEye’s Report

Perspectives on the next wave of cyber

Financial institutions are acutely aware that cyber risk is one of the most significant perils they face and one of the most challenging to manage. The perceived intensity of the threats, and Board level concern about the effectiveness of defensive measures, ramp up continually as bad actors increase the sophistication, number, and frequency of their attacks.

Cyber risk management is high on or at the top of the agenda for financial institutions across the sector globally. Highly visible attacks of increasing insidiousness and sophistication are headline news on an almost daily basis. The line between criminal and political bad actors is increasingly blurred with each faction learning from the other. In addition, with cyberattack tools and techniques becoming more available via the dark web and other sources, the population of attackers continues to increase, with recent estimates putting the number of cyberattackers globally in the hundreds of thousands.

Cyber offenses against banks, clearers, insurers, and other major financial services sector participants will not abate any time soon. Looking at the velocity and frequency of attacks, the motivation for cyberattack upon financial services institutions can be several hundred times higher than for non-financial services organizations.

Observing these developments, regulators are prescribing increasingly stringent requirements for cyber risk management. New and emerging regulation will force changes on many fronts and will compel firms to demonstrate that they are taking cyber seriously in all that they do. However, compliance with these regulations will only be one step towards assuring effective governance and control of institutions’ Cyber Risk.

We explore the underlying challenges with regard to cyber risk management and analyze the nature of increasingly stringent regulatory demands. Putting these pieces together, we frame five strategic moves which we believe will enable businesses to satisfy business needs, their fiduciary responsibilities with regard to cyber risk, and regulatory requirements:

  1. Seek to quantify cyber risk in terms of capital and earnings at risk.
  2. Anchor all cyber risk governance through risk appetite.
  3. Ensure effectiveness of independent cyber risk oversight using specialized skills.
  4. Comprehensively map and test controls, especially for third-party interactions.
  5. Develop and exercise major incident management playbooks.

These points are consistent with global trends for cyber risk management. Further, we believe that our observations on industry challenges and the steps we recommend to address them are applicable across geographies, especially when considering prioritization of cyber risk investments.

FIVE STRATEGIC MOVES

The current environment poses major challenges for Boards and management. Leadership has to fully understand the cyber risk profile the organization faces to simultaneously protect the institution against everchanging threats and be on the front foot with regard to increasing regulatory pressures, while prioritizing the deployment of scarce resources. This is especially important given that regulation is still maturing and it is not yet clear how high the compliance bars will be set and what resources will need to be committed to achieve passing grades.

With this in mind, we propose five strategic moves which we believe, based on our experience, will help institutions position themselves well to address existing cyber risk management challenges.

1) Seek to quantify cyber risk in terms of capital and earnings at risk

Boards of Directors and all levels of management intuitively relate to risks that are quantified in economic terms. Explaining any type of risk, opportunity, or tradeoff relative to the bottom line brings sharper focus to the debate.

For all financial and many non-financial risks, institutions have developed methods for quantifying expected and unexpected losses in dollar terms that can readily be compared to earnings and capital. Further, regulators have expected this as a component of regulatory and economic capital, CCAR, and/or resolution and recovery planning. Predicting losses due to Cyber is particularly difficult because it consists of a combination of direct, indirect, and reputational elements which are not easy to quantify. In addition, there is limited historical cyber loss exposure data available to support robust cyber risk quantification.

Nevertheless, institutions still need to develop a view of their financial exposures of cyber risk with different levels of confidence and understand how this varies by business line, process, or platform. In some cases, these views may be more expert based, using scenario analysis approaches as opposed to raw statistical modeling outputs. The objectives are still the same – to challenge perspectives as to

  • how much risk exposure exists,
  • how it could manifest within the organization,
  • and how specific response strategies are reducing the institution’s inherent cyber risk.

2) Anchor all cyber risk governance through risk appetite

Regulators are specifically insisting on the establishment of a cyber risk strategy, which is typically shaped by a cyber risk appetite. This should represent an effective governance anchor to help address the Board’s concerns about whether appropriate risks are being considered and managed effectively.

Setting a risk appetite enables the Board and senior management to more deeply understand exposure to specific cyber risks, establish clarity on the Cyber imperatives for the organization, work out tradeoffs, and determine priorities.

Considering cyber risk in this way also enables it to be brought into a common framework with all other risks and provides a starting point to discuss whether the exposure is affordable (given capital and earnings) and strategically acceptable.

Cyber risk appetite should be cascaded down through the organization and provide a coherent management and monitoring framework consisting of

  • metrics,
  • assessments,
  • and practical tests or exercises

at multiple levels of granularity. Such cascading establishes a relatable chain of information at each management level across business lines and functions. Each management layer can hold the next layer more specifically accountable. Parallel business units and operations can have common standards for comparing results and sharing best practices.

Finally, Second and Third Line can have focal points to review and assure compliance. A risk appetite chain further provides a means for the attestation of the effectiveness of controls and adherence to governance directives and standards.

Where it can be demonstrated that risk appetite is being upheld to procedural levels, management will be more confident in providing the attestations that regulators require.

cyber1

3) Ensure effectiveness of independent cyber risk oversight using specialized skills

From our perspective, firms face challenges when attempting to practically fit cyber risk management into a “Three Lines of Defense” model and align cyber risk holistically within an enterprise risk management framework.

CROs and risk management functions have traditionally developed specialized skills for many risk types, but often have not evolved as much depth on IT and cyber risks. Organizations have overcome this challenge by weaving risk management into the IT organization as a First Line function.

In order to more clearly segregate the roles between IT, business, and Information Security (IS), the Chief Information Security Officer (CISO) and the IS team will typically need to be positioned as a « 1.5 Line of Defense » position. This allows an Information Security group to provide more formal oversight and guidance on the cyber requirements and to monitor day-today compliance across business and technology teams.

Further independent risk oversight and audit is clearly needed as part of the Third Line of Defense. Defining what oversight and audit means becomes more traceable and tractable when specific governance mandates and metrics from the Board down are established.

Institutions will also need to deal with the practical challenge of building and maintaining Cyber talent that can understand the business imperatives, compliance requirements, and associated cyber risk exposures.

At the leadership level, some organizations have introduced the concept of a Risk Technology Officer who interfaces with the CISO and is responsible for integration of cyber risk with operational risk.

4) Comprehensively map and test controls, especially for the third party interactions

Institutions need to undertake more rigorous and more frequent assessments of cyber risks across operations, technology, and people. These assessments need to test

  • the efficacy of surveillance,
  • the effectiveness of protection and defensive controls,
  • the responsiveness of the organization,
  • and the ability to recover

in a manner consistent with expectations of the Board.

Given the new and emerging regulatory requirements, firms will need to pay closer attention to the ongoing assessment and management of third parties. Third parties need to be tiered based on their access and interaction with the institution’s high value assets. Through this assessment of process, institutions need to obtain a more practical understanding of their ability to get early warning signals against cyber threats. In a number of cases, a firm may choose to outsource more IT or data services to third party providers (e.g., Cloud) where they consider that this option represents a more attractive and acceptable solution relative to the cost or talent demands associated with maintaining Information Security in-house for certain capabilities. At the same time, the risk of third party compromise needs to be fully understood with respect to the overall risk appetite.

cyber3

5) Develop and exercise incident management playbooks

A critical test of an institution’s cyber risk readiness is its ability to quickly and effectively respond when a cyberattack occurs.

As part of raising the bar on cyber resilience, institutions need to ensure that they have clearly documented and proven cyber incident response plans that include

  • a comprehensive array of attack scenarios,
  • clear identification of accountabilities across the organization,
  • response strategies,
  • and associated internal and external communication scenarios.

Institutions need to thoroughly test their incident response plan on an ongoing basis via table top exercises and practical drills. As part of a table top exercise, key stakeholders walk through specific attack scenarios to test their knowledge of response strategies. This exercise provides an avenue for exposing key stakeholders to more tangible aspects of cyber risk and their respective roles in the event of a cyberattack. It also can reveal gaps in specific response processes, roles, and communications that the institution will need to address.

Last but not least, incident management plans need to be reviewed and refined based on changes in the overall threat landscape and an assessment of the institution’s cyber threat profile; on a yearly or more frequent basis depending on the nature and volatility of the risk for a given business line or platform.

CONCLUSION

Cyber adversaries are increasingly sophisticated, innovative, organized, and relentless in developing new and nefarious ways to attack institutions. Cyber risk represents a relatively new class of risk which brings with it the need to grasp the often complex technological aspects, social engineering factors, and changing nature of Operational Risk as a consequence of cyber.

Leadership has to understand the threat landscape and be fully prepared to address the associated challenges. It would be impractical to have zero tolerance to cyber risk, so institutions will need to determine their risk appetite with regard to cyber, and consequently, make direct governance, investment, and operational design decisions.

The new and emerging regulations are a clear directive to financial institutions to keep cyber risk at the center of their enterprise-wide business strategy, raising the overall bar for cyber resilience. The associated directives and requirements across the many regulatory bodies represent a good and often strong basis for cyber management practices but each institution will need to further ensure that they are tackling cyber risk in a manner fully aligned with the risk management strategy and principles of their firm. In this context, we believe the five moves represent multiple strategically important advances almost all financial services firms will need to make to meet business security, resiliency, and regulatory requirements.

cyber2

click here to access mmc’s cyber handbook

 

 

The Global Risks Landscape 2019

Is the world sleepwalking into a crisis? Global risks are intensifying but the collective will to tackle them appears to be lacking. Instead, divisions are hardening. The world’s move into a new phase of strongly state-centred politics, noted in last year’s Global Risks Report, continued throughout 2018. The idea of “taking back control”— whether domestically from political rivals or externally from multilateral or supranational organizations — resonates across many countries and many issues. The energy now expended on consolidating or recovering national control risks weakening collective responses to emerging global challenges. We are drifting deeper into global problems from which we will struggle to extricate ourselves.

During 2018, macroeconomic risks moved into sharper focus. Financial market volatility increased and the headwinds facing the global economy intensified. The rate of global growth appears to have peaked: the latest International Monetary Fund (IMF) forecasts point to a gradual slowdown over the next few years. This is mainly the result of developments in advanced economies, but projections of a slowdown in China—from 6.6% growth in 2018 to 6.2% this year and 5.8% by 2022—are a source of concern. So too is the global debt burden, which is significantly higher than before the global financial crisis, at around 225% of GDP. In addition, a tightening of global financial conditions has placed particular strain on countries that built up dollar-denominated liabilities while interest rates were low.

Geopolitical and geo-economic tensions are rising among the world’s major powers. These tensions represent the most urgent global risks at present. The world is evolving into a period of divergence following a period of globalization that profoundly altered the global political economy. Reconfiguring the relations of deeply integrated countries is fraught with potential risks, and trade and investment relations among many of the world’s powers were difficult during 2018.

Against this backdrop, it is likely to become more difficult to make collective progress on other global challenges—from protecting the environment to responding to the ethical challenges of the Fourth Industrial Revolution. Deepening fissures in the international system suggest that systemic risks may be building. If another global crisis were to hit, would the necessary levels of cooperation and support be forthcoming? Probably, but the tension between the globalization of the world economy and the growing nationalism of world politics is a deepening risk.

Environmental risks continue to dominate the results of our annual Global Risks Perception Survey (GRPS). This year, they accounted for three of the top five risks by likelihood and four by impact. Extreme weather was the risk of greatest concern, but our survey respondents are increasingly worried about environmental policy failure: having fallen in the rankings after Paris, “failure of climate-change mitigation and adaptation” jumped back to number two in terms of impact this year. The results of climate inaction are becoming increasingly clear. The accelerating pace of biodiversity loss is a particular concern. Species abundance is down by 60% since 1970. In the human food chain, biodiversity loss is affecting health and socioeconomic development, with implications for well-being, productivity, and even regional security.

Technology continues to play a profound role in shaping the global risks landscape. Concerns about data fraud and cyber-attacks were prominent again in the GRPS, which also highlighted a number of other technological vulnerabilities: around two-thirds of respondents expect the risks associated with fake news and identity theft to increase in 2019, while three-fifths said the same about loss of privacy to companies and governments. There were further massive data breaches in 2018, new hardware weaknesses were revealed, and research pointed to the potential uses of artificial intelligence to engineer more potent cyberattacks. Last year also provided further evidence that cyber-attacks pose risks to critical infrastructure, prompting countries to strengthen their screening of cross-border partnerships on national grounds.

The importance of the various structural changes that are under way should not distract us from the human side of global risks. For many people, this is an increasingly anxious, unhappy and lonely world. Worldwide, mental health problems now affect an estimated 700 million people. Complex transformations— societal, technological and work-related—are having a profound impact on people’s lived experiences. A common theme is psychological stress related to a feeling of lack of control in the face of uncertainty. These issues deserve more attention: declining psychological and emotional wellbeing is a risk in itself—and one that also affects the wider global risks landscape, notably via impacts on social cohesion and politics.

Another set of risks being amplified by global transformations relate to biological pathogens. Changes in how we live have increased the risk of a devastating outbreak occurring naturally, and emerging technologies are making it increasingly easy for new biological threats to be manufactured and released either deliberately or by accident. The world is badly under-prepared for even modest biological threats, leaving us vulnerable to potentially huge impacts on individual lives, societal well-being, economic activity and national security. Revolutionary new biotechnologies promise miraculous advances, but also create daunting challenges of oversight and control—as demonstrated by claims in 2018 that the world’s first genemodified babies had been created.

Rapidly growing cities and ongoing effects of climate change are making more people vulnerable to rising sea levels. Two-thirds of the global population is expected to live in cities by 2050 and already an estimated 800 million people live in more than 570 coastal cities vulnerable to a sea-level rise of 0.5 metres by 2050. In a vicious circle, urbanization not only concentrates people and property in areas of potential damage and disruption, it also exacerbates those risks— for example by destroying natural sources of resilience such as coastal mangroves and increasing the strain on groundwater reserves. Intensifying impacts will render an increasing amount of land uninhabitable. There are three main strategies for adapting to rising sea-levels:

  1. engineering projects to keep water out,
  2. naturebased defences,
  3. and peoplebased strategies, such as moving households and businesses to safer ground or investing in social capital

to make flood-risk communities more resilient.

In this year’s Future Shocks section, we focus again on the potential for threshold effects that could trigger dramatic deteriorations and cause cascading risks to crystallize with dizzying speed. Each of the 10 shocks we present is a “what-if” scenario—not a prediction, but a reminder of the need to think creatively about risk and to expect the unexpected. Among the topics covered this year are

  • quantum cryptography,
  • monetary populism,
  • affective computing
  • and the death of human rights.

In the Risk Reassessment section, experts share their insights about how to manage risks. John Graham writes about weighing the trade-offs between different risks, and András Tilcsik and Chris Clearfield write about how managers can minimize the risk of systemic failures in their organizations.

And in the Hindsight section, we revisit three of the topics covered in previous reports:

  • food security,
  • civil society
  • and infrastructure investment.

wef1

wef2

click here to access wef-mmc-zurich’s global risks report 2019

 

Global Governance Insights on Emerging Risks

A HEIGHTENED FOCUS ON RESPONSE AND RECOVERY

Over a third of directors of US public companies now discuss cybersecurity at every board meeting. Cyber risks are being driven onto the agenda by

  • high-profile data breaches,
  • distributed denial of services (DDoS) attacks,
  • and rising ransomware and cyber extortion attacks.

The concern about cyber risks is justified. The annual economic cost of cyber-crime is estimated at US$1.5 trillion and only about 15% of that loss is currently covered by insurance.

MMC Global Risk Center conducted research and interviews with directors from WCD to understand the scope and depth of cyber risk management discussions in the boardroom. The risk of cyberattack is a constantly evolving threat and the interviews highlighted the rising focus on resilience and recovery in boardroom cyber discussions. Approaches to cyber risks are maturing as organizations recognize them as an enterprise business risk, not just an information technology (IT) problem.

However, board focus varies significantly across industries, geographies, organization size and regulatory context. For example, business executives ranked cyberattacks among the top five risks of doing business in the Asia Pacific region but Asian organizations take 1.7 times longer than the global median to discover a breach and spend on average 47% less on information security than North American firms.

REGULATION ON THE RISE

Tightening regulatory requirements for cybersecurity and breach notification across the globe such as

  • the EU GDPR,
  • China’s new Cyber Security Law,
  • and Australia’s Privacy Amendment,

are also propelling cyber onto the board agenda. Most recently, in February 2018, the USA’s Securities and Exchange Commission (SEC) provided interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents.

Regulations relating to transparency and notifications around cyber breaches drive greater discussion and awareness of cyber risks. Industries such as

  • financial services,
  • telecommunications
  • and utilities,

are subject to a large number of cyberattacks on a daily basis and have stringent regulatory requirements for cybersecurity.

Kris Manos, Director, KeyCorp, Columbia Forest Products, and Dexter Apache Holdings, observed, “The manufacturing sector is less advanced in addressing cyber threats; the NotPetya and WannaCry attacks flagged that sector’s vulnerability and has led to a greater focus in the boardroom.” For example, the virus forced a transportation company to shut down all of its communications with customers and also within the company. It took several weeks before business was back to normal, and the loss of business was estimated to have been as high as US$300 million. Overall, it is estimated that as a result of supply chain disruptions, consumer goods manufacturers, transport and logistics companies, pharmaceutical firms and utilities reportedly suffered, in aggregate, over US$1 billion in economic losses from the NotPetya attacks. Also, as Cristina Finocchi Mahne, Director, Inwit, Italiaonline, Banco Desio, Natuzzi and Trevi Group, noted, “The focus on cyber can vary across industries depending also on their perception of their own clients’ concerns regarding privacy and data breaches.”

LESSONS LEARNED: UPDATE RESPONSE PLANS AND EVALUATE THIRD-PARTY RISK

The high-profile cyberattacks in 2017, along with new and evolving ransomware onslaughts, were learning events for many organizations. Lessons included the need to establish relationships with organizations that can assist in the event of a cyberattack, such as l

  • aw enforcement,
  • regulatory agencies and recovery service providers
  • including forensic accountants and crisis management firms.

Many boards need to increase their focus on their organization’s cyber incident response plans. A recent global survey found that only 30% of companies have a cyber response plan and a survey by the National Association of Corporate Directors (NACD) suggests that only 60% of boards have reviewed their breach response plan over the past 12 months. Kris Manos noted, “[If an attack occurs,] it’s important to be able to quickly access a response plan. This also helps demonstrate that the organization was prepared to respond effectively.”

Experienced directors emphasized the need for effective response plans alongside robust cyber risk mitigation programs to ensure resilience, as well as operational and reputation recovery. As Jan Babiak, Director, Walgreens Boots Alliance, Euromoney Institutional Investor, and Bank of Montreal, stressed, “The importance of the ’respond and recover’ phase cannot be overstated, and this focus needs to rapidly improve.”

Directors need to review how the organization will communicate and report breaches. Response plans should include preliminary drafts of communications to all stakeholders including customers, suppliers, regulators, employees, the board, shareholders, and even the general public. The plan should also consider legal requirements around timelines to report breaches so the organization is not hit with financial penalties that can add to an already expensive and reputationally damaging situation. Finally, the response plan also needs to consider that normal methods of communication (websites, email, etc.) may be casualties of the breach. A cyber response plan housed only on the corporate network may be of little use in a ransomware attack.

Other lessons included the need to focus on cyber risks posed by third-party suppliers, vendors and other impacts throughout the supply chain. Shirley Daniel, Director, American Savings Bank, and Pacific Asian Management Institute, noted, “Such events highlight vulnerability beyond your organization’s control and are raising the focus on IT security throughout the supply chain.” Survey data suggests that about a third of organizations do not assess the cyber risk of vendors and suppliers. This is a critical area of focus as third-party service providers (e.g., software providers, cloud services providers, etc.) are increasingly embedded in value chains.

FRUSTRATIONS WITH OVERSIGHT

Most directors expressed frustrations and challenges with cyber risk oversight even though the topic is frequently on meeting agendas. Part of the challenge is that director-level cyber experts are thin on the ground; most boards have only one individual serving as the “tech” or “cyber” person. A Spencer Stuart survey found that 41% of respondents said their board had at least one director with cyber expertise, with an additional 7% who are in the process of recruiting one. Boards would benefit from the addition of experienced individuals who can identify the connections between cybersecurity and overall company strategy.

A crucial additional challenge is obtaining clarity on the organization’s overall cyber risk management framework. (See Exhibit 1: Boards Need More Information on Cyber Investments.) Olga Botero, Director, Evertec, Inc., and Founding Partner, C&S Customers and Strategy, observed, “There are still many questions unanswered for boards, including:

  • How good is our security program?
  • How do we compare to peers?

There is a big lack of benchmarking on practices.” Anastassia Lauterbach, Director, Dun & Bradstreet, and member of Evolution Partners Advisory Board, summarized it well, “Boards need a set of KPIs for cybersecurity highlighting their company’s

  • unique business model,
  • legacy IT,
  • supplier and partner relationships,
  • and geographical scope.”

CR Ex 1

Nearly a quarter of boards are dissatisfied with the quality of management-provided information related to cybersecurity because of insufficient transparency, inability to benchmark and difficulty of interpretation.

EFFECTIVE OVERSIGHT IS BUILT ON A COMPREHENSIVE CYBER RISK MANAGEMENT FRAMEWORK

Organizations are maturing from a “harden the shell” approach to a protocol based on understanding and protecting core assets and optimizing resources. This includes the application of risk disciplines to assess and manage risk, including quantification and analytics. (See Exhibit 2: Focus Areas of a Comprehensive Cyber Risk Management Framework.) Quantification shifts the conversation from a technical discussion about threat vectors and system vulnerabilities to one focused on maximizing the return on an organization’s cyber spending and lowering its total cost of risk.

CR Ex 2

Directors also emphasized the need to embed the process in an overall cyber risk management framework and culture. “The culture must emphasize openness and learning from mistakes. Culture and cyber risk oversight go hand in hand,” said Anastassia Lauterbach. Employees should be encouraged to flag and highlight potential cyber incidents, such as phishing attacks, as every employee plays a vital role in cyber risk management. Jan Babiak noted, “If every person in the organization doesn’t view themselves as a human firewall, you have a soft underbelly.” Mary Beth Vitale, Director, GEHA and CoBiz Financial, Inc., also noted, “Much of cyber risk mitigation is related to good housekeeping such as timely patching of servers and ongoing employee training and alertness.”

Boards also need to be alert. “Our board undertakes the same cybersecurity training as employees,” noted Wendy Webb, Director, ABM Industries. Other boards are putting cyber updates and visits to security centers on board “offsite” agendas.

THE ROLE OF CYBER INSURANCE

Although the perception of many directors is that cyber insurance provides for limited coverage, the insurance is increasingly viewed as an important component of a cyber risk management framework and can support response and recovery plans. Echoing this sentiment, Geeta Mathur, Director, Motherson Sumi Ltd, IIFL Holdings Ltd, and Tata Communication Transformation Services Ltd., commented, « There is a lack of information and discussion on risk transfer options at the board level. The perception is that it doesn’t cover much particularly relating to business interruption on account of cyber threats.” Cristina Finocchi Mahne also noted, “Currently, management teams may not have a positive awareness of cyber insurance, but we expect this to rapidly evolve over the short-term.”

Insurance does not release the board or management from the development and execution of a robust risk management plan but it can provide a financial safeguard against costs associated with a cyber event. Cyber insurance coverage should be considered in the context of an overall cyber risk management process and cyber risk appetite.

With a robust analysis, the organization can

  • quantify the price of cyber risk,
  • develop effective risk mitigation,
  • transfer and risk financing strategy,
  • and decide if – and how much – cyber insurance to purchase.

This allows the board to have a robust conversation on the relationship between risk, reward and the cost of mitigation and can also prompt an evaluation of potential consequences by using statistical modeling to assess different damage scenarios.

CYBER INSURANCE ADOPTION IS INCREASING

The role of insurance in enhancing cyber resilience is increasingly being recognized by policymakers around the world, and the Organisation of Economic Co-operation and Development (OECD) is recommending actions to stimulate cyber insurance adoption.

Globally, it is expected the level of future demand for cyber insurance will depend on the frequency of high-profile cyber incidents as well as the evolving legislative and regulatory environment for privacy protections in many countries. In India, for example, there was a 50% increase in companies buying cybersecurity coverage 2016 to 2017. Research suggests that only 40% of US boards have reviewed their organization’s cyber insurance coverage in the past 12 months.

LIMITING FINANCIAL LOSSES

In the event of a debilitating attack, cyber insurance and associated services can limit an organization’s financial damage from direct and indirect costs and help accelerate its recovery. (See Exhibit 3: Direct and Indirect Costs Associated with a Cyber Attack.) For example, as a result of the NotPetya attack, one global company reported a decline in operating margins and income, with losses in excess of US$500 million in the last fiscal year. The company noted the costs were driven by

  • investments in enhanced systems in order to prevent future attacks;
  • cost of incentives offered to customers to restore confidence and maintain business relationships;
  • additional costs due to claims for service failures; costs associated with data breach or data loss due to third-parties;
  • and “other consequences of which we are not currently aware but may subsequently discover.”

Indeed, the very process of assessing and purchasing cyber insurance can bolster cyber resilience by creating important incentives that drive behavioral change, including:

  • Raising awareness inside the organization on the importance of information security.
  • Fostering a broader dialogue among the cyber risk stakeholders within an organization.
  • Generating an organization-wide approach to ongoing cyber risk management by all aspects of the organization.
  • Assessing the strength of cyber defenses, particularly amid a rapidly changing cyber environment.

CR Ex 3

Click here to access Marsh’s and WCD’s detailed report