On 10 November 2022, the European Parliament voted to adopt a new EU regulation on digital operational resilience for the financial sector (DORA). With obligations under DORA coming into effect late in 2024 or early 2025 at the latest, in this briefing we take a closer look at its impact and consider what the regulation will mean for firms, their senior managers and operations and what firms should be doing now in preparation for day one compliance.
What is DORA?
Aimed at harmonising national rules on operational resilience and cybersecurity regulation across the EU, DORA establishes uniform requirements for the security of the network and information systems of companies and organisations operating in the financial sector, as well as for critical third parties that provide them with services related to information and communication technologies (ICT), such as cloud platforms or data analytics services.
DORA creates a regulatory framework for digital operational resilience under which all in-scope firms need to make sure that they can withstand, respond to and recover from all types of ICT-related disruptions and threats. ICT services are defined broadly to include digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis.
DORA forms part of the EU’s Digital Finance Package (DFP), which aims to develop a harmonised European approach to digital finance that fosters technological development and ensures financial stability and consumer protection. The DFP also includes legislative proposals on markets in cryptoassets (MiCA), distributed ledger technology and a digital finance strategy.
Who will need to comply with DORA?
DORA will apply to a wide range of financial entities, including:
credit institutions, payment institutions, electronic money institutions and investment firms,
cryptoasset service providers (authorised under MiCA) and issuers of asset-referenced tokens,
central securities depositories,
managers of alternative investment funds and management companies,
data reporting service providers,
insurance and reinsurance undertakings,
insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries,
institutions for occupational retirement pensions,
credit rating agencies,
administrators of critical benchmarks,
crowdfunding service providers and
securitisation repositories (Financial Entities).
DORA will also apply to ICT third-party service providers which the European Supervisory Authorities (ESAs), namely the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA) acting through their Joint Committee, designate as ‘critical’ for Financial Entities (Critical ICT Third-Party Providers) through a newly established oversight framework.
The ESAs will make this designation based on a set of qualitative and quantitative criteria, including:
the systemic impact on the stability, continuity or quality of financial services in the event that the ICT third-party provider faced a large-scale operational failure to provide its services;
the systemic character or importance of Financial Entities that rely on the ICT third-party service provider;
the degree of reliance of those Financial Entities on the services provided by the ICT third-party service provider in relation to critical or important functions of those Financial Entities; and
the degree of substitutability of the ICT third-party service provider.
Any ICT third-party service provider not designated as critical will have the option to voluntarily ‘opt in’ to the oversight. The ESAs may not designate certain excluded categories of ICT third-party service providers, namely:
Financial Entities providing ICT services to other Financial Entities,
ICT third-party service providers delivering services predominantly to the entities of their own group, and
ICT third-party service providers providing ICT services solely in one Member State to Financial Entities that are active only in that Member State.
What are the key obligations?
DORA introduces targeted rules on ICT risk management capability, reporting and testing, in a way which enables Financial Entities to withstand, respond to and recover from ICT incidents. In principle, some of the requirements imposed by DORA, such as for ICT risk management, are already reflected to a certain extent in existing EU guidance (for example, the EBA Guidelines on ICT and security risk management).
The requirements include the following.
ICT risk management
DORA sets out key principles around internal controls and governance structures. A Financial Entity’s management body will be responsible for defining, approving, overseeing and being continuously accountable for the firm’s ICT risk management framework, as part of its overall risk management framework. Under that framework, Financial Entities need to maintain resilient ICT systems, built around the core functions of ICT risk management such as
identification of ICT risks,
protection and prevention,
detection, and
response and recovery.
Reporting of ICT-related incidents
DORA aims to create a consistent incident reporting mechanism, including a management process to detect, manage and notify ICT-related incidents. Incidents classified as ‘major’ will need to be reported to the competent authority within strict time frames, starting with an initial notification ‘without delay’ on the same or the next day using mandatory reporting templates, followed by intermediate and final reports. In some cases, communication to service users or customers will also be required.
Digital operational resilience testing
As part of the ICT risk management framework, DORA requires Financial Entities to adopt a robust and comprehensive digital operational resilience testing programme covering ICT tools, systems and processes. Certain Financial Entities must additionally carry out advanced testing of their ICT tools, systems and processes at least every three years by means of threat-led penetration testing.
Information sharing
DORA contains provisions to facilitate the sharing, among Financial Entities, of cyber threat information and intelligence, including
indicators of compromise,
tactics, techniques and procedures,
cyber security alerts and
configuration tools,
in order to strengthen digital operational resilience.
Third country Critical ICT Third-Party Providers
Financial Entities will only be permitted to make use of the services of a third country Critical ICT Third-Party Provider if that provider establishes a subsidiary in the EU within 12 months following its designation as a Critical ICT Third-Party Provider.
Simplified ICT risk management framework
A simplified set of ICT risk management requirements will apply to certain Financial Entities, including small and non-interconnected investment firms and payment institutions exempted under the Second Payment Services Directive (PSD2). Such entities will need to comply with a reduced set of requirements under DORA, including the requirement to put in place and maintain a sound and documented ICT risk management framework that details the mechanisms and measures aimed at the quick, efficient and comprehensive management of all ICT risks, including the protection of relevant physical components and infrastructures.
What should firms be doing now to prepare?
Although DORA is not expected to apply to in-scope entities until late 2024 or early 2025 (see below), firms should now begin considering the steps that they will need to take to ensure day one compliance. These include:
Scope out impact
Taking a risk-based approach reflective of their size, nature, scale and the complexity of their services and operations, Financial Entities should begin to scope out the impact of DORA on their business. Firms should carry out a comprehensive gap analysis of their existing ICT risk management processes against the new requirements introduced by DORA, identify the aspects of their existing processes that will be affected, and develop detailed implementation plans setting out the steps needed to effect the relevant changes. As part of this, Financial Entities should ensure that they have in place appropriate:
(i) capabilities to enable a strong and effective ICT risk management environment;
(ii) mechanisms and policies for handling all ICT-related incidents and reporting major incidents; and
(iii) policies for the testing of ICT systems, controls and processes and the management of ICT third-party risk.
This process will be iterative as some of the more detailed requirements of DORA will be further developed through technical standards to be published by the ESAs in due course.
Critical ICT Third-Party Providers
Critical ICT Third-Party Providers will be required to have in place comprehensive, sound and effective rules, procedures, mechanisms and arrangements to manage the ICT risks which they may pose to Financial Entities. DORA provides that the designation mechanism (under which the ESAs may designate an ICT third-party service provider as ‘critical’) may not be used until the Commission has adopted a delegated act specifying further details of the criteria to be used in that assessment, to be adopted within 18 months after the date on which DORA enters into force. Nevertheless, it is expected that certain categories of providers, such as cloud computing service providers that provide ICT services to Financial Entities, will be designated as Critical ICT Third-Party Providers.
Consequently, such providers may wish to begin benchmarking their existing systems, controls and processes against existing guidelines, such as the EBA Guidelines on ICT and security risk management and the EBA Guidelines on outsourcing arrangements, to identify areas that require further investment and maturity. They will also need to consider whether new and existing contracts give them sufficient flexibility to comply with new regulatory rules, orders and directions, even where doing so would otherwise be inconsistent with their contractual obligations. As set out above, certain categories of ICT third-party service providers are expressly excluded from the designation mechanism, namely Financial Entities providing ICT services to other Financial Entities, intra-group ICT service providers and ICT third-party service providers providing ICT services solely in one Member State to Financial Entities that are only active in that Member State.
Third country Critical ICT Third-Party Providers: subsidiarisation
The EU subsidiarisation requirement that will apply to third country Critical ICT Third-Party Providers is one that will necessitate early engagement between such providers and the Financial Entities that they serve. While it is not clear what role the EU subsidiary must play in the provision of services to the relevant Financial Entity (e.g. whether the subsidiary must act as the contractual counterparty), Recital 58 of DORA indicates that the requirement to set up a subsidiary in the EU does not prevent ICT services and related technical support from being provided from facilities and infrastructure located outside the EU. Nevertheless, where a third country ICT third-party service provider that is likely to be designated as ‘critical’ indicates that it does not intend to establish a subsidiary in the EU, even following such a designation by the ESAs, Financial Entities may wish to commence the process of identifying alternative providers, since they will not be permitted to obtain ICT services from a third country Critical ICT Third-Party Provider that fails to establish a subsidiary in the EU within 12 months following its designation as critical.
Companies that consider they are likely to be classified as Critical ICT Third-Party Providers that do not already have an establishment or subsidiary located in the EU should begin to consider now which Member State would be most appropriate to establish a new subsidiary in, taking into account their business operations and the various applicable legal requirements.
DORA also sets out core contractual rights in relation to several elements of the performance and termination of contracts with ICT third-party service providers, with a view to enshrining certain minimum safeguards underpinning the ability of Financial Entities to monitor effectively all risks emerging at the ICT third-party level. Some contractual requirements set out in DORA are mandatory and will need to be included in contracts, if not already reflected. Others take the form of principles and recommendations and may require negotiation between the relevant parties. Early mapping and engagement in this respect will be important. Additionally, parties may wish to consider benchmarking their existing contractual arrangements against the relevant requirements set out in DORA, as well as against existing standard contractual clauses developed by EU institutions.
For example, Recital 55 of DORA notes that ‘the voluntary use of contractual clauses developed by the Commission for cloud computing services may provide comfort for Financial Entities and ICT third-party providers by enhancing the level of legal certainty on the use of cloud computing services in full alignment with requirements and expectations set out by the financial services regulation’.
As the industry awaits the more detailed technical standards to be developed and published by the ESAs, as well as the final Level 1 text of DORA, in-scope entities may consider using existing guidelines, such as the EBA Guidelines on ICT and security risk management and the EBA Guidelines on outsourcing arrangements, as benchmarking tools in preparation for day one compliance.
How does DORA interact with NIS2?
The second iteration of the Security of Network and Information Systems Directive (NIS2) aims to strengthen security requirements and further harmonise Member States’ cybersecurity laws, replacing the original NIS Directive of 2016 (NIS1). Its timeline is similar to that of DORA, with a provisional agreement among the EU institutions reached in May 2022 and its adoption confirmed in the European Parliament plenary vote on 10 November 2022. NIS2 significantly extends the scope of NIS1 by adding new sectors, including ‘digital providers’ such as social media platforms and online marketplaces, and importantly also introduces uniform size criteria for assessing whether certain financial institutions (and other entities) fall within its scope. NIS2 sets out cybersecurity risk management and reporting obligations for relevant organisations, as well as obligations on cybersecurity information sharing, so there is some overlap in coverage with DORA.
However, this overlap was addressed during the legislative process to ensure that financial entities have full clarity on the rules on digital operational resilience with which they need to comply when operating within the EU. NIS2 specifically provides that any overlap will be resolved by treating DORA as lex specialis (i.e. a more specific law that overrides the more general NIS2 provisions for the entities it covers).
How does DORA compare with international developments?
The introduction of DORA in the EU reflects a global focus on operational resilience and strengthening cybersecurity standards in the wake of ever-increasing digitalisation of financial services and increasingly sophisticated cyber incidents. For example, in March 2021, the Basel Committee on Banking Supervision issued its Principles for operational resilience, as well as an updated set of Principles for the sound management of operational risk (PSMOR), which aim to make banks better able to withstand, adapt to and recover from severe adverse events.
In October 2022, following a G20 request, the Financial Stability Board (FSB) published a consultation on Achieving Greater Convergence in Cyber Incident Reporting. It recognises that timely and accurate information on cyber incidents is crucial for effective incident response and recovery and for promoting financial stability, and aims to ensure that financial institutions operating across borders are not subject to multiple conflicting regimes. The FSB proposals include recommendations to address the challenges to achieving greater international convergence in cyber incident reporting, work on establishing common terminology for cyber incidents, and a proposal to develop a common format for exchanging incident reports.
Following its departure from the EU, the UK has introduced a Financial Services and Markets Bill (the UK Bill) which includes proposals to regulate cloud service providers and other critical third parties supplying services to UK regulated firms and financial market infrastructures. HM Treasury would have powers to designate service suppliers as ‘critical’ and the UK regulators would have new powers to directly oversee designated suppliers, which would be subject to new minimum resilience standards. While the proposals have the same ambitions as, and there are similarities with, the requirements under DORA, there are a number of key differences between them.
For example, the proposed enforcement regime under DORA for Critical ICT Third-Party Providers is very different from the equivalent regime proposed by the UK Bill. Under DORA, the ESAs will be designated as ‘Lead Overseers’ with the power to make ‘recommendations’ to Critical ICT Third-Party Providers (backed by periodic penalty payments where a provider fails to comply with the Lead Overseer’s requests for information, investigations or inspections), in contrast to the ability of the UK regulators to make rules applying to, or to give directions to, critical third parties subject to the UK Bill, with the ability to issue sanctions for non-compliance. Under DORA, non-compliance by a Critical ICT Third-Party Provider with recommendations gives the Lead Overseer the ability to notify and publicise such non-compliance and, ‘as a last resort’, the option to require Financial Entities to temporarily suspend the services provided by that provider until the relevant risks identified in the recommendations have been addressed.
This means that the liability and contractual issues for Critical ICT Third-Party Providers providing services in the EU will be different than for those providing services in the UK, and that contracts for each will need to be considered and negotiated carefully.
Next steps and legislative timeline
Following adoption of DORA by the European Parliament plenary session on 10 November 2022, the regulation is now passing through the final technical stages of the formal procedure for European legislation. The text still needs to be formally approved by the Council of the EU before being published in the Official Journal, which is expected in December 2022 or January 2023.
DORA will come into effect on the twentieth day following the day on which it is published in the Official Journal. It will apply, with direct effect, 24 months from the date on which it enters into force. Therefore, it is expected that DORA will apply to in-scope firms from late 2024 or early 2025 at the latest.
EXECUTIVE SUMMARY AND POLICY ACTIONS
The recovery associated with the receding pandemic has slowed as a result of the Russian aggression in Ukraine. The invasion has contributed to high inflation and is damaging the economic outlook, which has led to increased financial market risks across the board. The economic and financial impact of the invasion has been felt globally, alongside enormous humanitarian consequences. Prices in energy and commodity markets have risen to record highs. Production and logistics costs have risen and household purchasing power has weakened. After a long period characterised by very low inflation and interest rates, policy rates are being raised in response to high inflation. The resulting higher financing costs and lower economic growth may put pressure on government, corporate and household debt refinancing. This will likely also have a negative impact on the credit quality of financial institutions’ loan portfolios. Financial institutions are moreover faced with increased operational challenges associated with heightened cyber risks and the implementation of sanctions against Russia. The financial system has to date been resilient despite the increasing political and economic uncertainty.
In light of the above risks and uncertainties, the Joint Committee advises national competent authorities, financial institutions and market participants to take the following policy actions:
Financial institutions and supervisors should continue to be prepared for a deterioration in asset quality in the financial sector. In light of persistent risks that have been amplified by the Russian invasion and a deteriorating macroeconomic outlook, combined with a build-up of medium-term risks with high uncertainty, supervisors should continue to closely monitor asset quality, including in real estate lending, in assets that have benefitted from previous support measures related to the pandemic, and in assets that are particularly vulnerable to rising inflation and to high energy- and commodity prices.
The impact on financial institutions and market participants more broadly from further increases in policy rates and the potential for sudden increases in risk premia should be closely monitored. Inflationary pressures coupled with uncertainty on risk premia adjustment raise concerns over potential further market adjustments. Rising interest rates and yields are expected to improve the earnings outlook for banks given their interest rate sensitivity. They could also reduce the valuation of fixed income assets, and result in higher funding costs and operating costs, which might affect highly indebted borrowers’ abilities to service their loans. Credit risks related to the corporate and banking sector also remain a primary concern for insurers and for the credit quality of bond funds. High market volatility stemming from the above economic and geopolitical situation could also raise short-term concerns and disruptions for market infrastructures.
Financial institutions and supervisors should be aware of, and closely monitor, the impact of inflation risks. The economic consequences of the Russian aggression are mainly channelled through energy and commodity markets, trade restrictions due to sanctions and the possible fragmentation of the global economy. Financial fragmentation, including fragmentation of funding costs, could threaten financial stability and put pressure on price stability. Inflation is not only relevant from a risk perspective but is also expected to affect the real value of benefits and pensions; inflationary trends should therefore be taken into account in the product testing, product monitoring and product review phases. Financial institutions and regulators should make extra efforts to ensure investor awareness of the effects of inflation on the real returns of assets, and of how these can vary across different types of assets.
Supervisors should continue to monitor risks to retail investors, some of whom buy assets, in particular crypto-assets and related products, without fully realising the high risks involved. Some retail investors may not be fully aware of the long-term effects of rising inflation on their assets and purchasing power. In the context of growing retail participation and significant volatility in crypto-assets and related products, retail investors should be aware of the risks stemming from these. The recent events and subsequent sell-off of crypto-assets raise concerns about the appropriate assessment of the risks and the future development of this market segment, and require particular attention from financial institutions and supervisors. Where disclosures are ineffective, these risks are compounded.
Financial institutions and supervisors should continue to carefully manage environmental related risks and cyber risks. They should ensure that appropriate technologies and adequate control frameworks are in place to address threats to information security and business continuity, including risks stemming from increasingly sophisticated cyber-attacks.
1 MARKET DEVELOPMENTS
The Russian invasion and inflationary pressures have significantly impacted the risk environment of EU securities markets. The recovery in most equity indices that followed the March 2020 market stress came to a halt at the beginning of 2022, with global equity indices broadly declining (in 1H22: Europe -18%, China -8%, US -20%). This was mostly linked to energy costs and lower trade flows due to the Russian invasion, supply-side bottlenecks linked to the continued effects of the COVID-19 pandemic, and the tightening of credit conditions for firms. At the same time, volatility as measured by the European volatility index VSTOXX rose in early March (to 41%), about half the level of March 2020. In Europe, more energy-intensive sectors, such as consumer discretionary (-31% YTD), industrials (-29%) and technology (-36%), saw larger price falls than other sectors. Price-earnings ratios tumbled, though they remained above their 10-year historical averages (by 3% in the EU and 9% in the US respectively). The decreases partly reflect lower earnings expectations for the future, due to the potential long-term effects of the pandemic and the impact of higher long-term interest rates.
Fixed income markets were characterised by investor expectations of slower economic growth, higher inflation and a less accommodating interest rate environment. Despite a short-lived fall right after the invasion, EU sovereign bond yields rose in 1H22 to levels unseen since 2016, with significant news-flow related volatility (IT +213bps, GR +230bps, DE +150bps). As of end-June, spreads to the Bund had also widened, e.g. for Italy (1.9%, +70bps) and Spain (1.1%, +39bps). Corporate bond markets showed sensitivity to the evolving outlook, recording significant sell-offs across all rating categories and reduced liquidity. Investment grade (IG) bonds experienced a peak-to-trough fall of 15% (August 2021 to May 2022), nearly twice that of the pandemic, and declined by 12% in the year to June. High-yield (HY) bonds performed slightly worse (-15%), but their peak-to-trough losses were lower than during the pandemic. Credit spreads widened on concerns that the slowdown could weigh on firms’ debt capacity. Significant spread upswings were also seen in February with the invasion, and in May and June as rate hikes occurred in the US and were announced for the euro area.
The crypto-asset market experienced a continued sell-off in 2Q22, in line with the decline of traditional financial assets (especially tech equities) with which Bitcoin (BTC) shares a close (40%) correlation. The collapse of the crypto-asset TerraUSD in May and the pausing of customer withdrawals by the crypto-asset lending platform Celsius in June added to the shift in investor sentiment away from these assets, sending the BTC price to an 18-month low. In May, the largest algorithmic stablecoin (third largest stablecoin overall), TerraUSD, failed to maintain its peg to the USD after its underlying decentralised finance (DeFi) protocol, Anchor, suffered a confidence run on its deposits. The combination of the sharp fall in crypto-asset prices and the demise of the Anchor protocol linked to TerraUSD caused the total value of assets ‘locked’ (deposited) in DeFi smart contracts to fall from over EUR 186bn at the start of May to EUR 62bn by June. In another development in June, the centralised finance (CeFi) lending platform Celsius halted customer withdrawals of deposits, signalling that it had liquidity issues or a deeper insolvency problem. This coincided with a 21% fall in the Bitcoin price and led Binance to temporarily suspend Bitcoin withdrawals from its exchange. The Celsius token price had fallen by 94% since the start of 2022, with market speculation that it could sell a sizeable stake in the crypto-asset Ethereum to avoid collapse.
The turmoil triggered by the Russian invasion also affected environmental, social and governance (ESG) markets. In 1Q22, EU ESG equity funds had net outflows of EUR 5bn, compared with average inflows of EUR 11bn per quarter in 2021. ESG bond issuance volumes fell 29% from the start of the year to June, as compared with the same period in 2021. In the banking sector, ESG bond issuance as a share of total bond issuance decreased compared to 2021, though they often enjoy higher subscription levels than non-ESG bonds, allowing banks to pay lower risk premia on new issuances. Despite this, some fundamental factors driving the rise of ESG investing remain in place. Most importantly, investor preferences continue to shift towards sustainable investments, with portfolio allocations increasingly tilted towards ESG investments. Similarly, issuance of ESG bonds by EU corporates remained on par with early 2021, supported by a rapid expansion of the sustainability-linked bond market. This contrasts with a 32% fall in broader EU corporate bond issuance.
2 DEVELOPMENTS IN THE FINANCIAL SECTOR In 1H22, European investment funds faced heightened volatility in securities markets given the increasingly uncertain economic outlook and the expected increase in interest rates. The performance of most EU fund categories dropped significantly, from a 12-month average monthly performance of 1.6% for equity funds in December 2021 to 0.9% in June 2022. In the meantime, the performance of bond funds turned negative (-0.7%). In contrast, commodity funds outperformed the sector in 1Q22, reflecting the surge in commodity prices following the Russia’s invasion of Ukraine and the sanctions on Russia, before slightly receding, to 2.1%, in end-June. Equity fund flows were also negative (-0.9%). Declining performance led to redemption requests with net outflows in 1H22 totalling 1.6% of the net asset value (NAV) of the fund sector. Bond funds were particularly affected (-4.8% NAV) due to negative performance (-0.7%) and exposures to growing credit and interest risks. Commodity funds experienced outflows (-5.8%), albeit from a low base and only in 2Q22, when their performance declined. MMFs funds also experienced substantial outflows ( -9.2% NAV exceeding the -4.6% NAV observed during COVID-19 stress). MMFs denominated in all currencies experienced outflows, though USD MMFs experienced higher returns (1.1% average monthly performance) than EUR denominated MMFs (-0.1%). While MMFs may generally benefit from a flight-to-quality during uncertain market conditions, investors currently appear to be turning away from fixed-income funds in general. Outflows were partly driven by the expected increase in interest rates. In contrast, real estate funds (1.7% of NAV) and mixed funds (1% of NAV) recorded inflows in 1H22.
The European insurance sector entered 2022 in good shape notwithstanding the adverse developments since the COVID-19 outbreak. During 2021, gross written premiums (GWP) for the life business grew (y-o-y) quite substantially (+14%), while growth was lower for the non-life business (8%). The positive change has partially been driven by the previous reduction in GWP throughout 2020 during the pandemic; although GWP remain still below pre-Covid levels, in particular for life business. The good performance of financial markets and the high returns obtained during 2021 pushed insurer’s profitability up to the levels reached back in 2019, with a median return on assets standing at 0.57% in 4Q21 (0.38% in 4Q20).
At the beginning of 2022 insurers’ capital buffers on aggregate were solid with a median SCR ratio of 216%. An improvement was observed for life insurers while a slight decline was observed for non-life insurers. As the risk-free interest rate increased throughout 2021, due to the long maturities of life insurers’ liabilities the value of technical provision decreased relatively more than the value of assets, with a positive effect on net capital. This contributed to an increase the median SCR ratio for life insurers, from 216% to 225%. However, the SCR ratio did not reach the high levels observed at the end of 2019 (236%). On the other hand, the median SCR ratio for non-life insurers slightly decreased from 218% towards 211%. This might be driven by the increase in claims negatively affecting the liabilities of some representative undertakings, combined with the fact that asset values declined more than liabilities when interest rates increased given that non-life insurers tend to be characterized by a positive duration gap. Likewise, the financial position of EEA IORPs displayed a recovery in 2021. The total amount of assets grew to EUR 2,713 bn in 4Q21 (From EUR 2,491 bn. in 4Q20), while liabilities remained more or less unchanged. Similarly, the Excess of Assets over Liabilities exhibited a positive trend.
The European banking sector entered 2022 with relatively strong capital and liquidity positions. The capital ratio (CET1 fully loaded) stood at 15.0% in 1Q22, the same level as before the pandemic broke out (4Q19). Yet the capital ratio was 50bps lower than in the previous quarter, mainly driven by rising risk-weighted assets (RWA). After a steady rise in previous quarters, the liquidity coverage ratio (LCR) also slightly deteriorated in 1Q22. The reported LCR of 168.1% in 1Q22 (174.8% in 4Q21) was nevertheless still substantial.
EU banks are facing additional challenges to asset quality and profitability while pandemic-related vulnerabilities continue to loom. Deteriorating economic prospects, high uncertainty and high inflation, together with the phasing-out of accommodative monetary policy, are affecting the outlook for the EU banking sector. Loan portfolios with pre-existing vulnerabilities from disruptions caused by the pandemic may be further affected by a slower economic recovery. Accordingly, 45% of banks responding to the EBA's spring 2022 risk assessment questionnaire (RAQ) indicated plans to maintain their pandemic-related overlays to cover potential losses that may materialise in the coming quarters, while 35% of banks indicated plans to release them fully or partially. Supervisors should continue to closely monitor the adequacy of banks' provisions.
The NPL ratio further improved in the first quarter of the year (to 1.9%), mainly driven by decreasing volumes of non-performing loans (NPL). However, a rising cost of risk and an increasing share of loans allocated to Stage 2 under IFRS 9 point to slightly deteriorating asset quality. The quality of loans under previous pandemic-related support measures continues to show signs of deterioration and also requires vigilance. The total volume of loans with expired EBA-compliant moratoria reached EUR 649bn in 1Q22, a 7.8% decline compared to the previous quarter. The volume of loans subject to public guarantee schemes (PGS) stood at EUR 366bn in 1Q22, almost unchanged compared to the previous quarter. The NPL ratios of loans under expired moratoria and of loans subject to PGS, at 6.1% and 3.5% respectively in 1Q22, are substantially higher than the overall NPL ratio and have increased further since 4Q21. PGS loans are mostly concentrated in a few countries. The Stage 2 allocation under IFRS 9 for loans under previous support measures, at 24.5% for loans under expired moratoria and 22.7% for loans subject to PGS, is substantially higher than the Stage 2 allocation for all loans and advances (9.1% in 1Q22). In spite of their slight deterioration in 1Q22, EU banks' capital and liquidity positions nevertheless provide, for the time being, sufficient cushioning in banks' balance sheets should the economic situation deteriorate further or heightened market volatility persist.
Positive operating trends were observed for European banks in 1Q22, with a return on equity (ROE) of 6.6% achieved under difficult market conditions, although this is lower than the 7.7% ROE reported a year earlier (1Q21) and the 7.3% ROE of the previous quarter. The contraction can be explained mainly by rising contributions to deposit guarantee schemes and resolution funds in some countries and by various one-off effects, whereas net operating income improved. In 1Q21, lending growth offset a slight decline in net interest margins (NIM) and led to improved net interest income (NII). Net trading income also increased, supported by market volatility. Overall, increasing net operating income also outweighed the impact of rising inflation on operating expenses in the first quarter of 2021.
3 IMPACT OF RU-UA WAR ON THE EUROPEAN FINANCIAL SECTORS
Securities markets experienced volatility, with some key commodity markets strongly impacted by the Russian invasion and sanctions. Bond yields rose in response to increasing inflation and anticipated higher rates, while equity markets were volatile and experienced periodic sell-offs. Such volatility can create short-term risks in financial markets. Margin calls on commodity-related derivatives can create liquidity strains for counterparties, as witnessed by the calls for emergency liquidity assistance for energy traders and the London Metal Exchange suspending nickel trading for five trading days in early March. While commodity derivatives markets in the EU are of limited size relative to EU derivative markets as a whole, these markets create sensitive interlinkages between commodity producing or processing companies, commodity traders, banks acting as intermediaries in the clearing process, central counterparties, and other financial institutions.
The Russian invasion negatively affected credit rating agencies’ (CRA) credit outlook for EEA30 debt. The number of corporate downgrades grew relative to upgrades over 1H22, with a jump in downgrades around the time of the invasion. Russian and Ukrainian ratings were mainly affected, with a series of downgrades in late February and March among both corporates and sovereigns. By mid-April CRAs had withdrawn their Russian ratings in response to the EU measures banning the rating of Russian debt and the provision of rating services to Russian clients. In addition, sanctions have made it difficult for Russia to make sovereign coupon payments. In this context, Russia defaulted on some debt payments due in late June.
Direct impacts of the invasion on investment funds were limited. Exposures to Russian and Ukrainian counterparties combined were EUR 50bn (below 0.5% of EU fund assets as of end-January 2022). Some funds were more exposed, with 300 funds (EUR 225bn in total assets) holding over 5% of their portfolios in Russian and Ukrainian assets. The massive fall in prices and liquidity of Russian financial instruments led to serious valuation issues for exposed EU funds. In 1H22, 100 Russia-exposed EU funds (EUR 15bn in combined assets) temporarily suspended redemptions. However, funds with material Russian exposures before the invasion account for a very small share of the EU fund population (less than 0.1% of the EU industry). A number of ETFs tracking Russian benchmarks also suspended share creation. While direct impacts of the Russian invasion on funds, such as losses, were limited, existing risks were amplified by the invasion and the deteriorating macroeconomic outlook. Credit, valuation and liquidity risks remained elevated in the bond fund sector, linked to multiple factors. Bond fund exposure to credit risk stayed elevated, especially for HY funds, whose portfolio credit quality remained close to an average rating between BB- and B+ (a 5-year low). The likelihood of credit risk materialising also increased with the deteriorating macroeconomic environment and rising interest rates, as visible in higher credit spreads. In comparison, liquidity risk remained steady for corporate bond funds: based on asset quality and cash holdings, portfolio liquidity remained stable in 1H22.
EU insurers' exposure to assets issued in Russia, Ukraine and Belarus is also limited. These assets amount to EUR 8.3 bn, less than 0.1% of the sector's total investments. The exposure to Russia is EUR 6.3 bn (0.066% of total investments) and the exposure to Ukraine is EUR 1.8 bn (0.019% of total investments). The exposure to Belarus is negligible. Most of the investments in Russia are held through investment funds (84% of total investments). Within funds, the largest asset classes are sovereign bonds and equities associated with unit-linked portfolios. A large share of investments in Russia, Ukraine and Belarus (42%) sits in index- and unit-linked portfolios, whose risk is borne directly by policyholders.
EU insurers have limited activities in the Russian, Ukrainian and Belarusian markets. A small number of EEA groups are active in those countries through subsidiaries, whose size in terms of total assets is minimal compared to the total assets of the groups. In terms of liability portfolios, exposures are also limited: total technical provisions in Russia, Ukraine and Belarus amount to EUR 0.36 bn, mostly concentrated in the life business.
With regard to IORPs, asset exposures are also limited, at EUR 7.5 bn (0.23% of total investments). In absolute terms this is similar to the exposure of the insurance sector; the share is higher because the total investments of IORPs are smaller than those of the insurance sector.
In the banking sector, direct exposure to Russia and Ukraine appears limited at both EU and country level. In 1Q22, exposures of the EU/EEA banking sector stood at EUR 75.3bn (ca. 0.3% of total assets) towards Russian counterparties, EUR 10.0bn towards Ukrainian counterparties and EUR 2.0bn towards Belarusian counterparties, slightly down towards all three countries compared to the previous quarter. However, exposures are concentrated in a few countries, and a few banks report a share of up to 10% of their exposures towards Russia and Ukraine. Some banks also booked substantial provisions in the first quarter of this year related to their exposure to Russia and to the deteriorating economic environment.
While the immediate, first-round implications of the Russian invasion appear contained for financial institutions across sectors, the possibility of second-round effects is a source of concern. The invasion, heightened uncertainty and inflation not only weigh on economic prospects but also affect consumer and business confidence. Exposures to economic sectors more sensitive to rising energy and commodity prices require attention across all financial sectors.
In the insurance sector, second-round effects could emerge via exposures to sectors which are, in turn, highly exposed to the current crisis. Losses in these sectors could spill over through losses on investments. Two areas are likely to be the most relevant: insurers' exposure to the banking sector and their exposure to sectors of the economy that are more sensitive to energy and gas prices. Insurers have significant holdings of bank assets, including assets issued by banks that are assumed to be more vulnerable to the evolution of the current crisis; the exposure of EEA insurers to those banks is estimated at only EUR 55 bn (0.57% of total investments). Furthermore, insurers have significant asset exposure to sectors sensitive to energy and gas prices. These exposures total EUR 174 bn, comprising almost 3% of insurers' equity portfolio and 7.5% of their corporate bond holdings.
In the banking sector, second-round effects could emerge via deteriorating asset quality and further increasing provisioning needs in a deteriorating economic environment. Fee and commission income might also be affected. Banks' securities portfolios might moreover be negatively affected as fair values decline when interest rates rise. The worsening economic outlook has already resulted in slightly deteriorating early-warning indicators for asset quality. The cost of risk increased to 0.51% in 1Q22, a 4bps increase compared to the previous quarter, as borrowers' debt-servicing capacity might be affected by lower economic growth. The increase was mainly driven by the numerator, i.e. by increasing allowances for credit losses. The share of loans allocated to Stage 2 under IFRS 9 also increased in 4Q21 and 1Q22, another early-warning indicator pointing to slightly deteriorating asset quality. Responses to the EBA RAQ moreover indicate that a majority of banks expect asset quality to deteriorate.
In line with the deteriorating economic outlook and heightened market and interest rate volatility, bank funding conditions have worsened since the war in Ukraine started and since interest rates increased. Wholesale bank debt spreads have widened for debt and capital instruments across the capital ladder, and particularly for subordinated instruments. Interest rates on bank debt instruments have risen substantially across maturities, albeit from extremely low levels. Since the beginning of the war, bank debt issuance has focused mainly on covered bonds, amid challenging market conditions and as banks have begun to roll over expiring long-term central bank funding facilities. Bank funding conditions are likely to remain challenging while volatility persists and as interest rates continue to rise. Yet current ample liquidity buffers should allow banks to withstand further periods of market turmoil for the time being. In the medium term, substituting expiring extraordinary central bank funding with other sources of funding could prove challenging for some banks.
In spite of positive operating trends in 1Q22, the outlook for EU bank profitability is subdued. The deteriorating economic environment might dampen lending growth and might result in lower loan- and payment-related fee income. Inflationary pressure, higher provisioning needs for the expected deterioration in asset quality, costs related to digital transformation and higher compliance costs (e.g. related to the enforcement of sanctions) will all likely push up costs and may offset operating cost savings achieved so far. While rising rates may have a positive impact on interest income, rising funding costs might also offset additional income from asset repricing.
4 INFLATION AND INTEREST RATE RISKS
The Russian aggression and the sanctions applied in response contributed to inflationary pressures via supply shocks in energy, food and metals commodities, which added to the pandemic-related supply chain bottlenecks. Higher energy prices contribute particularly to inflation, raising input and distribution costs across the economy. In terms of investment impacts, inflation directly lowers real returns. Inflation also changes the relative attractiveness of assets, both across and within asset classes. Higher inflation reduces the value of existing assets with fixed returns, such as (most) bonds. By reducing short-term growth, higher rates lower profitability and typically reduce equity values; however, if a rate rise is expected to be effective in supporting long-term growth, it can also increase equity values. Inflation has indirect impacts through its effects on actual and anticipated monetary policy, especially interest rate rises intended to reduce demand and bring inflation down. Higher interest rates increase returns on savings and raise borrowing and refinancing costs, reducing debt sustainability. Variable-rate loans face higher debt-servicing costs, raising credit risk, including for securitisations backed by variable-rate loans.
In the investment fund sector, interest rate risk increased in a context of rising inflation expectations. Fund portfolios with a longer duration will see their value fall as inflation drives rates up. However, adjustments are already being made in some funds. Bond fund portfolio durations fell in 1H22, remaining higher for government bond funds (7.6 years, down from 8.6 years) and IG bond funds (6.5 years, down from 7.3 years) than for HY funds (4.3 years, down from 4.8 years). Based on current durations, a 100bps increase in yields could have a potential impact of -7% on bond fund NAV, about EUR 270bn, which could lead to significant fund outflows. In the MMF sector, funds also significantly reduced the weighted average maturity of their portfolios, from 44 days to 30 days (a 3-year low), to lower interest rate risk and improve resilience to a rate rise.
As a period of low inflation and low interest rates comes to an abrupt end, medium-term risks for asset managers are considerable. Impacts on performance and fund flows are likely to vary across asset classes. For example, the recent US rate increases led to a significant reallocation across fund types, away from bond funds (-4.7% NAV in 1H22) and towards funds offering some form of protection against higher rates. To date, this contrasts with the EU: in 1H22, US cumulative flows into funds offering protection against higher inflation or rates, such as inflation-protected funds (EUR 1.5bn), loan funds (EUR 13.9bn) and commodity funds (EUR 16.3bn), outpaced those into their EU equivalents.
Inflation can have a significant impact on borrowers and retail investors. It can heighten the vulnerability of debtors exposed to variable lending rates, or whose low fixed rates will expire in the near term, including in mortgage lending. Inflation can also have large effects on the real returns on savings and investments of retail investors, both in the immediate term and in the long term. Retail investors may be unaware of inflation or may not pay enough attention to its effects on their assets and purchasing power. Consumers can suffer from behavioural biases, such as money illusion or exponential growth bias, that can lead to insufficient saving and investing. Moreover, when inflation is rising, the effects of insufficient saving on long-term wealth become more pronounced.
Insurer positions are affected by inflation on both the asset and the liability side, with typically negative net effects for the non-life segment. On the asset side, insurer investments whose market prices are sensitive to inflation will see a direct or indirect impact through movements in interest rates. On the liability side, inflation affects insurers through higher costs of claims. This is mostly relevant for non-life lines of business, because non-life guarantees are not fixed in nominal terms; crucially, insurers build up provisions for future claims payments and in doing so must make assumptions today about future price developments. Life insurers are less affected by the cost of claims, since their liabilities are typically fixed in nominal terms, i.e. claims do not increase with prices, because future benefits are often stipulated at inception. Higher general costs can have negative profitability implications for both life and non-life insurers. Finally, the sensitivity to inflation and to interest rates also depends crucially on the undertaking's duration gap: those with positive duration gaps are more likely to be negatively affected by inflation than those with negative duration gaps, such as life insurers.
On the liability side, the price development relevant for claims expenses, i.e. claims inflation, is particularly important for insurers. Claims inflation tends to outpace the general inflation rate, and claims costs depend only to a small extent on inflation as measured by the Harmonised Index of Consumer Prices (HICP); the reason is that the goods for which insurers pay differ significantly from those which consumers buy. Moreover, insurers' claims encompass various costs, not just the cost of goods and services. For Europe, there are no time series available on estimates of future claims inflation; each insurer makes its own business-line-specific forecast.
Developments in the term structure and risk premia, which remain uncertain, also affect the net effect on insurer positions, through their exposure to interest-rate-sensitive assets and the duration of their liabilities. A potential increase in long-term rates would be accompanied by a repricing of risk premia, and the negative impact on the asset side would not be limited to fixed income assets but would be reflected in other asset classes through lower market prices. A similar scenario was tested in the EIOPA 2018 Stress Test exercise (Yield Curve Up scenario), which showed relatively high resilience of the insurance sector as a result of its solid aggregate capital buffers.
Insurance products can be sensitive to inflation, and policyholders and pension beneficiaries face the risk of inflation eroding the real value of their benefits. This ultimately depends on the particular features and details of each contract sold. In the traditional business of nominal interest rate guarantees, inflation higher than expected (relative to what is already factored into the guarantees) has a negative impact in real terms for the policyholder, while contracts with profit sharing may help policyholder returns. In the case of unit-linked policies, the policyholder can select the underlying assets from a range of investments, e.g. mutual funds, and the allocation may or may not involve assets that provide inflation protection. Crucially, this requires financial literacy on the part of the policyholder to navigate the complex dynamics of how investments affect their benefits. In recent years, the share of unit-linked business in the life segment has continued to increase, now reaching 39%, a peak since the introduction of Solvency II reporting, notwithstanding the considerable differences in the popularity of unit-linked products that remain across countries.
In the banking sector, increasing interest rates are usually expected to have a positive impact on interest income and on net interest margins (NIMs). Accordingly, both banks and analysts are optimistic about the impact of rising rates: 85% of banks responding to the spring 2022 EBA RAQ expect rising rates to have a positive impact on their profitability through the repricing of assets. However, analysts also expect an increase in provisions and impairments (80%, compared to 15% in the previous RAQ). NIMs have steadily decreased since 2014 in the very low interest rate environment and have remained nearly stable since Q1 2021 (1.25% in Q2 2022).
In spite of positive expectations, historical episodes of rising interest rates globally, as well as bank profitability trends in some European countries with an earlier cycle of increasing interest rates, offer some indication that NIMs may not improve substantially with rising interest rates. Expectations of a substantially positive impact on profitability may be overly optimistic. For example, during the periods of stagflation in the USA between 1971 and 1973 and between 1976 and 1980, the sensitivity of NIMs to interest rate rises was negligible. Disclosures of banks' interest rate risk in the banking book (IRRBB) indicate that a parallel upward shift of the yield curve positively affects NII for most banks. Yet, while about half of the banks disclosing their IRRBB assume that a 200bp parallel rise of the yield curve will add at least 10% to their NII, a majority of banks assume a negative net impact on their economic value of equity (EVE), a long-term measure of their interest rate risk.
On the liability side, bank funding costs have increased considerably in line with rising interest rates, which affects profitability. In the coming months, analysts expect a broad-based increase in funding costs, including for deposits. Banks, particularly those relying more on wholesale funding, may be affected by a potentially substantial increase in funding costs that could even offset the positive effects of asset repricing. Banks that need to further build up their loss-absorbing capacity could be particularly affected, as a majority of banks consider pricing the main constraint on issuing MREL-eligible instruments. In line with rising inflation, EU banks' operating costs are also expected to increase further, having already increased substantially in 1Q22.
While general expectations suggest that banks will benefit from a repricing of assets amid rising interest rates, increasing rates might also affect borrowers' ability to service their debt, and could thus affect asset quality. Coupled with a deteriorating economic outlook, the rising interest rate environment risks reversing the long-term trend of declining NPLs in the banking sector. Rising rates could also contribute to adjustments to the already high real estate valuations in Europe, while the high levels of real estate exposure of EU banks have been identified as a risk. Monetary tightening might also dampen lending growth, e.g. when tightening is accompanied by lower GDP growth, and so could affect interest income.
5 DIGITAL RELATED RISKS
The Russian war in Ukraine and the increasingly volatile geopolitical environment have heightened cybersecurity risks. The frequency of cyber incidents impacting all sectors of activity, as measured by publicly available data, increased significantly in the first quarter of 2022 compared to the same quarter of the previous year. The potential for escalation involving cyberattacks remains, and a successful attack on a major financial institution or on critical infrastructure could spread across the entire financial system. The potential consequences also grow ever more far-reaching as the digitalisation of the financial sector continues. These include disruptions to business continuity, as well as impacts on reputation and, in extreme scenarios, on liquidity and financial stability. Potential cyberattacks might not be limited to the financial sector but could also affect consumers: in a severe scenario, access to basic services, including financial services, could be impaired and personal data could be compromised.
The sharp market sell-off in May and June 2022 once again demonstrated the extremely volatile and speculative nature of many crypto-assets and related products and the high risks involved for investors, as highlighted in the recent joint ESAs warning. The collapse of the Terra ecosystem in May exposed fragilities in stablecoin markets which, if left unmanaged, could have ripple effects with negative implications for financial stability, calling for swift implementation of the proposed Markets in Crypto-Assets (MiCA) regulation.
The current geopolitical situation underscores the relevance of the legislation on digital operational resilience (DORA). DORA, which builds on the ESAs' Joint Advice in the area of information and communication technology (ICT), is expected to enter into force in early 2023; on 10 May 2022 the co-legislators reached a provisional political agreement on its final text. DORA aims to establish a comprehensive framework for the digital operational resilience of EU financial entities, and to consolidate and upgrade ICT risk requirements currently spread across various pieces of financial services legislation (e.g. PSD2, MiFID, NIS). The geopolitical situation has highlighted some of the risks that DORA will address and underscores the importance of the legislation. The ESAs will work closely together on the many joint deliverables and new tasks under DORA to help implement it. Moreover, the ESAs, in cooperation with NCAs, have launched a high-level exercise (covering a sample of financial entities) to better understand the exposure of the financial sector to ICT third-party providers. The exercise will help authorities and entities prepare for the forthcoming DORA regime for the oversight of critical third-party providers of ICT services.
Digitalisation and cyber risks are currently assessed as high and show an increasing trend for the financial sector. In the banking sector, cyber risks are assessed as very high by both banks and supervisors, and the insurance and markets sectors likewise remain on high alert. Since the beginning of the war, cyber-related incidents and disruptions beyond Ukraine and Russia have been rather limited to date, but the related risks nevertheless remain high. Negative cyber sentiment in the insurance sector, measured as the frequency of negative cyber-related terms used during insurers' earnings calls, indicates increased concern in the first quarter of 2022. From a cyber underwriting perspective, cyber-related claims are increasing alongside growth in the frequency and sophistication of cyberattacks across financial sectors. In response, cyber insurers are tightening policy wording to protect themselves against losses and could eventually also adjust pricing. Insurers appear to have stepped up efforts to tighten policies and to clarify coverage in the case of retaliation by Russia and its allies in response to sanctions, in particular through the so-called war exclusion, under which losses caused by armed conflict are usually not compensated. In this context, clear communication and disclosure to policyholders on the scope of coverage and the level of protection offered by their policies is crucial, in order to avoid a mismatch between their expectations and the actual coverage provided.
Supervisors aim to enhance their monitoring of cyber-related risks in view of the increased relevance of digitalisation and cyber risks. ESMA has recently facilitated increased information-sharing among its competent authorities to ensure supervisors receive timely updates on cyber incidents to inform their work. In the insurance sector, EIOPA has produced exploratory indicators that rely on supervisor responses to the EIOPA Insurance Bottom-Up Survey and on publicly available external data; these will be refined once new supervisory data becomes available. To establish adequate tools for assessing and mitigating potential systemic cyber and extreme risks, EIOPA will be working throughout 2022 and 2023 on improving its methodological framework for bottom-up insurance stress tests, including cyber risk.
The unexpected COVID-19 outbreak led European countries to shut down a major part of their economies in order to contain the outbreak. Financial markets experienced huge losses and flight-to-quality investment behaviour. Governments and central banks committed to significant emergency packages to support the economy, as the economic shock caused by demand and supply disruptions, and its reflection in financial markets, is expected to challenge economic growth, the labour market and consumer sentiment across Europe for an uncertain period of time.
Amid an unprecedented downward shift of interest rate curves during March, reflecting the flight-to-quality behaviour, credit spreads of riskier corporates and sovereigns increased, effectively producing a double-hit scenario. Equity markets dropped dramatically, showing extreme levels of volatility in response to uncertainty about the effects of the virus and about the status and effectiveness of government and central bank support programmes. Despite the stressed market environment, there were signs of improvement following the announcement of the support packages and as economies gradually reopened. The outbreak also led to extraordinary working conditions, with part of the services sector working from home, which raises the likelihood of those conditions persisting after the outbreak and could in turn reduce demand for, and the market value of, commercial real estate investments.
Within this challenging environment, insurers are exposed to solvency risk, profitability risk and reinvestment risk. The sudden reassessment of risk premia and the increase in default risk could trigger large-scale rating downgrades and reduce the value of insurers' and IORPs' investments, especially exposures to highly indebted corporates and sovereigns. At the same time, the risk of ultra-low interest rates for long has further increased. Factoring in the knock-on effects of the weakening macroeconomy, insurers' future own funds positions could be further challenged by lower volumes of profitable new business written, accompanied by increased surrenders and lapses of profitable in-force policies.
Finally, liquidity risk has resurfaced, due to the potential for mass-lapse events and higher-than-expected virus- and litigation-related claims, accompanied by decreased premium inflows.
For the European occupational pension sector, the negative impact of COVID-19 on the asset side is mainly driven by deteriorating equity market prices, as IORPs in a number of Member States allocate significant proportions of their portfolios (up to nearly 60%) to equity investments. However, investment allocations diverge widely across Member States, and IORPs in other Member States hold up to 70% of their investments in bonds, mostly sovereign bonds, where the widening of credit spreads impairs market values. The liability side is already under pressure due to low interest rates and, where market-consistent valuation is applied, low discount rates. The funding and solvency ratios of IORPs are determined by national law and, as the 2019 IORP stress test results showed, have been under pressure and are certainly negatively impacted by this crisis. The current situation may lead to benefit cuts for members and may require sponsoring undertakings to finance funding gaps, which may put additional pressure on the real economy and on the entities sponsoring an IORP.
Climate risks remain one of the focal points for the insurance and pension industry, with Environmental, Social and Governance (ESG) factors increasingly shaping the investment decisions of insurers and pension funds but also affecting their underwriting. In response to climate-related risks, the EU presented in mid-December the European Green Deal, a roadmap for making the EU climate neutral by 2050, providing actions meant to boost the efficient use of resources by:
moving to a clean, circular economy and stopping climate change,
reversing biodiversity loss,
and cutting pollution.
At the same time, natural catastrophe-related losses were milder than in the previous year, but asymmetrically shifted towards poorer countries lacking relevant insurance coverage.
Cyber risks have become increasingly relevant across the financial system, in particular during the virus outbreak due to the new working conditions that the confinement measures imposed. Amid the extraordinary en masse remote working arrangements, an increased number of cyber-attacks has been reported on both individuals and healthcare systems. With increasing attention to cyber risks at both national and European level, EIOPA contributed to building a strong, reliable cyber insurance market by publishing its strategy for cyber underwriting, and has also been actively involved in promoting cyber resilience in the insurance and pensions sectors.
The ebb and flow of attitudes on the adoption and use of technology has evolving ramifications for financial services firms and their compliance functions, according to the findings of the Thomson Reuters Regulatory Intelligence’s fourth annual survey on fintech, regtech and the role of compliance. This year’s survey results represent the views and experiences of almost 400 compliance and risk practitioners worldwide.
During the lifetime of the report it has had nearly 2,000 responses and been downloaded nearly 10,000 times by firms, risk and compliance practitioners, regulators, consultancies, law firms and global systemically important financial institutions (G-SIFIs). The report also highlights the shifting role of the regulator and concerns about best or better practice approaches to tackle the rise of cyber risk. The findings have become a trusted source of insight for firms, regulators and their advisers alike. They are intended to help regulated firms with planning, resourcing and direction, and to allow them to benchmark whether their resources, skills, strategy and expectations are in line with those of the wider industry. As with previous reports, regional and G-SIFI results are split out where they highlight any particular trend. One challenge for firms is the need to acquire the skill sets which are essential if they are to reap the expected benefits of technological solutions. Equally, regulators and policymakers need to have the appropriate up-to-date skill sets to enable consistent oversight of the use of technology in financial services. Firms themselves, and G-SIFIs in particular, have made substantial investments in skills and the upgrading of legacy systems.
The involvement of risk and compliance functions in their firm’s approach to fintech, regtech and insurtech continues to evolve. Some 65% of firms reported their risk and compliance function was either fully engaged and consulted or had some involvement (59% in prior year). In the G-SIFI population 69% reported at least some involvement with those reporting their compliance function as being fully engaged and consulted almost doubling from 13% in 2018, to 25% in 2019. There is an even more positive picture presented on increasing board involvement in the firm’s approach to fintech, regtech and insurtech. A total of 62% of firms reported their board being fully engaged and consulted or having some involvement, up from 54% in the prior year. For G-SIFIs 85% reported their board being fully engaged and consulted or having some involvement, up from 56% in the prior year. In particular, 37% of G-SIFIs reported their board was fully engaged with and consulted on the firm’s approach to fintech, regtech and insurtech, up from 13% in the prior year.
Opinion on technological innovation and digital disruption has fluctuated in the past couple of years. Overall, the level of positivity about fintech innovation and digital disruption has increased, after a slight dip in 2018. In 2019, 83% of firms have a positive view of fintech innovation (23% extremely positive, 60% mostly positive), compared with 74% in 2018 and 83% in 2017. In the G-SIFI population the positivity rises to 92%. There are regional variations, with the UK and Europe reporting a 97% positive view at one end going down to a 75% positive view in the United States.
There has been a similar ebb and flow of opinion about regtech innovation and digital disruption although at lower levels. A total of 77% reported either an extremely or mostly positive view, up from 71% in the prior year. For G-SIFIs 81% had a positive view, up from 76% in the prior year.
G-SIFIs have reported a significant investment in specialist skills for both risk and compliance functions and at board level. Some 21% of G-SIFIs reported they had invested in and/or appointed people with specialist skills to the board to accommodate developments in fintech, insurtech and regtech, up from 2% in the prior year. This means in turn 79% of G-SIFIs have not completed their work in this area, which is potentially disturbing. Similarly, 25% of G-SIFIs have invested in specialist skills for the risk and compliance functions, up from 9% in the prior year. In the wider population 10% reported investing in specialist skills at board level and 16% reported investing in specialist skills for the risk and compliance function. A quarter (26%) reported they have yet to invest in specialist skills for the risk and compliance function, but they know it is needed (32% for board-level specialist skills). Again, these figures suggest 75% of G-SIFIs have not fully upgraded their risk and compliance functions, rising to 84% in the wider population.
The greatest financial technology challenges firms expect to face in the next 12 months have changed in nature since the previous survey, with the top three challenges cited as keeping up with technological advancements; budgetary limitations, lack of investment and cost; and data security. In prior years, the biggest challenges related to the need to upgrade legacy systems and processes as well as budgetary limitations, the adequacy and availability of skilled resources, together with the need for cyber resilience. In terms of the greatest benefits expected to be seen from financial technology in the next 12 months, the top three are a strengthening of operational efficiency, improved services for customers and greater business opportunities.
G-SIFIs are leading the way on the implementation of regtech solutions. Some 14% of G-SIFIs have implemented a regtech solution, up from 9% in the prior year with 75% (52% in the prior year) reporting they have either fully or partially implemented a regtech solution to help manage compliance. In the wider population, 17% reported implementing a regtech solution, up from 8% in the prior year. The 2018 numbers overall showed a profound dip from 2017 when 29% of G-SIFIs and 30% of firms reported implementing a regtech solution, perhaps highlighting that early adoption of regtech solutions was less than smooth.
Where firms have not yet deployed fintech or regtech solutions various reasons were cited as to what was holding them back. Significantly, one third of firms cited lack of investment; a similar number of firms pointed to a lack of in-house skills and information security/data protection concerns. Some 14% of firms and 12% of G-SIFIs reported they had taken a deliberate strategic decision not to deploy fintech or regtech solutions yet.
There continues to be substantial variation in the overall budget available for regtech solutions. A total of 38% of firms (31% in the prior year) reported that the expected budget would grow in the coming year; however, 31% said they lack a budget for regtech (25% in the prior year). For G-SIFIs 48% expected the budget to grow (36% in the prior year), with 12% reporting no budget for regtech solutions (6% in the prior year).
Focus: Challenges for firms
Technological challenges for firms come in all shapes and sizes. There is the potentially marketplace-changing challenge posed by the rise of bigtech. There is also the evolving approach of regulators and the need to invest in specialist skill sets. Lastly, there is the emerging need to keep up with technological advances themselves.
The challenges for firms have moved on. In the first three years of the report the biggest financial technology challenge facing firms was that of the need to upgrade legacy systems and processes. This year the top three challenges are expected to be the need to keep up with technology advancements; perceived budgetary limitations, lack of investment and cost, and then data security.
Focus: Cyber risk
Cyber risk and the need to be cyber-resilient is a major challenge for financial services firms which are targets for hackers. They must be prepared and be able to respond to any kind of cyber incident. Good customer outcomes will be under threat if cyber resilience fails.
One of the most prevalent forms of cyber attack is ransomware. There are different types of ransomware, all of which seek to prevent a firm or an individual from using their IT systems and demand that something (usually payment of a ransom) be done before access is restored. Even then, there is no guarantee that paying the ransom or acceding to the attacker’s demands will restore full access to all IT systems, data or files. Many firms have found that critical files, often containing client data, have been encrypted as part of an attack and that large amounts of money are demanded for restoration. Encryption is in this instance used as a weapon, and it can be practically impossible to reverse-engineer the encryption or “crack” the files without the original encryption key – which the attackers deliberately withhold. What was previously often viewed as an IT problem has become a significant issue for risk and compliance functions. The regulatory stance is typified by the UK Financial Conduct Authority (FCA), which has said its goal is to “help firms become more resilient to cyber attacks, while ensuring that consumers are protected and market integrity is upheld”. Regulators do not expect firms to be impervious, but they do expect cyber risk management to become a core competency.
Good and better practice on defending against ransomware attacks
Risk and compliance officers do not need to become technological experts overnight, but they must ensure cyber risks are effectively managed and reported on within their firm’s corporate governance framework. For some compliance officers cyber risk may be well outside their comfort zone, but there is evidence that simple steps implemented rigorously can go a long way towards protecting a firm and its customers. Basic cyber-security hygiene aimed at protecting businesses from ransomware attacks should make full use of the wide range of resources available on cyber resilience, IT security and protecting against malware attacks. The UK National Cyber Security Centre (NCSC) has produced practical guidance on how organisations can protect themselves in cyberspace, which it updates regularly. Indeed, the NCSC’s 10 Steps to Cyber Security have now been adopted by most of the FTSE 350.
The financial services industry has much to gain from the effective implementation of fintech, regtech and insurtech but practical reality is there are numerous challenges to overcome before the potential benefits can be realised. Investment continues to be needed in skill sets, systems upgrades and cyber resilience before firms can deliver technological innovation without endangering good customer outcomes.
An added complication is the business need to innovate while looking over one shoulder at the threat posed by bigtech. There are also concerns for solution providers. The last year has seen many technology start-ups going bust and far fewer new start-ups getting off the ground – an apparent parallel, at least on the surface, to the dotcom bubble. Solutions need to be practical, providers need to be careful not to over-promise and under-deliver, and above all developments should be aimed at genuine problems rather than being solutions looking for a problem. There are nevertheless potentially substantive benefits to be gained from implementing fintech, regtech and insurtech solutions. For risk and compliance functions much of the benefit may come from the ability to automate rote processes with increasing accuracy and speed. Indeed, when 900 respondents to the 10th annual cost of compliance survey report were asked to look into their crystal balls and predict the biggest change for compliance in the next 10 years, the largest response was automation.
Technology and its failure or misuse is increasingly being linked to the personal liability and accountability of senior managers. Chief executives, board members and other senior individuals will be held accountable for failures in technology and should therefore ensure their skill set is up-to-date. Regulators and politicians alike have shown themselves to be increasingly intolerant of senior managers who fail to take the expected reasonable steps with regards to any lack of resilience in their firm’s technology.
This year’s findings suggest firms may find it beneficial to consider:
Is fintech (and regtech) properly considered as part of the firm’s strategy? It is important for regtech especially not to be forgotten about in strategic terms: a systemic failure arising from a regtech solution has great capacity to cause problems for the firm – the UK FCA’s actions on regulatory reporting, among other things, are an indicator of this.
Not all firms seem to have fully tackled the governance challenge fintech implies: greater specialist skills may be needed at board level and in risk and compliance functions.
Lack of in-house skills was given as a main reason for failing to develop fintech or regtech solutions. It is heartening that firms understand the need for those skills. As fintech/regtech becomes mainstream, however, firms may be pressed into developing such solutions. Is there a plan in place to plug the skills gap?
Only 22% of firms reported that they need more resources to evaluate, understand and deploy fintech/regtech solutions. This suggests 78% of firms are unduly relaxed about the resources needed in the second line of defence to ensure fintech/regtech solutions are properly monitored. This may be a correct conclusion, but seems potentially bullish.
The global and European economic outlook has deteriorated in the past months with weakening industrial production and business sentiment and ongoing uncertainties about trade disputes and Brexit. In particular, the “low for long” risk has resurfaced in the EU, as interest rates reached record lows in August 2019 and an increasing number of countries move into negative yield territory for their sovereign bonds even at longer maturities in anticipation of a further round of monetary easing by central banks and a general flight to safety. Bond yields and swap rates have since slightly recovered again, but protracted low interest rates form the key risk for both insurers and pension funds and put pressure on both the capital position and long-term profitability. Large declines in interest rates can also create further incentives for insurers and pension funds to search for yield, which could add to the build-up of vulnerabilities in the financial sector if not properly managed.
Despite the challenging environment, the European insurance sector remains overall well capitalized with a median SCR ratio of 212% as of Q2 2019. However, a slight deterioration could be observed for life insurers in the first half of 2019 and the low interest rate environment is expected to put further pressures on the capital positions of life insurers in the second half of 2019. At the same time, profitability improved in the first half of 2019, mainly due to valuation gains in the equity and bond portfolios of insurers. Nevertheless, the low yield environment is expected to put additional strains on the medium to long term profitability of insurers as higher yielding bonds will have to be replaced by lower yielding bonds, which may make it increasingly difficult for insurers to make investment returns in excess of guaranteed returns issued in the past, which are still prevalent in many countries.
THE EUROPEAN INSURANCE SECTOR
The challenging macroeconomic environment is leading insurance undertakings to further adapt their business models. In order to address the challenges associated with the low yield environment and improve profitability, life insurers are lowering guaranteed rates in traditional products and are increasingly focusing on unit-linked products. On the investment side, insurers are slowly moving towards more alternative investments and illiquid assets, such as unlisted equity, mortgages & loans, infrastructure and property. For non-life insurers, the challenge is mostly focused on managing increasing losses stemming from climate-related risks and cyber events, which may not be adequately reflected in risk models based on historical data, and continued competitive pressures.
Despite the challenging environment, the European insurance sector’s overall gross written premiums (GWP) grew slightly, by 1.6% on an annual basis in Q2 2019. This growth is particularly driven by the increase in non-life GWP (3.7%), in comparison to a slight decrease in life (-0.5%). This reduction in the life GWP growth rate is associated with the slowdown in economic growth; however, this does not seem to have affected the growth of non-life GWP to the same extent. Overall GWP as a percentage of GDP slightly increased from 9% to 11% for the European insurance market; likewise, total assets as a share of GDP improved from 70% to 74%. The share of unit-linked business has slightly declined notwithstanding the growth expectations. Even though insurers are increasingly trying to shift towards unit-linked business in the current low yield environment, the total share of unit-linked business in life GWP has slightly decreased from 42% in Q2 2018 to 40% in Q2 2019; likewise, the share for the median insurance company declined from 34% in Q2 2018 to 31% in Q2 2019. Considerable differences remain across countries, with some countries still being plagued by low trust due to misselling issues in the past. Overall, the trend towards unit-linked business means that investment risks are increasingly transferred to policyholders, with potential reputational risks to the insurance sector in case investment returns turn out lower than anticipated.
The liquid asset ratio slightly deteriorated in the first half of 2019. The median value for liquid assets increased by 1.5% from 63.3% in 2018 Q2 to 64.8% in 2018 Q4, and then decreased slightly to 63.8% in Q2 2019. Furthermore, the distribution moved down (the 10th percentile reduced in the past year by 6 p.p. to 47.9%). Liquid assets are necessary in order to meet payment obligations when they are due. Furthermore, a potential increase in interest rate yields might directly impact the liquidity needs of insurers due to a significant increase in the lapse rate, as policyholders might look for more attractive alternative investments.
Lapse rates in the life business remained broadly stable, increasing slightly in the first half of 2019. The median value increased from 1.34% in Q2 2018 to 1.38% in Q2 2019. Moreover, a potential sudden reversal of risk premia and abruptly rising yields could trigger an increase in lapse rates and surrender ratios as policyholders might look for more attractive investments. Although several contractual and fiscal implications could limit the impact of lapses and surrenders in some countries, potential lapses by policyholders could add additional strains on insurers’ financial position once yields start increasing.
The return on investment has substantially declined further over 2018. The investment returns have significantly deteriorated for the main investment classes (bonds, equity and collective instruments). The median return on investment decreased to only 0.31% in 2018, compared to 2.83% in 2016 and 1.95% in 2017. In particular the four main investment options (government and corporate bonds, equity instruments and collective investment undertakings) – which approximately account for two-thirds of insurers’ total investment portfolios – have generated considerably lower or even negative returns in 2018. As a consequence, insurers may increasingly look for alternative investments, such as unlisted equities, mortgages and infrastructure to improve investment returns. This potential search for yield behaviour might differ per country and warrants close monitoring by supervisory authorities as insurers may suffer substantial losses on these more illiquid investments when markets turn sour.
Despite the challenging investment climate, overall insurer profitability improved in the first half of 2019. The median return on assets (ROA) increased from 0.24% in Q2 2018 to 0.32% in Q2 2019, whereas the median return on excess of assets over liabilities (used as a proxy for return on equity) increased from 2.8% in Q2 2018 to 4.9% in Q2 2019. The improvement in overall profitability seems to stem mainly from valuation gains in the investment portfolio of insurers, driven by a strong rebound in equity prices and declining yields (and hence increasing values of bond holdings) throughout the first half of 2019, while profitability could be further supported by strong underwriting results and insurers’ continued focus on cost optimisation. However, the decrease in expected profits in future premiums (EPIFP) from 11% in Q1 2019 to 10.3% in Q2 2019 suggests expectations of deteriorating profitability looking ahead. Underwriting profitability remained stable and overall positive in the first half of 2019. The median Gross Combined Ratio for non-life business remained below 100% in the first half of 2019 across all lines of business, indicating that most EEA insurers were able to generate positive underwriting results (excluding profits from investments). However, significant outliers can still be observed across lines of business, in particular for credit and suretyship insurance, indicating that several insurers have experienced substantial underwriting losses in this line of business. Furthermore, concerns of underpricing and underreserving remain in the highly competitive motor insurance markets.
Solvency positions slightly deteriorated in the first half of 2019 and the low interest rate environment is expected to put further pressures on the capital positions in the second half of the year, especially for life insurers. Furthermore, the number of life insurance undertakings with SCR ratios below the 100% threshold increased in comparison with the previous year from 1 in Q2 2018 to 4 in Q2 2019 mainly due to the low interest rate environment, while the number of non-life insurance undertakings with SCR ratios below 100% threshold decreased from 9 in Q2 2018 to 7 in Q2 2019. The median SCR ratio for life insurers is still the highest compared to non-life insurers and composite undertakings. However, the SCR ratio differs substantially among countries.
The impact of the LTG and transitional measures varies considerably across insurers and countries. The long-term guarantee (LTG) and transitional measures were introduced in the Solvency II Directive to ensure an appropriate treatment of insurance products that include long-term guarantees and to facilitate a smooth transition to the new regime. These measures can have a significant impact on the SCR ratio by allowing insurance undertakings, among other things, to apply a premium to the risk-free interest rate used for discounting technical provisions. The impact of applying these measures is highest in DE and the UK, where the distribution of SCR ratios is significantly lower without LTG and transitional measures (Figure 2.16). While it is important to take the effect of LTG measures and transitional measures into account when comparing across insurers and countries, the LTG measures do provide a potential financial stability cushion by reducing overall volatility.
On October 15th 2019, EIOPA launched a public consultation on an Opinion that sets out technical advice for the 2020 review of Solvency II. The call for advice comprises 19 separate topics. Broadly speaking, these can be divided into three parts.
The review of the LTG measures, where a number of different options are being consulted on, notably on extrapolation and on the volatility adjustment.
The potential introduction of new regulatory tools in the Solvency II framework, notably on macro-prudential issues, recovery and resolution, and insurance guarantee schemes. These new regulatory tools are considered thoroughly in the consultation.
Revisions to the existing Solvency II framework including in relation to
freedom of services and establishment;
reporting and disclosure;
and the solvency capital requirement.
The main specific considerations and proposals of this consultation are as follows:
Considerations to choose a later starting point for the extrapolation of risk-free interest rates for the euro or to change the extrapolation method to take into account market information beyond the starting point.
Considerations to change the calculation of the volatility adjustment to risk-free interest rates, in particular to address overshooting effects and to reflect the illiquidity of insurance liabilities.
The proposal to increase the calibration of the interest rate risk sub-module in line with empirical evidence, in particular the existence of negative interest rates. The proposal is consistent with the technical advice EIOPA provided on the Solvency Capital Requirement standard formula in 2018.
The proposal to include macro-prudential tools in the Solvency II Directive.
The proposal to establish a minimum harmonised and comprehensive recovery and resolution framework for insurance.
The European Supervisory Authorities (ESAs) published on 4th October 2019 a Joint Opinion on the risks of money laundering and terrorist financing affecting the European Union’s financial sector. In this Joint Opinion, the ESAs identify and analyse current and emerging money laundering and terrorist financing (ML/TF) risks to which the EU’s financial sector is exposed. In particular, the ESAs have identified that the main cross-cutting risks arise from:
the withdrawal of the United Kingdom (UK) from the EU,
legislative divergence and divergent supervisory practices,
weaknesses in internal controls,
and terrorist financing and de-risking.
In order to mitigate these risks, the ESAs have proposed a number of potential actions for the Competent Authorities.
Following its advice to the European Commission on the integration of sustainability risks in Solvency II and the Insurance Distribution Directive in April 2019, EIOPA published on 30th September 2019 an Opinion on Sustainability within Solvency II, which addresses the integration of climate-related risks in Solvency II Pillar I requirements. EIOPA found no current evidence to support a change in the calibration of capital requirements for “green” or “brown” assets. In the Opinion, EIOPA calls on insurance and reinsurance undertakings to implement measures linked with climate change-related risks, especially in view of their substantial impact on business strategy; in that respect, the importance of scenario analysis in the undertakings’ risk management is highlighted. To increase the resilience of the European market and citizens to climate change, undertakings are called on to consider the impact of their underwriting practices on the environment. EIOPA also supports the development of new insurance products, adjustments in the design and pricing of products and engagement with public authorities, as part of the industry’s stewardship activity.
On the 15th July 2019 EIOPA submitted to the European Commission draft amendments to the Implementing technical standards (ITS) on reporting and the ITS on public disclosure. The proposed amendments are mainly intended to reflect the changes in the Solvency II Delegated Regulation by the Commission Delegated Regulation (EU) 2019/981 and the Commission Delegated Regulation 2018/1221 as regards the calculation of regulatory capital requirements for securitisations and simple, transparent and standardised securitisations held by insurance and reinsurance undertakings. A more detailed review of the reporting and disclosure requirements will be part of the 2020 review of Solvency II.
On 18th June 2019 the Commission Delegated Regulation (EU) 2019/981 amending the Solvency II Delegated Regulation with respect to the calculation of the SCR for standard formula users was published. The new regulation includes the majority of the changes proposed by EIOPA in its advice to the Commission in February 2018 with the exception of the proposed change regarding interest rate risk. Most of the changes are applicable since July 2019, although changes to the calculation of the loss-absorbing capacity of deferred taxes and non-life and health premium and reserve risk will apply from 1 January 2020.
QUALITATIVE RISK ASSESSMENT
EIOPA conducts twice a year a bottom-up survey among national supervisors to determine the key risks and challenges for the European insurance and pension fund sectors, based on their probability and potential impact.
The EIOPA qualitative Autumn 2019 Survey reveals that low interest rates remain the main risk for both the insurance and pension fund sectors. Equity risks also remain prevalent, ranking as the 3rd and 2nd biggest risk for the insurance and pension fund sectors respectively. The cyber risk category now ranks as the 2nd biggest risk for the insurance sector, as insurers need to adapt their business models to this new type of risk from both an operational risk perspective and an underwriting perspective. Geopolitical risks have become more significant for both markets, along with macro risks, which continue to be present in the insurance and pension fund sectors, partially due to concerns over protectionism, trade tensions, debt sustainability, a sudden increase in risk premia and uncertainty relating to the potential future post-Brexit landscape.
The survey further suggests that all the risks are expected to increase over the coming year. The increased risk of the low for long interest rate environment is in line with the observed market developments, particularly after the ECB’s announcement of renewed monetary easing in September 2019. The significant expected rise of cyber, property, equity, macro and geopolitical risks in the following year is also in line with the observed market developments, indicating increased geopolitical uncertainty, trade tensions, stretched valuations in equity and real estate markets and more frequent and sophisticated cyber attacks, which could all potentially affect the financial position of insurers and pension funds. On the other hand, ALM risks and credit risk for financials are expected to increase in the coming year, while in the last survey in Spring 2019 the expectations pointed in the opposite direction.
Although cyber risk ranks as one of the top risks and is expected to increase in the following year, many jurisdictions also see cyber-related insurance activities as a growth opportunity. The rapid pace of technological innovation and digitalisation is a challenge for the insurance market, and insurers need to be able to adapt their business models to this challenging environment; nonetheless, from a profitability perspective, increased digitalisation may offer significant cost-saving and revenue-increasing opportunities for insurance companies. The increased awareness of cyber risk and higher vulnerability to cyber threats among undertakings, due to the increased adoption of digital technologies, could drive growth in cyber insurance underwriting.
The survey shows the exposure of an sudden correction of the risk premia significantly differs across EU countries. In the event of a sudden correction in the risk premia, insurance undertakings and pension funds with ample exposure to bonds and real estate, could suffer significant asset value variations that could lead to forced asset sales and potentially amplify the original shock to asset prices in less liquid markets. Some juridictions, however, confirm the limited exposure to this risk due to the low holding of fixed income instruments and well diversified portfolios.
The survey further indicates that national authorities expect the increase of investments in alternative asset classes and more illiquid assets. Conversely, holdings of governement bonds are expected to decrease in favour of corporate bonds within the next 12 months. Overall this might indicate potential search for yield behaviour and a shift towards more illiquid assets continues throughout numerous EU jurisdictions. Property investments – through for instance mortgages and infrastructure investment – are also expected to increase in some jurisdictions, for both insurers and pension funds. A potential downturn of real estate markets could therefore also affect the soundness of the insurance and pension fund sectors.
QUANTITATIVE RISK ASSESSMENT EUROPEAN INSURANCE SECTOR
This section further assesses the key risks and vulnerabilities for the European insurance sector identified in this report. A detailed breakdown of the investment portfolio and asset allocation is provided with a focus on specific country exposures and interconnectedness with the banking sector. The chapter also analyses in more detail the implications of the current low yield environment for insurers.
Insurance companies’ investments remain broadly stable, with a slight move towards less liquid investments. Government and corporate bonds continue to make up the majority of the investment portfolio, with only a slight movement towards more non-traditional investment instruments such as unlisted equity and mortgages and loans. Life insurers in particular rely on fixed-income assets, due to the importance of asset-liability matching of their long-term obligations. At the same time, the high shares of fixed-income investments could give rise to significant reinvestment risk in the current low yield environment, if maturing fixed-income securities can only be replaced by lower-yielding fixed-income securities of the same credit quality.
The overall credit quality of the bond portfolio is broadly satisfactory, although slight changes are observed in 2018. The vast majority of bonds held by European insurers are investment grade, with most rated as CQS1 (AA). However, the share of CQS2 has increased in the first half of 2019, and significant differences can be observed for insurers across countries.
INTERCONNECTEDNESS BETWEEN INSURERS AND BANKS
The overall exposures towards the banking sector remain significant for insurers in certain countries, which could be one potential transmission channel in case of a sudden reassessment of risk premia. The interconnectedness between insurers and banks could intensify contagion across the financial system through common risk exposures. A potential sudden reassessment of risk premia may not only affect insurers directly, but also indirectly through exposures to the banking sector. This is also a potential transmission channel of emerging markets distress, as banks have on average larger exposures to emerging markets when compared to insurers.
Another channel of risk transmission could be through different types of bank instruments bundled together and credited by institutional investors such as insurers and pension funds.
Insurers’ exposures towards banks are heterogeneous across the EU/EEA countries, with different levels of home bias as well. Hence, countries with primary banks exposed to emerging markets or weak banking sectors could be impacted more in case of economic distress. On average, 15.95% of the EU/EEA insurers’ assets are issued by the banking sector through different types of instruments, mostly bank bonds.
Rapidly evolving threats and infiltration techniques have rendered traditional cyber defense strategies insufficient and ineffective. The emerging threat vectors and speed of change amplified by the digital transformation cannot be addressed by traditional means. Globally, laws are also changing to keep pace as cybercrime evolves, knowing no boundaries. Therefore, organizations must be nimble and agile to keep pace with policy changes, especially when expanding across different jurisdictions.
This report highlights three strategic imperatives to strengthen cyber resilience:
Understand (know your threats): Identifying organization- and industry-specific cyber threats and regulations calls for robust strategies that include cross-disciplinary considerations.
Measure (know yourself): Quantify the potential financial impact of cyber exposures to compare against the level of risk appetite acceptable to the board. This will determine the amount of investment necessary to mitigate and transfer any residual risk.
Manage (know what you can do): Proactively manage cyber risks by having clear action plans based on your capabilities and capacities to protect against cyber criminals.
It is inefficient and impractical to expect organizations to be ahead of every threat, but organizations should at least be on par with the evolution of cyber threats while ensuring compliance with changing laws and regulations. While cyber attacks are inevitable, proper preparation is the essential element that sets resilient organizations apart from the rest in managing risk, minimizing damage, and recovering quickly from any incidents.
Cyber Risk: A Top Concern
Technology continues to play a profound role in shaping the global risk landscape for individuals, businesses, and governments. Risk experts around the world continue to rank massive data fraud and theft and cyber attacks as their greatest and most likely risks over the next decade, a pattern that is consistent with previous years. Most risk experts also expect cyber attacks to have a much greater impact through business disruption and the targeted theft of money, data and intellectual property. Our increased dependence on pervasive, integrated digital technologies also increases anxiety around cyber security.
The pace of business innovation has been driven by technology and connectivity megatrends such as mobile, the Internet of Things (IoT), big data and cloud solutions. The adoption and use of mobile devices have surpassed that of desktops since the last quarter of 2016, with mobile traffic accounting for 52 percent of total internet traffic in 2018. While business benefits include greater convenience and productivity, the use of mobile devices for both work and personal reasons has blurred the lines between sensitive corporate and confidential personal data, which are increasingly exposed to weaker application security features, mobile malware and other vulnerabilities.
Pervasive, Sophisticated Technologies
A recent study by FireEye Mandiant revealed that cyber attackers have followed cloud-reliant organizations, such as software-as-a-service and cloud computing, into the cloud. Mandiant researchers observed an increased volume of attacks against organizations with access to vast amounts of personal and confidential data, such as cloud providers, telecommunications, and retail and hospitality. More than 730 investigations were performed by Mandiant experts globally in 2018, a higher volume than any year before and an increase of more than 30 percent over 2017.
Devious, Organized Threat Actors
The modern cyber risk landscape is rapidly evolving and populated by threat actors with a myriad of motivations and attack sophistication levels. The methodologies can vary from highly-targeted and deliberate, to mass-scale with self-distributing malware. Different threat actors also have different motivations and ambitions that can be uniquely destructive.
Motivations and methodologies of threat actors can also overlap with one another. In many cases, similar tools and techniques are used by different groups since those may be the only tools available. In some cases, state-sponsored actors may even work with hacktivists to carry out an attack. Some threat groups demonstrate increased determination by maintaining persistence in victims’ networks. Some APT attackers plan out their modus operandi and patiently pursue their goals over a long period of time—months or years—before they launch their attack. They rapidly adapt to a victim organization’s attempts to remove them from the network and frequently target the same victim again if access is lost.
After an organization has been successfully attacked, there is a higher probability of re-compromise. According to FireEye, globally two in three (64 percent) compromised organizations were successfully attacked again within a year. It is more significant in APAC where almost eight in 10 (78 percent) of compromised organizations are likely to face at least one additional significant attack over the next year.
Organizations that have been attacked should strengthen their cyber security defenses and close any identified gaps to mitigate risks; unfortunately, this doesn’t always happen.
Data Sharing Economies
Data sharing is inevitable as we accelerate into the digital economy. Our growing interconnectedness is combined with a massive increase in velocity, volume, and variety of data shared across boundaries and jurisdictions. The accelerated digitalization of countries and industries amplifies the systemic effects from cyber attacks and increases the severity of successful cyber attacks.
With the advent of digital and transformative technologies that change the nature of business, policymakers are challenged to maintain the robustness of cyber laws and legislation. The anonymity of the Internet further ensures little or no risk of repercussion for cyber criminals.
According to FireEye CEO Kevin Mandia, “We are on a slippery slope in terms of frequency and seriousness of cyber attacks” and it is likely to get worse unless serious consequences can be put in place for criminal behavior.
Although cyber regulations have lagged behind evolving cyber threats, the past years have seen a substantial increase in new cyber laws and other regulatory schemes, and this is expected to continue. Most regulatory schemes aim to protect data and privacy and fulfil notification obligations by breached organizations, but disclosures and notifications are critical first steps to reveal the volume, frequency and complexity of breaches before data protection and privacy can be further improved.
Complications That Impact Cyber Resilience
In an increasingly complex business and cyber landscape, organizations encounter greater challenges when trying to balance their business resilience and cyber security priorities.
Between 2016 and 2018, the rate of growth for internet users was 10 times faster than the global population. Correspondingly, the surface area for attack has expanded exponentially. The exposure is estimated to impact up to six billion internet users by 2022, approximately three-quarters of the projected world population. Increased connectivity coupled with the expanded adoption of mobile devices makes building cyber security defenses much more challenging since every employee or web-connected device now represents a potential vulnerability.
Underlying Trends Impose Additional Layers of Fiduciary Responsibilities
Rapid digitalization amplifies the systemic effect of cyber threats, which leads to more cyber regulations and policies. In addition to safeguarding the interests of individuals and businesses, governments and policymakers also aim to provide a conducive and well-regulated environment to develop transformative technologies to spearhead their respective digital economies.
Unsurprisingly, organizations’ business models are impacted by new cyber laws and regulations. As these laws are introduced, revised and enacted, companies can find themselves in a continually reactive state when attempting to comply with changing policies. Organizations with operations across national boundaries face additional compliance costs as they attempt to navigate diverse regulations in different jurisdictions. While GDPR has led to the convergence of cyber security and data protection laws in the EU, cyber regulations in other parts of the world remain largely localized and diverse.
Re-Thinking a Cyber Resilient Culture
To reduce our growing vulnerability to human-enabled cyber threats, workplace culture needs to change. The outlook, attitudes, values, moral goals and legacy systems shared within an organization have a direct impact on how cyber threats are perceived and managed. While cyber security involves many different technical and information solutions, necessary defenses and resilience cannot be fully achieved without the right mindset.
To establish a cyber resilient culture, everyone in the organization—from executive leadership and management to data analysts and salespeople—has an equal and important role to play in defense.
Through social engineering, threat actors increasingly exploit individuals as the weakest link of the cyber security chain. Therefore, cyber security and resilience must begin with the individual. Although Finance or HR departments may be primary targets for potential access to sensitive information, other executives and employees may also be targeted to gain network access.
How To Line Up Your Defense
Given the reality of the cyber threat landscape, you need to determine the tools you need to mitigate and respond to inevitable cyber attacks. Unfortunately, while both the aggressiveness and sophistication of cyber attacks have accelerated, defensive capabilities have been relatively slow to evolve and respond.
Darren Thayre, Partner in the Digital, Technology and Analytics Practice for Asia Pacific at Oliver Wyman, mentioned that typical cyber security discussions are often absent when organizations initially strategize on cloud implementation, a process normally driven by developers or infrastructure demands.
Many victim organizations and those working diligently on defensive improvements still lack the fundamental security controls and capabilities to either prevent breaches or to minimize the damages and consequences of an inevitable compromise.
Based on trend observations, Kelly Butler, Head of Cyber Practice, Pacific, Marsh, stated that while security remains important in the 2019 cyber landscape, it is becoming more about resilience.
Organizations must maintain a posture of continuous cyber resilience to prepare for and adapt to the changing threat landscape and to recover from disruptive attacks. Otherwise, they risk facing significant gaps in both basic security controls and—more critically—visibility and detection of targeted attacks. The saying goes, “what gets measured, gets managed,” but you can only measure what you understand.
Understand Cyber Risks from a Business Perspective
Cyber risk is now at the forefront of most corporate risk agendas. Organizations are increasingly looking to understand and assess the nature and extent of their potential cyber-related losses—a necessary first step to mitigate those losses.
A cyber defense strategy delivers substantial benefits for both the senior management and the organization, especially when the strategy and associated action plans are mandated from the top and prioritized with the necessary investments and budgets. A proactive cyber defense strategy demonstrates to regulators that the organization takes cyber risk management seriously and has clear priorities in place.
A cyber security strategy is how you direct and focus the creation of an actionable roadmap and build a comprehensive cyber security program. This process allows you to clearly link gaps identified in the program assessment to your organization’s cyber security investments. However, developing a fit-for-purpose strategy and obtaining buy-in for the cyber security program from senior management can be difficult.
After you understand cyber risks from a business perspective, you need to identify how much cyber risk is acceptable (to be absorbed) across your entire organization. This baseline helps make decisions related to cyber risk and implement controls.
For example, you can use a structured methodology to determine your organization’s cyber risk appetite. Ideally, you should break down and prioritize your cyber risk appetite, and the metrics you need to inform and measure the risk appetite. Later, you can develop recommendations regarding governance and operating model requirements, which in turn will determine and influence corporate decisions with respect to cyber security investments.
After you assess the amount of acceptable cyber risk, work to quantify your potential cyber risk exposure. Measure its financial impact to inform the business case for cyber security investments as well as cyber insurance that can mitigate or transfer risk.
Quantification determines the nature and extent of risk impacts for different threats and scenarios. However, boards and senior executives often struggle to gain a clear, comprehensive and current understanding of their organization’s cyber risk profile.
Increased awareness, cyber data breaches and the adoption of cloud-based services are a few of the factors that drive the growth of the cyber insurance market, while high costs inhibit growth. High premiums can be effectively overcome by systematically and clearly understanding organization-specific cyber risks to lower risk exposure and improve the risk profile. For example, the use of data analytics to quantify risk exposure and underwrite cyber risks has proved to drive more efficient and effective risk profiling and provide more accurate policy coverage.
With an internally aligned cyber risk strategy and an adequately measured risk exposure around expected losses due to cyber attacks, organizations can insure themselves better and secure the financial footing to respond to and recover from an incident. An incident response plan requires the support of proper security technologies and expertise. At a minimum, a response plan requires a full view of IT assets, strong detection capabilities, clear roles and responsibilities and fast reaction times. The plan must also be regularly practiced through drills to ensure that personnel know their roles and to track and record various metrics that measure their performance. Frequent testing can help identify areas for improvement and provide opportunities to continually refine processes and protocols.
Financial institutions are acutely aware that cyber risk is one of the most significant perils they face and one of the most challenging to manage. The perceived intensity of the threats, and Board level concern about the effectiveness of defensive measures, ramp up continually as bad actors increase the sophistication, number, and frequency of their attacks.
Cyber risk management is high on or at the top of the agenda for financial institutions across the sector globally. Highly visible attacks of increasing insidiousness and sophistication are headline news on an almost daily basis. The line between criminal and political bad actors is increasingly blurred with each faction learning from the other. In addition, with cyberattack tools and techniques becoming more available via the dark web and other sources, the population of attackers continues to increase, with recent estimates putting the number of cyberattackers globally in the hundreds of thousands.
Cyber offenses against banks, clearers, insurers, and other major financial services sector participants will not abate any time soon. Looking at the velocity and frequency of attacks, the motivation for cyberattack upon financial services institutions can be several hundred times higher than for non-financial services organizations.
Observing these developments, regulators are prescribing increasingly stringent requirements for cyber risk management. New and emerging regulation will force changes on many fronts and will compel firms to demonstrate that they are taking cyber seriously in all that they do. However, compliance with these regulations will only be one step towards assuring effective governance and control of institutions’ Cyber Risk.
We explore the underlying challenges with regard to cyber risk management and analyze the nature of increasingly stringent regulatory demands. Putting these pieces together, we frame five strategic moves which we believe will enable businesses to satisfy business needs, their fiduciary responsibilities with regard to cyber risk, and regulatory requirements:
Seek to quantify cyber risk in terms of capital and earnings at risk.
Anchor all cyber risk governance through risk appetite.
Ensure effectiveness of independent cyber risk oversight using specialized skills.
Comprehensively map and test controls, especially for third-party interactions.
Develop and exercise major incident management playbooks.
These points are consistent with global trends for cyber risk management. Further, we believe that our observations on industry challenges and the steps we recommend to address them are applicable across geographies, especially when considering prioritization of cyber risk investments.
FIVE STRATEGIC MOVES
The current environment poses major challenges for Boards and management. Leadership has to fully understand the cyber risk profile the organization faces in order to simultaneously protect the institution against ever-changing threats and be on the front foot with regard to increasing regulatory pressures, while prioritizing the deployment of scarce resources. This is especially important given that regulation is still maturing and it is not yet clear how high the compliance bars will be set and what resources will need to be committed to achieve passing grades.
With this in mind, we propose five strategic moves which we believe, based on our experience, will help institutions position themselves well to address existing cyber risk management challenges.
1) Seek to quantify cyber risk in terms of capital and earnings at risk
Boards of Directors and all levels of management intuitively relate to risks that are quantified in economic terms. Explaining any type of risk, opportunity, or tradeoff relative to the bottom line brings sharper focus to the debate.
For all financial and many non-financial risks, institutions have developed methods for quantifying expected and unexpected losses in dollar terms that can readily be compared to earnings and capital. Further, regulators have expected this as a component of regulatory and economic capital, CCAR, and/or resolution and recovery planning. Predicting losses due to Cyber is particularly difficult because it consists of a combination of direct, indirect, and reputational elements which are not easy to quantify. In addition, there is limited historical cyber loss exposure data available to support robust cyber risk quantification.
Nevertheless, institutions still need to develop a view of their financial exposures of cyber risk with different levels of confidence and understand how this varies by business line, process, or platform. In some cases, these views may be more expert based, using scenario analysis approaches as opposed to raw statistical modeling outputs. The objectives are still the same – to challenge perspectives as to
how much risk exposure exists,
how it could manifest within the organization,
and how specific response strategies are reducing the institution’s inherent cyber risk.
2) Anchor all cyber risk governance through risk appetite
Regulators are specifically insisting on the establishment of a cyber risk strategy, which is typically shaped by a cyber risk appetite. This should represent an effective governance anchor to help address the Board’s concerns about whether appropriate risks are being considered and managed effectively.
Setting a risk appetite enables the Board and senior management to more deeply understand exposure to specific cyber risks, establish clarity on the Cyber imperatives for the organization, work out tradeoffs, and determine priorities.
Considering cyber risk in this way also enables it to be brought into a common framework with all other risks and provides a starting point to discuss whether the exposure is affordable (given capital and earnings) and strategically acceptable.
Cyber risk appetite should be cascaded down through the organization and provide a coherent management and monitoring framework consisting of
and practical tests or exercises
at multiple levels of granularity. Such cascading establishes a relatable chain of information at each management level across business lines and functions. Each management layer can hold the next layer more specifically accountable. Parallel business units and operations can have common standards for comparing results and sharing best practices.
Finally, Second and Third Line can have focal points to review and assure compliance. A risk appetite chain further provides a means for the attestation of the effectiveness of controls and adherence to governance directives and standards.
Where it can be demonstrated that risk appetite is being upheld to procedural levels, management will be more confident in providing the attestations that regulators require.
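As an added illustration of moves 1 and 2 above (and of the earlier “Measure (know yourself)” imperative), not code from any of the reports quoted here: a scenario-based Monte Carlo that turns expert loss estimates into expected and unexpected annual loss at chosen confidence levels, shows how much each scenario contributes, and checks the result against a Board-set risk appetite expressed as shares of earnings and capital. Scenario names, frequencies, loss ranges, earnings and capital figures are all constructed for the example.

```python
"""Expert-based cyber loss quantification against capital, earnings and risk appetite.

Added example; all scenarios and financial figures below are constructed, not real data.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_frequency: float  # expected events per year (expert estimate)
    low: float               # minimum loss per event, USD
    likely: float            # most likely loss per event, USD
    high: float              # maximum loss per event, USD


# Constructed scenarios for a hypothetical mid-sized insurer (expert estimates, not data).
SCENARIOS = [
    Scenario("ransomware on core policy admin platform", 0.30, 2e6, 8e6, 40e6),
    Scenario("third-party cloud provider breach", 0.15, 1e6, 5e6, 25e6),
    Scenario("phishing-led payment fraud in Finance", 1.20, 5e4, 3e5, 2e6),
]


def _poisson(rng, lam):
    """Knuth's algorithm: number of events in one year given an expected rate lam."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(scenarios, years=20000, seed=7):
    """Return a sorted list of simulated total annual losses (one entry per year)."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        year_loss = 0.0
        for s in scenarios:
            # Frequency from Poisson; severity from a triangular (low/likely/high) estimate.
            for _ in range(_poisson(rng, s.annual_frequency)):
                year_loss += rng.triangular(s.low, s.high, s.likely)
        totals.append(year_loss)
    totals.sort()
    return totals


def contribution_by_scenario(scenarios):
    """Analytic expected annual loss per scenario: frequency x mean of the triangular severity."""
    return {s.name: s.annual_frequency * (s.low + s.likely + s.high) / 3.0 for s in scenarios}


def quantile(sorted_losses, p):
    """Empirical p-quantile of an ascending list (loss not exceeded in a share p of years)."""
    idx = math.ceil(p * len(sorted_losses)) - 1
    return sorted_losses[min(max(idx, 0), len(sorted_losses) - 1)]


def risk_profile(sorted_losses, confidence=(0.95, 0.99)):
    """Expected loss plus loss and unexpected loss (loss minus expected) at each confidence level."""
    expected = sum(sorted_losses) / len(sorted_losses)
    profile = {"expected_loss": expected}
    for c in confidence:
        tail = quantile(sorted_losses, c)
        profile[f"loss_at_{int(c * 100)}"] = tail
        profile[f"unexpected_loss_at_{int(c * 100)}"] = tail - expected
    return profile


def check_risk_appetite(profile, annual_earnings, capital,
                        max_earnings_share, max_capital_share, confidence=0.99):
    """Compare the quantified exposure with Board-set limits: expected loss as a share of
    earnings, and loss at the chosen confidence level as a share of capital."""
    earnings_share = profile["expected_loss"] / annual_earnings
    capital_share = profile[f"loss_at_{int(confidence * 100)}"] / capital
    return {
        "expected_loss_share_of_earnings": earnings_share,
        "tail_loss_share_of_capital": capital_share,
        "within_appetite": earnings_share <= max_earnings_share
        and capital_share <= max_capital_share,
    }


if __name__ == "__main__":
    losses = simulate_annual_losses(SCENARIOS)
    profile = risk_profile(losses)
    for key, value in profile.items():
        print(f"{key:>25}: {value / 1e6:8.2f} M USD")
    for name, value in contribution_by_scenario(SCENARIOS).items():
        print(f"  contribution {name}: {value / 1e6:.2f} M USD")
    # Constructed earnings/capital and appetite limits (20% of earnings, 15% of capital).
    print(check_risk_appetite(profile, annual_earnings=50e6, capital=400e6,
                              max_earnings_share=0.20, max_capital_share=0.15))
```

The expected loss is also available analytically from `contribution_by_scenario`, which is a useful sanity check on the simulation and shows which business line or platform drives the exposure.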
3) Ensure effectiveness of independent cyber risk oversight using specialized skills
From our perspective, firms face challenges when attempting to practically fit cyber risk management into a “Three Lines of Defense” model and align cyber risk holistically within an enterprise risk management framework.
CROs and risk management functions have traditionally developed specialized skills for many risk types, but often have not evolved as much depth on IT and cyber risks. Organizations have overcome this challenge by weaving risk management into the IT organization as a First Line function.
In order to more clearly segregate the roles between IT, business, and Information Security (IS), the Chief Information Security Officer (CISO) and the IS team will typically need to be positioned in a “1.5 Line of Defense” position. This allows an Information Security group to provide more formal oversight and guidance on the cyber requirements and to monitor day-to-day compliance across business and technology teams.
Further independent risk oversight and audit is clearly needed as part of the Third Line of Defense. Defining what oversight and audit means becomes more traceable and tractable when specific governance mandates and metrics from the Board down are established.
Institutions will also need to deal with the practical challenge of building and maintaining Cyber talent that can understand the business imperatives, compliance requirements, and associated cyber risk exposures.
At the leadership level, some organizations have introduced the concept of a Risk Technology Officer who interfaces with the CISO and is responsible for integration of cyber risk with operational risk.
4) Comprehensively map and test controls, especially for third-party interactions
Institutions need to undertake more rigorous and more frequent assessments of cyber risks across operations, technology, and people. These assessments need to test
the efficacy of surveillance,
the effectiveness of protection and defensive controls,
the responsiveness of the organization,
and the ability to recover
in a manner consistent with expectations of the Board.
Given the new and emerging regulatory requirements, firms will need to pay closer attention to the ongoing assessment and management of third parties. Third parties need to be tiered based on their access to and interaction with the institution’s high value assets. Through this assessment process, institutions need to obtain a more practical understanding of their ability to get early warning signals of cyber threats. In a number of cases, a firm may choose to outsource more IT or data services to third party providers (e.g., Cloud) where it considers that this option represents a more attractive and acceptable solution relative to the cost or talent demands associated with maintaining Information Security in-house for certain capabilities. At the same time, the risk of third party compromise needs to be fully understood with respect to the overall risk appetite.
5) Develop and exercise incident management playbooks
A critical test of an institution’s cyber risk readiness is its ability to quickly and effectively respond when a cyberattack occurs.
As part of raising the bar on cyber resilience, institutions need to ensure that they have clearly documented and proven cyber incident response plans that include
a comprehensive array of attack scenarios,
clear identification of accountabilities across the organization,
and associated internal and external communication scenarios.
Institutions need to thoroughly test their incident response plan on an ongoing basis via table top exercises and practical drills. As part of a table top exercise, key stakeholders walk through specific attack scenarios to test their knowledge of response strategies. This exercise provides an avenue for exposing key stakeholders to more tangible aspects of cyber risk and their respective roles in the event of a cyberattack. It also can reveal gaps in specific response processes, roles, and communications that the institution will need to address.
Last but not least, incident management plans need to be reviewed and refined based on changes in the overall threat landscape and an assessment of the institution’s cyber threat profile; on a yearly or more frequent basis depending on the nature and volatility of the risk for a given business line or platform.
Cyber adversaries are increasingly sophisticated, innovative, organized, and relentless in developing new and nefarious ways to attack institutions. Cyber risk represents a relatively new class of risk which brings with it the need to grasp the often complex technological aspects, social engineering factors, and changing nature of Operational Risk as a consequence of cyber.
Leadership has to understand the threat landscape and be fully prepared to address the associated challenges. It would be impractical to have zero tolerance to cyber risk, so institutions will need to determine their risk appetite with regard to cyber, and consequently, make direct governance, investment, and operational design decisions.
The new and emerging regulations are a clear directive to financial institutions to keep cyber risk at the center of their enterprise-wide business strategy, raising the overall bar for cyber resilience. The associated directives and requirements across the many regulatory bodies represent a good and often strong basis for cyber management practices but each institution will need to further ensure that they are tackling cyber risk in a manner fully aligned with the risk management strategy and principles of their firm. In this context, we believe the five moves represent multiple strategically important advances almost all financial services firms will need to make to meet business security, resiliency, and regulatory requirements.
Is the world sleepwalking into a crisis? Global risks are intensifying but the collective will to tackle them appears to be lacking. Instead, divisions are hardening. The world’s move into a new phase of strongly state-centred politics, noted in last year’s Global Risks Report, continued throughout 2018. The idea of “taking back control”— whether domestically from political rivals or externally from multilateral or supranational organizations — resonates across many countries and many issues. The energy now expended on consolidating or recovering national control risks weakening collective responses to emerging global challenges. We are drifting deeper into global problems from which we will struggle to extricate ourselves.
During 2018, macroeconomic risks moved into sharper focus. Financial market volatility increased and the headwinds facing the global economy intensified. The rate of global growth appears to have peaked: the latest International Monetary Fund (IMF) forecasts point to a gradual slowdown over the next few years. This is mainly the result of developments in advanced economies, but projections of a slowdown in China—from 6.6% growth in 2018 to 6.2% this year and 5.8% by 2022—are a source of concern. So too is the global debt burden, which is significantly higher than before the global financial crisis, at around 225% of GDP. In addition, a tightening of global financial conditions has placed particular strain on countries that built up dollar-denominated liabilities while interest rates were low.
Geopolitical and geo-economic tensions are rising among the world’s major powers. These tensions represent the most urgent global risks at present. The world is evolving into a period of divergence following a period of globalization that profoundly altered the global political economy. Reconfiguring the relations of deeply integrated countries is fraught with potential risks, and trade and investment relations among many of the world’s powers were difficult during 2018.
Against this backdrop, it is likely to become more difficult to make collective progress on other global challenges—from protecting the environment to responding to the ethical challenges of the Fourth Industrial Revolution. Deepening fissures in the international system suggest that systemic risks may be building. If another global crisis were to hit, would the necessary levels of cooperation and support be forthcoming? Probably, but the tension between the globalization of the world economy and the growing nationalism of world politics is a deepening risk.
Environmental risks continue to dominate the results of our annual Global Risks Perception Survey (GRPS). This year, they accounted for three of the top five risks by likelihood and four by impact. Extreme weather was the risk of greatest concern, but our survey respondents are increasingly worried about environmental policy failure: having fallen in the rankings after Paris, “failure of climate-change mitigation and adaptation” jumped back to number two in terms of impact this year. The results of climate inaction are becoming increasingly clear. The accelerating pace of biodiversity loss is a particular concern. Species abundance is down by 60% since 1970. In the human food chain, biodiversity loss is affecting health and socioeconomic development, with implications for well-being, productivity, and even regional security.
Technology continues to play a profound role in shaping the global risks landscape. Concerns about data fraud and cyber-attacks were prominent again in the GRPS, which also highlighted a number of other technological vulnerabilities: around two-thirds of respondents expect the risks associated with fake news and identity theft to increase in 2019, while three-fifths said the same about loss of privacy to companies and governments. There were further massive data breaches in 2018, new hardware weaknesses were revealed, and research pointed to the potential uses of artificial intelligence to engineer more potent cyber-attacks. Last year also provided further evidence that cyber-attacks pose risks to critical infrastructure, prompting countries to strengthen their screening of cross-border partnerships on national grounds.
The importance of the various structural changes that are under way should not distract us from the human side of global risks. For many people, this is an increasingly anxious, unhappy and lonely world. Worldwide, mental health problems now affect an estimated 700 million people. Complex transformations— societal, technological and work-related—are having a profound impact on people’s lived experiences. A common theme is psychological stress related to a feeling of lack of control in the face of uncertainty. These issues deserve more attention: declining psychological and emotional wellbeing is a risk in itself—and one that also affects the wider global risks landscape, notably via impacts on social cohesion and politics.
Another set of risks being amplified by global transformations relates to biological pathogens. Changes in how we live have increased the risk of a devastating outbreak occurring naturally, and emerging technologies are making it increasingly easy for new biological threats to be manufactured and released either deliberately or by accident. The world is badly under-prepared for even modest biological threats, leaving us vulnerable to potentially huge impacts on individual lives, societal well-being, economic activity and national security. Revolutionary new biotechnologies promise miraculous advances, but also create daunting challenges of oversight and control—as demonstrated by claims in 2018 that the world’s first gene-modified babies had been created.
Rapidly growing cities and ongoing effects of climate change are making more people vulnerable to rising sea levels. Two-thirds of the global population is expected to live in cities by 2050 and already an estimated 800 million people live in more than 570 coastal cities vulnerable to a sea-level rise of 0.5 metres by 2050. In a vicious circle, urbanization not only concentrates people and property in areas of potential damage and disruption, it also exacerbates those risks— for example by destroying natural sources of resilience such as coastal mangroves and increasing the strain on groundwater reserves. Intensifying impacts will render an increasing amount of land uninhabitable. There are three main strategies for adapting to rising sea-levels:
engineering projects to keep water out,
and people-based strategies, such as moving households and businesses to safer ground or investing in social capital to make flood-risk communities more resilient.
In this year’s Future Shocks section, we focus again on the potential for threshold effects that could trigger dramatic deteriorations and cause cascading risks to crystallize with dizzying speed. Each of the 10 shocks we present is a “what-if” scenario—not a prediction, but a reminder of the need to think creatively about risk and to expect the unexpected. Among the topics covered this year are
and the death of human rights.
In the Risk Reassessment section, experts share their insights about how to manage risks. John Graham writes about weighing the trade-offs between different risks, and András Tilcsik and Chris Clearfield write about how managers can minimize the risk of systemic failures in their organizations.
And in the Hindsight section, we revisit three of the topics covered in previous reports:
Over a third of directors of US public companies now discuss cybersecurity at every board meeting. Cyber risks are being driven onto the agenda by
high-profile data breaches,
distributed denial of service (DDoS) attacks,
and rising ransomware and cyber extortion attacks.
The concern about cyber risks is justified. The annual economic cost of cyber-crime is estimated at US$1.5 trillion and only about 15% of that loss is currently covered by insurance.
MMC Global Risk Center conducted research and interviews with directors from WCD to understand the scope and depth of cyber risk management discussions in the boardroom. The risk of cyberattack is a constantly evolving threat and the interviews highlighted the rising focus on resilience and recovery in boardroom cyber discussions. Approaches to cyber risks are maturing as organizations recognize them as an enterprise business risk, not just an information technology (IT) problem.
However, board focus varies significantly across industries, geographies, organization size and regulatory context. For example, business executives ranked cyberattacks among the top five risks of doing business in the Asia Pacific region but Asian organizations take 1.7 times longer than the global median to discover a breach and spend on average 47% less on information security than North American firms.
REGULATION ON THE RISE
Tightening regulatory requirements for cybersecurity and breach notification across the globe such as
the EU GDPR,
China’s new Cyber Security Law,
and Australia’s Privacy Amendment,
are also propelling cyber onto the board agenda. Most recently, in February 2018, the USA’s Securities and Exchange Commission (SEC) provided interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents.
Regulations relating to transparency and notifications around cyber breaches drive greater discussion and awareness of cyber risks. Industries such as
are subject to a large number of cyberattacks on a daily basis and have stringent regulatory requirements for cybersecurity.
Kris Manos, Director, KeyCorp, Columbia Forest Products, and Dexter Apache Holdings, observed, “The manufacturing sector is less advanced in addressing cyber threats; the NotPetya and WannaCry attacks flagged that sector’s vulnerability and have led to a greater focus in the boardroom.” For example, the virus forced a transportation company to shut down all of its communications with customers and also within the company. It took several weeks before business was back to normal, and the loss of business was estimated to have been as high as US$300 million. Overall, it is estimated that, as a result of supply chain disruptions, consumer goods manufacturers, transport and logistics companies, pharmaceutical firms and utilities suffered, in aggregate, over US$1 billion in economic losses from the NotPetya attacks. Also, as Cristina Finocchi Mahne, Director, Inwit, Italiaonline, Banco Desio, Natuzzi and Trevi Group, noted, “The focus on cyber can vary across industries depending also on their perception of their own clients’ concerns regarding privacy and data breaches.”
LESSONS LEARNED: UPDATE RESPONSE PLANS AND EVALUATE THIRD-PARTY RISK
The high-profile cyberattacks in 2017, along with new and evolving ransomware onslaughts, were learning events for many organizations. Lessons included the need to establish relationships with organizations that can assist in the event of a cyberattack, such as l
regulatory agencies and recovery service providers
including forensic accountants and crisis management firms.
Many boards need to increase their focus on their organization’s cyber incident response plans. A recent global survey found that only 30% of companies have a cyber response plan and a survey by the National Association of Corporate Directors (NACD) suggests that only 60% of boards have reviewed their breach response plan over the past 12 months. Kris Manos noted, “[If an attack occurs,] it’s important to be able to quickly access a response plan. This also helps demonstrate that the organization was prepared to respond effectively.”
Experienced directors emphasized the need for effective response plans alongside robust cyber risk mitigation programs to ensure resilience, as well as operational and reputation recovery. As Jan Babiak, Director, Walgreens Boots Alliance, Euromoney Institutional Investor, and Bank of Montreal, stressed, “The importance of the ’respond and recover’ phase cannot be overstated, and this focus needs to rapidly improve.”
Directors need to review how the organization will communicate and report breaches. Response plans should include preliminary drafts of communications to all stakeholders including customers, suppliers, regulators, employees, the board, shareholders, and even the general public. The plan should also consider legal requirements around timelines to report breaches so the organization is not hit with financial penalties that can add to an already expensive and reputationally damaging situation. Finally, the response plan also needs to consider that normal methods of communication (websites, email, etc.) may be casualties of the breach. A cyber response plan housed only on the corporate network may be of little use in a ransomware attack.
Other lessons included the need to focus on cyber risks posed by third-party suppliers, vendors and other impacts throughout the supply chain. Shirley Daniel, Director, American Savings Bank, and Pacific Asian Management Institute, noted, “Such events highlight vulnerability beyond your organization’s control and are raising the focus on IT security throughout the supply chain.” Survey data suggests that about a third of organizations do not assess the cyber risk of vendors and suppliers. This is a critical area of focus as third-party service providers (e.g., software providers, cloud services providers, etc.) are increasingly embedded in value chains.
FRUSTRATIONS WITH OVERSIGHT
Most directors expressed frustrations and challenges with cyber risk oversight even though the topic is frequently on meeting agendas. Part of the challenge is that director-level cyber experts are thin on the ground; most boards have only one individual serving as the “tech” or “cyber” person. A Spencer Stuart survey found that 41% of respondents said their board had at least one director with cyber expertise, with an additional 7% who are in the process of recruiting one. Boards would benefit from the addition of experienced individuals who can identify the connections between cybersecurity and overall company strategy.
A crucial additional challenge is obtaining clarity on the organization’s overall cyber risk management framework. (See Exhibit 1: Boards Need More Information on Cyber Investments.) Olga Botero, Director, Evertec, Inc., and Founding Partner, C&S Customers and Strategy, observed, “There are still many questions unanswered for boards, including:
How good is our security program?
How do we compare to peers?
There is a big lack of benchmarking on practices.” Anastassia Lauterbach, Director, Dun & Bradstreet, and member of Evolution Partners Advisory Board, summarized it well, “Boards need a set of KPIs for cybersecurity highlighting their company’s
unique business model,
supplier and partner relationships,
and geographical scope.”
Nearly a quarter of boards are dissatisfied with the quality of management-provided information related to cybersecurity because of insufficient transparency, inability to benchmark and difficulty of interpretation.
EFFECTIVE OVERSIGHT IS BUILT ON A COMPREHENSIVE CYBER RISK MANAGEMENT FRAMEWORK
Organizations are maturing from a “harden the shell” approach to a protocol based on understanding and protecting core assets and optimizing resources. This includes the application of risk disciplines to assess and manage risk, including quantification and analytics. (See Exhibit 2: Focus Areas of a Comprehensive Cyber Risk Management Framework.) Quantification shifts the conversation from a technical discussion about threat vectors and system vulnerabilities to one focused on maximizing the return on an organization’s cyber spending and lowering its total cost of risk.
Directors also emphasized the need to embed the process in an overall cyber risk management framework and culture. “The culture must emphasize openness and learning from mistakes. Culture and cyber risk oversight go hand in hand,” said Anastassia Lauterbach. Employees should be encouraged to flag and highlight potential cyber incidents, such as phishing attacks, as every employee plays a vital role in cyber risk management. Jan Babiak noted, “If every person in the organization doesn’t view themselves as a human firewall, you have a soft underbelly.” Mary Beth Vitale, Director, GEHA and CoBiz Financial, Inc., also noted, “Much of cyber risk mitigation is related to good housekeeping such as timely patching of servers and ongoing employee training and alertness.”
Boards also need to be alert. “Our board undertakes the same cybersecurity training as employees,” noted Wendy Webb, Director, ABM Industries. Other boards are putting cyber updates and visits to security centers on board “offsite” agendas.
THE ROLE OF CYBER INSURANCE
Although the perception of many directors is that cyber insurance provides for limited coverage, the insurance is increasingly viewed as an important component of a cyber risk management framework and can support response and recovery plans. Echoing this sentiment, Geeta Mathur, Director, Motherson Sumi Ltd, IIFL Holdings Ltd, and Tata Communication Transformation Services Ltd., commented, “There is a lack of information and discussion on risk transfer options at the board level. The perception is that it doesn’t cover much particularly relating to business interruption on account of cyber threats.” Cristina Finocchi Mahne also noted, “Currently, management teams may not have a positive awareness of cyber insurance, but we expect this to rapidly evolve over the short-term.”
Insurance does not release the board or management from the development and execution of a robust risk management plan but it can provide a financial safeguard against costs associated with a cyber event. Cyber insurance coverage should be considered in the context of an overall cyber risk management process and cyber risk appetite.
With a robust analysis, the organization can
quantify the price of cyber risk,
develop an effective risk mitigation, transfer and risk financing strategy,
and decide if – and how much – cyber insurance to purchase.
This allows the board to have a robust conversation on the relationship between risk, reward and the cost of mitigation and can also prompt an evaluation of potential consequences by using statistical modeling to assess different damage scenarios.
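The "statistical modeling to assess different damage scenarios" mentioned above is usually a frequency/severity simulation: draw a number of incidents per year, draw a loss size for each, and look at the distribution of annual totals with and without an insurance layer. The following is an added illustration, not code or figures from the report or from MMC; the Poisson rate, the lognormal severity parameters, and the policy terms (deductible, aggregate limit, premium) are constructed for the example and would in practice come from the organization's own incident history, threat assessment and broker quotes.

```python
"""Frequency/severity simulation of annual cyber loss with an insurance layer.

Added illustration, not from the source report. All parameter values below
are constructed for the example, not taken from survey or claims data.
"""
import math
import random


def poisson_draw(rng: random.Random, lam: float) -> int:
    """Knuth's method: number of incidents in one year at mean rate `lam`."""
    if lam <= 0:
        return 0
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(freq_lambda, sev_median, sev_sigma, years, seed=1):
    """Return a list of simulated gross annual losses (one value per year).

    Frequency: Poisson(freq_lambda) incidents per year.
    Severity:  lognormal per incident, given by its median and log-space sigma.
    A fixed seed makes a board pack reproducible from one quarter to the next.
    """
    rng = random.Random(seed)
    mu = math.log(sev_median)          # lognormal median == exp(mu)
    losses = []
    for _ in range(years):
        n = poisson_draw(rng, freq_lambda)
        losses.append(sum(rng.lognormvariate(mu, sev_sigma) for _ in range(n)))
    return losses


def apply_insurance(gross, deductible, limit):
    """Split one year's gross loss into (retained, recovered) under a policy
    with an annual aggregate deductible (retention) and an aggregate limit."""
    recovered = min(max(gross - deductible, 0.0), limit)
    return gross - recovered, recovered


def percentile(values, p):
    """Empirical rank percentile for 0 < p < 1, no interpolation."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, int(p * len(ordered)))
    return ordered[idx]


def summarize(gross_losses, deductible, limit, premium):
    """Board-level view: expected and tail loss, gross versus net of the policy.

    The net figure includes the premium, so it answers "what do we pay in a
    typical year, and in a bad year, if we buy this cover?"
    """
    net = [apply_insurance(g, deductible, limit)[0] + premium for g in gross_losses]
    return {
        "expected_gross": sum(gross_losses) / len(gross_losses),
        "p95_gross": percentile(gross_losses, 0.95),
        "p99_gross": percentile(gross_losses, 0.99),
        "expected_net_with_cover": sum(net) / len(net),
        "p99_net_with_cover": percentile(net, 0.99),
    }


if __name__ == "__main__":
    # Constructed scenario: ~2 material incidents a year, median incident
    # cost 100k, heavy right tail; policy with 250k retention, 1M limit, 50k premium.
    years = simulate_annual_losses(2.0, 100_000, 1.0, years=10_000, seed=7)
    for key, value in summarize(years, 250_000, 1_000_000, 50_000).items():
        print(f"{key:>26}: {value:,.0f}")
```

Running the block prints the expected annual loss and the 95th/99th percentile years, gross and net of the policy, which is the comparison a board needs to weigh premium against retained tail risk and against the cost of mitigation that would lower the frequency or severity inputs. Swapping the deductible and limit shows directly how much of a bad year the policy actually removes, which is the "business interruption" gap the directors quoted below are concerned about.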
CYBER INSURANCE ADOPTION IS INCREASING
The role of insurance in enhancing cyber resilience is increasingly being recognized by policymakers around the world, and the Organisation for Economic Co-operation and Development (OECD) is recommending actions to stimulate cyber insurance adoption.
Globally, it is expected that the level of future demand for cyber insurance will depend on the frequency of high-profile cyber incidents as well as the evolving legislative and regulatory environment for privacy protections in many countries. In India, for example, there was a 50% increase in companies buying cybersecurity coverage from 2016 to 2017. Research suggests that only 40% of US boards have reviewed their organization’s cyber insurance coverage in the past 12 months.
LIMITING FINANCIAL LOSSES
In the event of a debilitating attack, cyber insurance and associated services can limit an organization’s financial damage from direct and indirect costs and help accelerate its recovery. (See Exhibit 3: Direct and Indirect Costs Associated with a Cyber Attack.) For example, as a result of the NotPetya attack, one global company reported a decline in operating margins and income, with losses in excess of US$500 million in the last fiscal year. The company noted the costs were driven by
investments in enhanced systems in order to prevent future attacks;
cost of incentives offered to customers to restore confidence and maintain business relationships;
additional costs due to claims for service failures;
costs associated with data breach or data loss due to third parties;
and “other consequences of which we are not currently aware but may subsequently discover.”
Indeed, the very process of assessing and purchasing cyber insurance can bolster cyber resilience by creating important incentives that drive behavioral change, including:
Raising awareness inside the organization on the importance of information security.
Fostering a broader dialogue among the cyber risk stakeholders within an organization.
Generating an organization-wide approach to ongoing cyber risk management by all aspects of the organization.
Assessing the strength of cyber defenses, particularly amid a rapidly changing cyber environment.