EIOPA has identified cyber, including silent cyber, aggregation as a key risk. What must the (re)insurance sector do to ensure it can to write this risk prudently and effectively – and how might governments or government agencies help, for example, through the provision of data?
The issue of potential accumulation risk for cyber insurance mainly stems from a) the lack of historical data –which makes it difficult to correctly measure and price cyber exposures – and b) from non-affirmative cyber exposures – where coverage for cyber risk is neither explicitly included nor excluded from traditional insurance policies.
The industry should therefore carefully review its current contracts to address potential nonaffirmative cyber exposures and rewrite contracts where necessary. While common efforts to assess and address non-affirmative cyber risks are under way, the lack of quantitative approaches, explicit cyber exclusions and action plans to address non-affirmative cyber exposures suggest insurers are currently not fully aware of the potential exposures to cyber risk. Indeed, we see that some insurers have adopted a ‘wait-and-see’ approach to address non-affirmative cyber risk, where the implementation of actions plans to address nonaffirmative exposure depends to on the materialization of future events. This approach in dealing with cyber risks can be particularly problematic, as insurers may suffer substantial unforeseen losses in traditional polices if a cyber incident materializes.
The lack of transparency in non-affirmative exposures also creates uncertainty for policyholders, as often it is not clear whether their insurance policies would cover their cyber claims. Therefore, to tackle properly non-affirmative cyber exposures further effort is needed to address the issue of potential accumulation risk and provide clarity to policyholders.
Going forward, through more and a better collection of data on cyber incidents and losses, insurers should be in a better position to manage and price their affirmative cyber risk exposures by making use of policy limits and/or reinsurance to transfer accumulation/tail risks. A European wide cyber incident reporting taxonomy could help to foster data collection and data sharing on cyber risk exposures. This could ultimately underpin the further development of the European cyber insurance industry and act as an enabler of the digital economy.
What are the pros and cons of having state cyber pools acting as reinsurance backstops for the sector, as some carriers have suggested?
The insurance industry does not have the capacity to deal alone with systemic cyber events. Naturally, cyber incidents are not bound by geographical borders, unlike nat-cat events where geographical diversification allows for risk pooling at a global level. Furthermore, given the potential for significant accumulation of losses and the difficulties in estimating the extent of major cyber incidents, some form of government backstop might be needed to address potential systemic cyber events. At the same time, a government backstop may also lead to moral hazard, where private companies and the insurance industry would not do enough to enhance cyber resilience and/or would deem cyber insurance too expensive, knowing that the government would step in case of an emergency.
Therefore, to strike the right balance any government backstop would have to be considered carefully. EIOPA will further investigate the possibility of a government backstop, in consultation with the industry and other regulatory bodies.
You have talked about the possibility of making cyber insurance compulsory – are we heading in that direction?
Cyber insurance is a crucial enabler of the digital economy. Without proper insurance for new technologies, businesses may be reluctant to adopt these technologies and innovate further.
The innovation and efficiency brought with the use of new technologies will only become a reality if we find collective solutions to deal appropriately with cyber risk. That calls for an appropriate framework for cyber risk assessment, resilience and coverage. The insurance sector has an important role to play in establishing good risk management practices and the associated insurance coverage.
As the cyber insurance market matures further and better data on cyber risk becomes available, we expect more standardized products adopted increasingly by businesses independent of size, organisations and individuals. At the point in time, when cyber insurance has been well established, then we may also discuss the potential mandatory cyber insurance to support the provisions of services in the digital economy.
Can you describe the practical challenges and benefits as the euro-zone supervisor of supervisors of promoting regulatory convergence while allowing scope for national regulators to react to local conditions and for governments to implement EU directives in their own way?
EIOPA's main strategic priority is the convergence of supervisory practices. The aim is to ensure high quality supervision in order to prevent regulatory arbitrage and to safeguard a similar level of protection for all policyholders and beneficiaries in the European Union.
EIOPA has recently published a report on its supervisory activities in 2018 and the priorities for 2019, highlighting three priority areas for action:
- Development of new common supervisory instruments, with particular attention to the supervision of technical provisions of insurance companies
- Supervision of cross-border service delivery, focusing on the detection and supervision of companies with unsustainable business models
- Supervision of emerging risks, with a special look at the supervision of the specialized companies in run-off and the role of private equity
In 2019, EIOPA attaches special attention to the supervision of market conduct, in particular to the identification of business models and products that potentially represent a significant concern regarding consumer protection. To this end, EIOPA will analyse a set of risk indicators, promote a Europe-wide review of practices in certain business areas and establish a program of "mystery-shop" activities to be implemented across the European Union.
In February, you called on member states to establish statutory frameworks to provide for contract continuity after Brexit. From what you have seen so far, will these ensure consumers and other insureds get claims paid - and that insurers and brokers are not sued in the process?
The member states mainly concerned by cross-border business from insurers of the United Kingdom (UK) - such as Germany, Spain, France, Ireland and Italy - implemented transitional measures to allow the orderly run-off of residual cross-border contracts from UK insurers.
These measures will ensure service continuity and claims payments on a proper legal basis for contracts where the timely finalisation of the contingency plans, in particular the portfolio transfer to an undertaking or branch based in countries of the European Economic Area (EEA) is not feasible. Besides ensuring the orderly run-off of the insurance business national supervisory authorities have to ensure also the appropriate supervision.
Furthermore, as a first priority EIOPA together with the national supervisory authorities are closely monitoring the developments requesting the firms to make every effort to finalise the implementation of the contingency plans before the Brexit date. Moreover, EIOPA facilitates the necessary cooperation through the establishment of cooperation platforms to address any issues arising from residual cross-border insurance.
What would a Brexit without an equivalence designation for the UK insurance sector mean for the sector as a whole and for insureds in the EEA - and given that the political agreement looks so uncertain, how do you high do you rate the risk of that happening?
As part of the political declaration in case of the endorsement of the Withdrawal Agreement, an equivalence assessment is foreseen. In case of a no-deal scenario, the multilateral memoranda of understanding established between EIOPA and all national supervisory authorities of the 30 EEA countries with the Bank of England and the Financial Conduct Authority will take effect. These Memoranda of Understandings ensure cooperation in the fields of insurance prudential and conduct supervision (‘supervisory cooperation’), for mutual assistance and regular exchange of information with the aim:
- To maintain sound prudential and conduct supervision over (re)insurance undertakings and groups based either in the UK or in an EEA member state, with crossborder business activities in the EEA or the UK respectively
- To maintain financial stability of the financial markets within the EEA and/or the UK
These Memoranda of Understandings contribute to meet our primary objective of protecting policyholders and beneficiaries in the EEA member states and the UK, in case of “No-deal” Brexit scenario. They will ensure a continuous strong and close cooperation with our UK colleagues in any scenario. In addition, the benefits of conducting a full equivalence assessment of the UK solvency regime will be further evaluated in due course.
Given that current arrangements between UK insurance undertakings and intermediaries for post-Brexit trading vary somewhat from member state to member state, how likely is it that national supervisory authorities will change their initial requirements of the entities – for example on the issue of management substance?
Already in July 2017, EIOPA issued principles on the supervisory approach to the relocations from the UK with the objective to foster supervisory convergence and to ensure sound and convergent practices linked with the authorisation process. The principles include granting authorisation and approvals, governance and risk management, the outsourcing of critical and important activities and the on-going supervision as well as monitoring by EIOPA.
Sound supervision demands appropriate location of management and key functions. Empty shells or letter boxes are not acceptable. Since then EIOPA is continuing to monitor closely the developments and any possible effects on financial stability and consumer protection by applying a risk-based approach and using information collected from the national supervisory authorities. EIOPA conducts its analysis and makes use of its powers and oversight tools to support supervisory convergence through bilateral engagements with the national supervisory authorities, providing opinions and initiating investigations as the need arises.
Guidance on the application of the Insurance Distribution Directive (IDD), the legal framework for insurance intermediation, regarding UK distributors after the withdrawal is part of the EIOPA Recommendations issued in February this year. According to the Recommendations, national supervisory authorities should ensure that intermediaries, which are legal persons established and registered in the European Union, demonstrate an appropriate level of corporate substance, proportionate to the nature, scale and complexity of their business. Again, these intermediaries should not display the characteristics of an empty shell. Moreover, the professional and organisational requirements of the IDD must be met on a continuous basis. This is without prejudice to the right of the Member States to introduce special provisions in their national law for third country intermediaries if equal treatment of ntermediaries in the respective market is guaranteed.
How well do you feel regulators have achieved the balance between creating the conditions for InsurTechs to thrive and ensuring their regulation is robust enough?
The challenge with innovation and digitalisation is that the situation is evolving fast. The situation is dynamic and a normal balance cannot be easily found or indeed anticipated. New techniques, business models as well as products and services emerge at an increasing pace, while traditional activities are potentially transformed from an efficiency perspective and a depth of analytics perspective. As our work on Big Data Analytics shows, to put it simply, the regulatory target is moving.
EIOPA aims to enable consumers and the industry to harness the benefits arising from InsurTech, but at the same time to ensure adequate levels of consumer protection and financial stability in the markets. In this context, I find it encouraging that regulators are putting significant resources into building capacity lines of communication with firms, new fora for engagement with stakeholders (innovation hubs and sandboxes) and new formations amongst national supervisory authorities and within EIOPA our InsurTech Taskforce, alongside exploring the human resources and skills needed to address innovation fully.
On this basis, in my view we have a chance of striking a good balance in the basis of proper understanding and a risk-based and evidence-led perspective, both of which are critical for the regulation of our sector from both prudential and conduct perspectives.
You’ve just opened a consultation on outsourcing to cloud service providers. How great do you see the concentration risk for individual insurance undertakings – and could the industry’s increasing reliance on this type of service even be described as posing a systemic risk?
Given the specific characteristics of cloud services, there is a natural concentration of players in the market. In general the bigger the provider the more reliable and cheaper its
services are. For this reason the concentration of cloud service providers could represent a risk not only from the point of view of individual undertakings but also at industry level, as large suppliers of cloud services can become a single point of failure when many undertakings rely on them.
While recognising that there is a potential systemic risk on the large transition to the cloud, the use of cloud computing is an enabler for innovation in the financial sector and this – thanks to its specific characteristics – is even more true for the insurance sector and risks and benefits should be properly weighted.
In terms of benefits, the use of use of cloud solutions for core operations and support functions gives the undertakings the opportunity to be customer centric companies thanks to – among other things:
- Artificial intelligence embedded within their processes
- Use of big data analysis - just think about the data from black-boxes or from wearables
- Process automation and increased customer service
- Culture of experiments - growing of InsurTech, new products and business models
Moreover, the use of cloud solutions brings new opportunities to the undertakings, such as to scale up their operations to manage peaks of workloads, to increase their resiliency and under certain conditions to increase IT security for the services on the cloud.
However, mainly due to the specific characteristics of cloud services (i.e. standardised delivery model and shared responsibility model) the transition towards its adoption and cloud day-to-day management poses some challenges. These challenges need careful assessment. They consist mainly of cultural shift of the management, the business, the IT risk management and control functions; the management of data protection requirements and data location; IT security issues and concentration risk.
From a regulatory perspective, in the insurance sector and likewise in the other financial sectors, the purchase of cloud computing services falls within the broader scope of outsourcing, which is the framework to manage these risks. This framework requires the undertakings to be fully responsible to comply with all the regulatory obligations when they outsource to cloud service providers. EIOPA decided to issue guidelines to provide clarity to the market participants on how to apply the outsourcing provisions in the context of purchasing cloud services.
Regarding the possible systemic nature of this risk further work is needed in the context of the overall financial sector and not of the insurance sector only.
GDPR is almost 14 months old. What are you observations about how the (re)insurance sector is managing under the new regime?
The General Data Protection Regulation (GDPR) sets the standards for the collection and processing of personal data across the different sectors of our economy. This is very relevant for the insurance industry, since the processing of personal and non-personal data has historically been at the very core of the business of insurance undertakings. Moreover, indeed data has always been used to inform underwriting decisions, price policies, settle claims and prevent fraud. Therefore, the processing of this data and the mathematical calibration and validation of models based on this data is a crucial and already wellestablished step in the insurance sector where the different key functions of the undertakings (compliance, audit, actuary and risk management functions) are involved. The GDPR has added a number of new relevant requirements, such as requirement to appoint Data Protection Officers or develop data privacy impact assessments (DPIA) or rules regarding the legal grounds for processing personal data. Moreover, many of the principles underpinning the GDPR are in line with the requirements of the insurance legislation; this is particularly the case of the requirement to treat consumers fairly or to have in place sound governance arrangements.
Earlier this year, EIOPA published its key findings of a thematic review on the use of Big Data analytics (BDA) on motor and health insurance, which concluded that although insurance firms generally already have in place or are developing sound data governance arrangements, there are also risks arising from BDA that need to be further addressed in practice. Some of these risks are not new, but their significance is amplified in the context of BDA. This is particularly the case regarding ethical issues with the fairness of the use of BDA, as well as regarding the accuracy and explainability of certain BDA tools such as Artificial Intelligence (AI) and Machine Learning (ML). We are going to continue working on these two key areas in close collaboration with stakeholders. To this extent, we recently launched a call for candidates for a Consultative Expert Group on digital ethics insurance, to assist EIOPA in the development of digital responsibility principles in insurance, which will address the use of new business models, technologies and data sources in insurance.
Across Europe, how do you perceive the heavy natural catastrophe losses of 2017 and 2018 to have affected underwriting decisions?
In 2017, apart from the hurricane trio of Harvey, Irma and Maria, which has cost the insurance industry a record amount, unusually low temperatures in April in Europe caused billions in damage to European farmers. Losses caused by the late frost amounted to €3.3bn, of which only around €600m was insured, given the low insurance penetration in the agricultural sector1. In 2018, the most expensive natural catastrophes was a wildfire in northern California with overall losses of US$ 16.5bn. In Europe, the sustained drought, which caused substantial agricultural losses and many wildfires, was Europe’s costliest natural disaster of the year. Direct losses were up to €3.2bn, with only a small proportion of these losses insured.
These latest climate-related events show that there is a clear need to change the way risks is assessed for perils such as wildfire or drought, which can be strongly impacted by climate change. For example for wildfire, most (re)insurers used historical data to price their risk, which did not necessarily reflect the amount of losses seen in the last two years due to wildfire. Some (re)insurers and model vendors are now very active in developing new probabilistic wildfire models to allow for a better risk estimation. The contract wordings for climate-related perils need an update as under the soft market conditions, hours’ clauses were typically lengthened, leading to greater losses for reinsurers, with cedants able to choose whether to name the loss as one event or two.
Finally, it should be noted that the insurance penetration for the 2017 and 2018 events in Europe was very low showing clearly that there is a risk of a protection gap in the agricultural sector.
Many (re)insurers have concerns about the European Commission’s Sustanable Finance Action Plan, including pressure for them to stop underwriting fossil fuel assets. As sustainability factors and risks are integrated into Solvency II and the IDD what reassurance an you give of flexibility?
The European Commission’s Action Plan on Sustainable Finance recognises that the insurance sector plays a key role in the movement towards a more sustainable economy. At the same time, it acknowledges that (re)insurers are exposed to risks related to unsustainable economic development. In its Advice to the European Commission on the integration of sustainability risks in the delegated acts under Solvency II and IDD, EIOPA highlighted that sustainability risks could affect both the assets and the liabilities of insurance and reinsurance undertakings’ balance sheets. For example, an increase in environmental risks may have an impact on losses, or would require additional data in the underwriting process.
Some insurers may decide to stop underwriting certain assets due to environmental or social considerations. From the prudential point of view, the main concern is that undertakings properly identify, assess and manage their exposure of risks including the reputational risk. Currently the majority of undertakings do not take explicit account of sustainability risks in their underwriting policies and pricing decisions and this is something that should change. The proposed amendments by EIOPA in the Solvency II and IDD delegated acts are sufficiently flexible to allow for quite different relevant approaches and strategies.
A key aspect of EIOPA’s advice is the integration of sustainability in the prudent person principle for investments under Solvency II. In particular, insurers should reflect the impact of their investments on sustainability, promoting a stewardship approach by insurers and reinsurers. At the same time, EIOPA emphasises the relevance of integrating sustainability risks in the investment decisions and underwriting practices.
As we approach the Solvency II review next year what report card would you give the near-four-year old regulation and what is in most urgent need of fixing?
First, it should be note that the implementation of Solvency II is a success. It allowed for better alignment of capital to the risks incurred by operators, a significant reinforcement of risk management practices and increased transparency. Thus, overall the European insurance industry is well capitalized.
The review of Solvency II must ensure that it is adapted to the new realities of the market without changing its basic principles. An evolution, no revolution. The first phase of the review, already completed, focused on reducing complexity, increasing proportionality and updating the risk loads of some assets (for example, unrated debt and unlisted shares) in light of the existing information.
The most comprehensive review, to be carried out in 2020, includes among others the following essential points:
- The design and calibration of the long-term life insurance scheme
- Proportionality of the information provided to supervisors and the market, with the aim of simplifying and standardizing
- New macro-prudential instruments and powers aimed at strengthening supervision of systemic risk
- A European minimum harmonization regime for the recovery and settlement of insurance undertakings, including a system of guarantee funds.
EIOPA is working in all these areas. We will submit our proposed amendments to the European Commission in June 2020. In this context, EIOPA published last week the first consultation package on increased proportionality of supervisory reporting and public disclosure as well as its consultation on the harmonisation of national insurance guarantee schemes.