CYBER RISKS
Inside and out
A focus on both insurers’ own cybersecurity and their underwriting of the cyber risks of others
By Stephen Simchak, chair of the GFIA Cyber Risks Working Group
GFIA’s Cyber Risks Working Group has spent much of its time over the last 12 months engaging with international organisations such as the International Association of Insurance Supervisors (IAIS) and the OECD on their cyber projects.
2022 has been a busy year at the IAIS on cyber issues, with two major workstreams underway on cybersecurity and cyber underwriting. The OECD, meanwhile, has been working on a project aimed at examining the insurance sector’s use of emerging technologies and innovations in supporting risk management and any constraints to leveraging the contribution of these technologies. The report from this project is expected to have a particular focus on cyber insurance. Issues around cyber risks have been discussed at the global level from various angles.
Fully operational
The IAIS’s Operational Resilience Task Force (ORTF) is developing an exploratory paper called an issues paper on cyber resilience in the insurance sector, which will provide background and describe current practices in insurers’ cyber security, including the use of third-party service providers (TPSPs) such as cloud service providers (CSPs).
GFIA greatly appreciated the ORTF’s willingness to engage with it during the drafting process, and I was pleased to be invited to present GFIA’s views on the supervision of insurers’ cyber resilience to the ORTF in a meeting in April 2022. The Working Group developed a set of “General principles of effective supervision of insurers’ operational resilience” to present to the IAIS and other international organisations. Those principles include:
GFIA looks forward to contributing to the IAIS work through the public consultation launched in October 2022 on the draft ORTF issues paper and through other opportunities to engage as the paper is finalised.
“Supervisory approaches to operational resilience in the insurance sector should not adopt inappropriate systemic risk frameworks from other financial sectors.”
Diving into cyber underwriting
The IAIS has also made cyber underwriting the 2022 “special topic” for its forthcoming Global Insurance Market Report (GIMAR). The GIMAR is an annual IAIS report on the outcomes of its Global Monitoring Exercise, aimed at identifying global insurance market trends and developments and assessing perceived systemic risk in the global insurance sector.
IAIS representatives have said on several occasions that in the GIMAR they are “undertaking a deep dive to assess cyber risk to the insurance sector, and how cyber underwriting could potentially mitigate or amplify financial stability risks”. While GFIA agrees that cyber underwriting helps mitigate financial stability risks, it is unclear how cyber underwriting could be viewed as “amplifying” them. GFIA has been in contact with the IAIS as it develops the GIMAR to share its views. The GIMAR is expected to be published later this year.
“It is unclear how cyber underwriting could be viewed as ‘amplifying’ financial stability risks.”
Awareness-raising campaigns
Insurers across Europe are involved in a broad range of awareness-raising campaigns. For instance, in Germany, risk-awareness campaigns are implemented jointly by state authorities, consumer protection organisations, the insurance industry, architects and other stakeholders. Their collaboration is built around a common goal: to raise awareness of the effects of climate change and natural hazards, of the benefits of loss prevention, and of best practices as regards natural catastrophe-resilient buildings. The high level of risk awareness in Germany is one of the reasons for the relatively low protection gap; indeed, the insurance penetration rate for natural perils such as storm or hail is more than 90%.
Most European insurance associations have initiatives to raise risk awareness, such as dedicated workshops, events and educational seminars, as well as frequent in-depth articles, themed newsletters, presentations and other publications.
Many French insurers have launched prevention campaigns and also support the campaigns of “Assurance Prévention”, an association founded by the French insurance association (France Assureurs). Assurance Prévention has produced numerous leaflets, infographics, quizzes, etc. to raise awareness of natural risks. Through its initiatives, it aims to develop a “culture of risk prevention” among students and teachers.
Education
The European insurance industry works to increase financial literacy in relation to risk awareness, insurance protection and long-term savings:
The Croatian Insurance Bureau (HUO) launched a first educational project in 2009, “Financial literacy in the Republic of Croatia”, which was followed by a range of educational activities, often implemented jointly with independent insurers. One of these activities, “Safer Tomorrow”, was initiated in 2021, and aims to raise citizens’ awareness of the benefits of insurance. Within the framework of the project, HUO launched several videos and infographics, some of which specifically target young people.
The HUO organises a yearly competition for the best scientific paper, the best graduate thesis and the best undergraduate thesis in the field of insurance. HUO also publishes the “Croatian magazine for INSURANCE”, a scientific journal for professionals to advance good practice in the sector. Finally, some insurers in Croatia created a colouring book for children to promote financial literacy at a young age in a fun and simple way.
In Italy, the ANIA Academy, together with CeTIF (Research Centre on Technologies, Innovation and Finance of the Università Cattolica del Sacro Cuore), launched the second edition (2022) of the 2nd level master’s in insurance management to train professionals and enable them to respond to the challenges of the “new normal”.
ANIA is also collaborating with LUISS Business School to develop a major course in insurance management as part of its Executive Master in Financial Management.
Insurance Europe produces information for consumers as part of its “InsureWisely” financial education initiative. This includes one-pagers on different insurance topics, including how to limit the effects of natural catastrophes.
The French insurance association (France Assureurs) developed a series of educational booklets within the framework of EDUCFI (the French national strategy for economic, budgetary, and financial education), an initiative launched by the French Central Bank. These booklets help users to better understand how insurance works and what insurance products do and do not cover.
The Spanish insurance association (UNESPA) set up a financial education programme for schools, “El Riesgo y Yo” (“The Risk and I”). It involves 40 insurance undertakings and 164 volunteers and aims to give 2 500 teenage school students basic financial knowledge and insights into risk management.
Tools and solutions for consumers
Several insurers have developed tools or applications to inform consumers of extreme weather events and whether their properties are at risk from such events.
In 2021, the German insurance association (GDV) introduced a new system for making the risk to buildings of heavy rain damage more transparent. Buildings are placed into one of three risk categories, depending on their location.
The German insurance sector has also developed the “Naturgefahrencheck” (Natural hazards check) and “Hochwassercheck” (Flood check) online tools. With one click, every citizen can check the degree to which their home is at risk of flood, hail and storms. It is quick and easy to understand, it provides the information by postal code area free of charge and it does not require registration.
Swedish insurers developed VisAdapt, a tool designed to help homeowners to decrease the risk of weather-related events affecting their houses.
The Austrian association of insurers (VVO) and the Austrian government jointly developed the HORA app/website (Natural Hazard Overview and Risk Assessment Austria), which helps to determine whether there is an impending risk of flooding or other natural hazards. The website also presents up-to-date weather data on floods, including on water levels, as well as earthquakes, storms, hail, lightning and snow.
French insurers participate in the National Observatory for Natural Risks, a project involving three major partners: the Ministry of Ecological Transition, the CCR (Caisse Centrale de Réassurance) and the MRN (Mission Risques Naturels), an association created by the French insurance association (France Assureurs). This initiative aims to boost prevention and contribute to increased awareness of the risk of natural disasters by keeping citizens informed of their exposure to potential natural hazards.
The Salvage Foundation was established as an independent foundation in 1986 at the initiative of Dutch fire insurers, which are all members of the Dutch insurance association (VVN). The Salvage Foundation is unique in Europe and provides aid after fire, water, lightning, explosion or storm damage. Salvage arrives on site within an hour, undertakes damage mitigation activities, arranges shelter and provides the insurance company with the information it needs to carry out the claim settlement process without delay.
Tools and solutions for insurers
Some associations have developed tools to help insurers assess the risks and consequences of natural hazards.
In Germany, ZÜRS Geo (Zonierungssystem für Überschwemmungsrisiko und Einschätzung von Umweltrisiken) is an online zoning tool that allows insurers to calculate accurately different types of flood risk and offer risk-related premiums.
ANIA Safe, a subsidiary of Italian insurance association ANIA, created GeoSafe, a platform that uses AI-based calculations and models to help insurance companies evaluate the risks and consequences of natural hazards and disasters, such as floods, earthquakes and crop damage.
The French insurance association (France Assureurs) created a dedicated technical body, Mission Risques Naturels (MRN) and MRN GIS (General Information System), to assist private insurers in analysing their customers’ and prospective customers’ exposure to different natural hazards. MRN GIS also gives insurers access to public authorities’ hazard-zoning data, and data on land-use planning restrictions by risk level.
The French CERES tool (accessible to insurers via the CCR website) helps private insurers to benchmark their geolocalised loss records against those of the market.
In Spain, UNESPA published a report to help insurers navigate the recommendations and opinions issued by supervisors and international organisations on the procedures for insurers to integrate sustainability risks and factors into the different areas of their governance.
Forecasting and early warnings
The Dutch insurance association (VVN) publishes an annual Climate Impact Monitor (Klimaat Impact Monitor) in collaboration with Wageningen University & Research (WUR). The Climate Impact Monitor provides a compilation of extreme weather data and loss data, and other climate-related data. The VVN collaborates with the Royal Netherlands Meteorological Institute (KNMI) on issuing early warnings of extreme weather events. Combining data from the KNMI with risk and loss data from Dutch insurers allows for greater preparedness in the face of changing weather patterns, and the development of solutions to prevent damage from future extreme weather events.
UK insurers carry out a range of activities to support national and regional forecasting of future weather and catastrophe patterns. They use these outputs to inform their business practices, including pricing decisions and risk-based capital assessments. The UK insurance sector also uses such modelling in its dialogue with policymakers and has lobbied for robust action on climate change by the government.
Floods
The Czech insurance association (ČAP) and Intermap Technologies, with the support of reinsurer Swiss Re, created flood maps that are used to assess the likelihood of floods occurring in the Czech Republic. ČAP members use the system to evaluate risks and calculate property insurance premiums. It is also a useful free tool for consumers, as it helps them to determine whether their property is situated in a flood zone and it provides them with important information about insurance options, indicating for instance where there would be a possible premium increase. (Commercial and company use requires a contract with Intermap Technologies). The map data is updated regularly to ensure consistency with the information used by ČAP members.
The German insurance sector has also developed the “Naturgefahrencheck” (Natural hazards check) und “Hochwassercheck” (Flood check) online tools. With one click, every citizen can check the degree to which their home is at risk of flood, hail and storms. It is quick and easy to understand, it provides the information by postal code area free of charge and it does not require registration.
Swedish insurers developed VisAdapt, a tool designed to help homeowners to decrease the risk of weather-related events affecting their houses.
The Austrian association of insurers (VVO) and the Austrian government jointly developed the HORA app/website (Natural Hazard Overview and Risk Assessment Austria), which helps to determine whether there is an impending risk of flooding or other natural hazards. The website also presents up-to-date weather data on floods, including on water levels, as well as earthquakes, storms, hail, lightning and snow.
In Germany, ZÜRS Geo (Zonierungssystem für Überschwemmungsrisiko und Einschätzung von Umweltrisiken) is an online zoning tool that allows insurers to calculate accurately different types of flood risk and offer risk-related premiums.
What are the ICS and AM?
The IAIS is seeking to create a common supervisory language for group solvency and to enhance the global convergence of group capital standards with the ultimate goal of introducing a global Insurance Capital Standard (ICS) for international groups. Since the beginning of 2020, a version of the ICS (ICS 2.0) is being monitored for a five-year period.
By the end of that five-year monitoring period, the IAIS also aims to have assessed whether the Aggregation Method (AM), which has been developed by the US and other interested jurisdictions, provides comparable outcomes to the ICS and can be considered an outcome-equivalent approach to ICS implementation.