
Cyber risks

Advancing operational resilience

Initiatives and developments to strengthen cyber resilience

By Robert Gordon, chair of the GFIA Cyber Risks Working Group



GFIA’s Cyber Risks Working Group had an active year responding to a variety of standard setter projects and various international developments, as well as sharing insights on domestic initiatives.

Engagement with IAIS on cyber resilience

In 2024, the working group engaged with the International Association of Insurance Supervisors (IAIS) in response to the Draft IAIS Application Paper on Operational Resilience Objectives [and Toolkit]. The IAIS developed the Objectives for the insurance sector to create a consistent foundation that helps supervisory authorities develop and strengthen their approaches to supervising insurers’ operational resilience, and to provide clarity on the application of existing supervisory materials. According to the IAIS, the Objectives were developed in recognition of the insurance sector’s complex, interconnected, cross-border nature, where insurers are increasingly embracing digital innovation, relying on third-party services to support their critical operations, and subject to operational risks that may be systemic in nature.



The Objectives address:

  • The relationship between operational resilience, governance and operational risk management
  • Key elements of a sound approach to operational resilience that encourage the effective and holistic management of insurers’ people and processes
  • Objectives for insurance supervisors

“Global cyber insurance premiums have continued to grow despite tighter terms and conditions and stricter risk selection.”


Managing risks: striking the right balance

While AI offers undeniable potential, it also brings challenges that must be carefully managed. A core challenge lies in ensuring that AI does not inadvertently lead to discrimination of groups or individuals. For instance, AI algorithms used in underwriting or claims handling must be carefully designed and tested to prevent unfair outcomes that could harm consumers and erode trust in the industry. Robust internal oversight measures are essential to ensure that these systems operate fairly.


In addition to insurers’ internal governance systems, an extensive regulatory and supervisory framework already addresses key aspects such as privacy, cyber security, anti-discrimination and more general consumer protection aspects. This combination of internal and external governance requirements makes the sector better equipped and prepared than many others to address potential AI-related risks.

In response to the IAIS consultation on the proposed Objectives, GFIA urged a proportional approach in developing supervisory practices, taking into account regional and jurisdictional circumstances. GFIA suggested that the IAIS clarify that the Application Paper does not set new standards or expectations but provides supporting material to assist in the implementation of existing standards. GFIA also encouraged alignment of key definitions with existing regulators’ definitions to support consistency across supervisory authorities.

The Operational Resilience Objectives represent the first phase of a two-part consultation. The second phase, to develop a draft Toolkit, is underway and will set out supervisory practices.

Cyber resilience: protecting against increasing and evolving risks

As cyber threats like ransomware draw intensified international attention, the insurance industry is increasingly engaged in shaping advocacy and strengthening its positioning on these pressing risks. In late 2024, the Cyber Risks Working Group exchanged insights with the IAIS Operational Resilience Working Group chair and IAIS staff on the latest IAIS and FSB developments, aligning on priorities for the coming year.

GFIA has also actively contributed its perspective to significant publications, including the Counter Ransomware Initiative (CRI) ransomware guidance and a joint statement released in October in conjunction with a CRI meeting in Washington, D.C.

The Cyber Risks Working Group and GFIA members continue to stay on top of rapidly changing industry developments, publications and consultations, and are committed to serving as an authoritative voice on cyber resilience and operational risk, making substantive contributions to IAIS and other regulatory frameworks.

With rapid technological change and innovation continually heightening cyber threats, addressing risks to cyber resilience is more urgent than ever.

"[The] combination of internal and external governance requirements makes the [insurance] sector better equipped and prepared than many others to address potential AI-related risks."

Robert Gordon

American Property Casualty Insurance Association
