Like many other industries, the insurance sector is continuously evolving. Regulators are taking note of these constant changes and are adapting by introducing policies that accommodate new technologies and business practices and prevent malicious exploitation of these new developments. In this article, we discuss their strategies and the implications for the Dutch insurance industry. We have identified three focus topics: information security management, combating financial crime, and sustainability & climate risks.
Information Security Management
Due to the growing adoption of digitalization and the interdependence between data systems, institutions are becoming increasingly vulnerable to cybercrime. Moreover, cyber-attacks are becoming steadily more advanced in nature. Industry professionals estimate cybercrime to generate $1.5 trillion in profits for criminals. If the ‘Republic of Cybercrime’ were to exist today, its income in terms of GDP would place it just behind Russia as the 13th largest in the world. The rapid increase in the volume and complexity of cyber-attacks and the rise in the volume and importance of data have become the primary catalysts for regulators to shift their focus towards cyber security.
Although seasoned professionals in the insurance industry might not think this to be a new development, this time it is different. New policies will require firms to demonstrate that the implemented policies and frameworks work more effectively than their previous versions, to justify the high costs of the cyber-security tools and processes that have failed to provide a sufficient sense of information security.
Therefore, our key take-aways from the DNB’s strategy regarding cyber security are:
- Insurers will need to implement the COBIT 5.0 standard (an IT management and governance framework).
- Information security professionals can no longer work in a silo but must be integrated in all aspects of the business.
- Security measures will be tested in practice, either through red team testing simulations by DNB or through a maturity level 4 requirement in the COBIT framework.
Combating Financial Crime
In the financial sector, ‘Know Your Customer’ (KYC) and ‘Anti-Money Laundering’ (AML) are established topics, especially for banks. Failure to meet AML and KYC requirements is very costly. A recent report finds that high levels of noncompliance are present in Europe, with 90 percent of the regional banks being heavily fined for money laundering in the past decade. According to the United Nations Office on Drugs and Crime (UNODC), the global money laundering market is estimated at approximately $2 trillion. A recent example from the Dutch market is ING, which settled allegations of insufficient AML practices for the record-breaking amount of €775 million. With the recent crackdown on banks’ KYC policies, it is expected that criminals will explore other options for money laundering. Although they are lower-risk products, insurance products are one of the potential alternatives that can bring an influx of criminal money into the sector. It is, therefore, important and inevitable for insurers to review, enhance, and, if required, revise their KYC and AML practices.
Insurance products that require large payments upfront in exchange for pay-outs later, such as annuities or single-premium life insurance policies, are potentially high-risk products. Alternatively, criminals can exploit weaknesses in AML policies by switching a product’s beneficiary where insurers forgo due diligence, or by abusing refund policies. In the latter example, criminals pay premiums up front and go for an early withdrawal, or a refund at a reduced rate, and subsequently have the pay-out sent to a different beneficiary.
Insurers should consider all relevant risk factors to combat financial crimes, which include product, geography, distribution, and customer risk factors. One way to start is with a risk assessment. A risk-based approach is especially important for life insurance, as shown in the policy paper written by the Financial Action Task Force (FATF) last October. Hence, if you work at an insurance company, ask yourself, “Do we, as a company, have a risk management model in place, and if so, are we aware of this model?”
Sustainability and Climate Risks
Another area of interest for insurers is sustainability and climate-related risks. Insurers’ liabilities consist primarily of long-term expected pay-outs. As sold products can remain active for decades, it is important to consider slow changes, as the combination of these slow effects can compound into a vastly different risk profile. Research by the DNB shows that a transition from a high-carbon to a low-carbon energy system will incur a loss of up to 11 percent in some scenarios. The scenarios can range from higher insurance pay-outs because of more extreme weather, to higher health insurance liabilities because of increasing life expectancy and obesity rates, and even to the disappearance of car insurance because of the potential widespread use of self-driving cars. These scenarios are quite possible and can lead to losses for insurers. Therefore, it is important for insurers to be aware of the changes in their business models and the negative consequences that might follow. Although their business models will drastically change, they will not disappear, and thus insurers have to be able to insure their expected claims.
We suggest that insurers look critically at their own business models by asking whether these models are sustainable or sensitive to macro risks such as climate change or rapid technological innovation.
Our colleague, Rob van Dijk, has previously discussed the difficulty of measuring the extent and impact of financial institutions on the environment here.
Managers at insurance firms should be more attentive to information security, financial crime, and sustainability-related risks. More specifically, the need to implement the COBIT 5.0 framework and to pay close attention to the criteria that are tested at maturity level four cannot be taken for granted. In addition, the KYC and AML policies should be expanded more rigorously and used as an opportunity to reach out more to clients. Finally, sustainability risks are of vital importance and should be incorporated into the risk models, possibly through ‘stress testing’.