IAIS Paper Cites Importance of Insurers' Operational Resilience

May 24, 2023

While operational resilience is not a new concept to insurers, their increased reliance on digital systems and their experience of the COVID-19 pandemic have heightened both the focus on that resilience and insurance supervisors' scrutiny of it.

In a new issues paper, the International Association of Insurance Supervisors (IAIS) examines factors affecting insurers' operational resilience and how insurance supervisors are approaching those developments. It does so with consideration of lessons learned from the pandemic.

"The digital age, as well as the accompanying risks posed by cyber threats and increasing reliance on technology, has been a reality for insurers for many decades," the IAIS says in its Issues Paper on Insurance Sector Operational Resilience. "The concept of operational resilience is not new, though recognition of the importance of adapting supervisory regimes to account for the growing reliance by insurers on digital systems is more recent."

The May 23, 2023, paper examines the issue of insurer operational resilience in three areas: cyber resilience, third-party outsourcing, and business continuity management. It also acknowledges that operational resilience is a broad and evolving area.

Cyber attacks grew as the COVID-19 pandemic spread and remote working became more widespread, the IAIS paper says. The IAIS cites international Financial Stability Board data showing the number of cyber attacks such as phishing, malware, and ransomware against financial institutions grew from fewer than 5,000 per week in February 2020 to more than 200,000 per week in late April 2021.

"The rapid move to hybrid and remote work presented risks to entities' operational resilience, in that it exposed certain new vulnerabilities to IT systems and increased the attack surface," the IAIS paper says. "In one third of cases, business continuity IT plans were not prepared for a long-term at-home work force. One fifth of the financial firms reported that their network operation activities were interrupted during the pandemic."

The paper notes that the pandemic provided further evidence of the need for insurance companies to have more comprehensive operational frameworks that consider risks that emerge from the use of digital technology, outsourcing critical business functions to third parties, and interruptions to normal business functions due to unforeseen events.

"While these considerations are applicable to near-term challenges, they may also empower the board and senior management (both present and future) to focus on operational resilience as an important strategic objective," the IAIS paper says.

Seeking to explain "operational resilience," the paper cites a 2021 definition by UK financial supervisory authorities that operational resilience is "the ability of firms, their groups, and the financial sector as a whole to prevent, adapt to, respond to, recover from, and learn from operational disruptions."

The UK approach considers that resilience is addressed most effectively by focusing on an insurer's important business services, rather than on systems and processes in isolation, the IAIS paper says.

"The UK policy underscores that, from time to time, disruptions will occur that prevent an insurer from operating as usual and that insurers need to consider a range of severe but plausible disruption scenarios," the IAIS paper says. "This approach acknowledges that blind spots can act as a substantial step towards shocks and disruptions becoming reality."

Meanwhile, in the United States, in 2020 the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation offered their own definition of operational resilience, the IAIS says. The US agencies defined operational resilience as "the ability to deliver operations, including critical operations and core business lines, through a disruption from any hazard."

Operational resilience, the US agencies said, is the outcome of effective operational risk management, combined with sufficient financial and operational resources to allow an organization to prepare, adapt, withstand, and recover from disruptions.

"Drawing from these definitions, operational resilience can be considered as an outcome that emerges from a wide array of practices and disciplines currently used by insurers," the IAIS paper says. "An operationally resilient insurer is one that can encounter, withstand, mitigate, recover, and learn from the impact of a broad range of events that have the potential to disrupt the normal course of business by impacting critical operations or systems."

An essential premise in operational resilience is the assumption that disruptions will occur and that insurers should consider their tolerance for such disruptions, taking that tolerance into account as they shape their operational frameworks, the IAIS says.

According to the IAIS paper, many insurance supervisory authorities currently seek assurances that insurers have sound governance frameworks, and that boards and senior management are providing adequate oversight of the companies' resilience measures and strategies to mitigate risks associated with operational disruptions.

The IAIS paper says it's important for insurance supervisors to have access to a wide range of information in order to create effective operational resilience supervisory strategies. That should include information on an entity's operational resilience framework and on the potential threats to the insurance sector.

"To gather this information, some supervisors proactively engage with an entity's board and senior management to understand the effectiveness of an entity's operational resilience framework," the IAIS report says. "Maintaining an open and constructive communication channel can also aid both supervisors' and insurers' understanding of emerging issues of potential concern related to operational resilience."

The report added that effective information sharing among insurance supervisors and across the insurance sector could also help strengthen supervisors' oversight and insurers' management of their operational resilience.
