The PRA published an update on its approach to insurance supervision on 31 October 2018. In the update, it introduced a new section on operational resilience.
This follows the discussion paper published jointly in July 2018 by the PRA, FCA and Bank of England, in which the regulators made clear that the operational resilience of firms is a priority and is “viewed as no less important than financial resilience”.
Sam Woods, Chief Executive of the PRA, has stressed that operational resilience matters more now due to:
- more consumers accessing banks and insurers digitally and operational failures becoming visible quicker in the age of social media; and
- the increase of cyber attacks.
This message has been consistent from the regulators. In October 2018, the FCA fined Tesco Bank £16.4m (which would have been £33.56m, but for early settlement and co-operation) following a cyber attack that exploited deficiencies in Tesco Bank’s financial crime controls and debit card payment systems. The fine was issued for failing to exercise due skill, care and diligence in protecting its personal current account holders against a cyber attack – in substance, a failure to ensure cyber resilience. In the FCA’s press release, Mark Steward, Executive Director of Enforcement and Market Oversight at the FCA, said that the fine showed the FCA “has no tolerance for banks that fail to protect customers from foreseeable risks.” It can be assumed that the same approach would be taken with insurers.
All firms – big or small – are expected to put plans in place to resume essential and systemically important functions in the event of major disruption. In particular, the regulators expect firms to develop “impact tolerances” and “acknowledge that disruptive events will happen”.
However, having documented plans and procedures in place is only one element of a resilience framework; firms must also ensure that their personnel understand those plans, have been appropriately trained in how to implement them, and have tested them against realistic disruption scenarios before they are needed.
While the increased use of technology can lead to vulnerabilities if it is not properly implemented, maintained and managed, it is also the case that firms are looking to technology to provide solutions and facilitate resilience. For example, third party cloud solutions may provide a more modern, secure and resilient infrastructure than a firm’s own legacy IT systems, as long as the risks of outsourcing are understood and managed and the firm recognises that it remains responsible to the regulator for the resilience of the outsourced service.
The insurance market has argued against proposals for substantially changing recovery and resolution rules for insurers. Insurance Europe, a trade body comprised of insurance associations, asserted current safeguards under Solvency II are sufficient and that overhauling the current rules is unnecessary. See here for full comment by Steven McEwan, partner at Hogan Lovells.
Notwithstanding this, it is clear from the PRA’s updated approach that it will be pushing forward with the development of its supervision of operational resilience for insurers into 2019.