Canadian Underwriter
Feature

Risk and Disruption

The threat of extortion-driven cyber attacks is "a massive issue now" for insurance companies, while insurers' own risk and solvency assessments have been "quite well done," speakers told attendees of KPMG's recent insurance issues conference.


January 2, 2017   by Angela Stelmakowich, Editor; and Jason Contant, Online Editor


Print this page

KPMG’s 25th Annual Insurance Issues Conference
Toronto

 

At KPMG’s recent Insurance Issues Conference, speakers explained how insurance providers are responding to fintech, the challenge of assessing the impact of cyber risk on solvency and the risk to insurers of data breaches affecting healthcare organizations. One expert further suggested that industry consolidation could lead to fewer mid-sized players.

CYBER RISK

Data breaches involving personal and health-related information are a “huge risk for those in the insurance industry” given that the shelf-life of the data likely runs as long as the affected individual remains alive, Kevvie Fowler, national leader of cyber response for KPMG in Canada, suggested at KPMG’s 25th Annual Insurance Issues Conference, held this past December in Toronto.

Fowler made that observation during a panel discussion, Navigating today and tomorrow’s risk landscape.

How long is the shelf life of personal and health-related information? “Hopefully, infinite, but in reality, as long as the individual who owns the record stays alive,” Fowler told attendees, estimating that would likely be “40 or 50 years on average.”

Citing a recent KPMG review of some top breaches — involving a million records or more and occurring from December 2013 to the end of April 2016 — Fowler reported that personal and health-related information was the category most often involved.

That sort of information — “other” and financial data were the other categories — includes “medical and insurance information, personally identifiable information, usernames, passwords, anything along those lines,” Fowler said.

“A lot of people in the insurance industry have” all three types of information, he pointed out. And the shelf life of personal and health-related information dwarfs that of other information types, expected to be “a few weeks or a few months tops” before the breach is discovered and records cancelled.

Fowler argued that cyber criminals are looking for the longest possible expiring date. In some cases, criminals are “breaking into the banks, they’re walking right by the financial data and they’re downloading personal and health-related information,” he said.

Other developing risks in the cyber space include cyber extortion-driven attacks.

“That’s a massive issue now for organizations,” including those in the insurance industry, Fowler said. These attacks can, for example, mean people are unable to get on a company website, make policy changes or apply for policies, he noted.

“It really brings organizations down to a screeching halt,” Fowler told attendees.

However, cyber criminals are not necessarily even hitting organizations before getting paid; they are simply threatening to attack.

Called proactive extortion, “instead of sending an email, trying to entice someone to click on a link to infect a machine or to open a delicious attachment,” Fowler said, criminals are just selecting an organization and sending an email containing a threat.

These emails, he noted, might say something like the sender has not “done anything yet, but if you don’t pay us a ransom,” ransomware will be installed or the organization’s website will be disabled via a distributed denial of service attack.

Consider the liability associated with a warning that was received, but ignored. It is “important that organizations have a protocol in place to actually deal with these to qualify them and, where required, to actually act on,” Fowler said.

“Doing the right thing is half of the equation; being able to demonstrate proper oversight and governance at the senior levels of an organization are equally as important to put yourself in a cyber-defensible position,” he said.

LONG VIEW

The insurance industry as a whole needs to focus more on long-term issues, Neville Henderson, the assistant superintendent of the insurance supervision sector of the federal Office of the Superintendent of Financial Institutions (OSFI), suggested at KPMG’s 25th Annual Insurance Issues Conference.

Henderson told attendees that the industry often focuses its efforts on profitability and satisfying shareholders, with a tendency to focus more on the short-term than the long-term.

“I think companies need a heavier focus on the long-term issues,” Henderson said during the session, Regulation in a changing world.

The long-term is changing so dramatically, he said, using the example that “we can no longer say that interest rates are cyclical. We are in a position where it looks like there is a structural change in interest rates and they will remain low for some time in the future.”

Or consider an earthquake in the Toronto-Montreal corridor that has significant cost impacts right across the industry. “The real issue of catastrophes in Canada is the size of the industry and its ability to take on a significant catastrophe,” he said during the session, moderated by Mary Trussell, global insurance change lead partner at KPMG in Canada.

Looking long-term, “what could happen to the capital position if, in fact, some of these rather dire scenarios actually come to manifest?” Henderson asked.

Yet another example is ORSA, the Own Risk and Solvency Assessment, an insurer’s own assessment of its risks, capital needs and solvency position.

“I’ve always thought that ORSA should have been developed by the industry, not by us,” Henderson argued. “That would indicate they’re really thinking a long ways out and we don’t see that happening. The profession needs to think much further out.” For example, “stress testing is important in the long run to see what’s going to happen 30 and 40 years out and what changes could happen and how it could affect the company’s capital position,” he said.

Despite the challenges in the long-term approach, ORSA is improving considerably, Henderson reported. While OSFI doesn’t demand every ORSA report from companies, it does monitor the issue, he said, adding that “the ones we’ve seen are quite well done. It used to be they were very actuarial – full of tables – but now we’re actually seeing them written towards the audience.”

Henderson also touched upon insurers’ preparedness against cyber attacks, which he said is “kind of across the board,” with some companies pretty well-prepared and others less prepared. “The whole issue kind of took the industry by surprise,” he suggested.

But the insurance industry, by and large, has addressed the cyber issue.

Henderson said OSFI has asked companies to do a self-appraisal of where they stand with respect to cyber risk, and monitored the performance. “Some of them have been very progressive,” he reported. “They actually invite outside groups of hackers in and don’t tell their internal people and say, ‘Go to it. Try to bring down our service.'”

While recognizing that there is not a lot of experience on which to base cyber premiums, OSFI does look at whether companies follow a generally accepted pricing practice and have conducted appropriate stress testing. “It’s important that they can see what happens to their capital position if things get out of whack,” Henderson said. “We want to make sure companies have put reasonable protection inside their policies so they don’t take on more risk on an individual case that they can afford to manage. Their risk policies should reflect how they are going to manage that business. In other words, if it gets too large a block or if there is too much risk, when do I pull the trigger and either slow down sales or stop sales until I figure out the problem and fix it?”

While risk assessments are helpful, the reality is that the insurance environment is constantly changing, as are the needs for insurance, Henderson told attendees.

“I think it’s healthy for insurance companies to innovate and address those risks,” he suggested. “I think it creates new markets. I think if we ignore those markets, the industry will become redundant.”

CONSOLIDATION

The continued consolidation in both the insurance broker and carrier spaces in Canada could create an absence of mid-sized players, a speaker suggested at KPMG’s 25th Annual Insurance Issues Conference in Toronto.

“You could see a creation of an absence of mid-sized players, where there is a move to smaller, regional niche players and more on the larger players,” said Georges Pigeon, partner, deal advisory, with KPMG in Canada.

“Now, whether in the (property and casualty) carrier space, we are going to see a development of larger players as it continues to consolidate and some of the smaller, niche/regional players and the middle will empty itself, it’s still to see.”

Pigeon was a panel member of the Trends in P&C session at the conference. Moderated by Pierre Lepage, partner and business leader, p&c actuarial with KPMG in Canada, the panel also featured Joel Baker, president and chief executive officer at MSA Research Inc. and Houston Cheng, consulting actuary and senior manager at KPMG.

Pigeon discussed merger and acquisition (M&A) trends related to the p&c, life and distribution channels, focusing on expected “drivers and catalysts” for M&A activity in Canada in the coming year. One is succession planning, especially in the broker space while another is fintech and insurtech.

“Here, I would like to be careful,” Pigeon cautioned in relation to insurtech, or the application of technology in insurance. “Because having gone through the Internet bubble of the early 2000s, some would argue that maybe we are living through another bubble.”

He pointed to some of the fintech data that has come out recently that has shown a slowdown in funding of fintech. “It doesn’t mean that the market is going to disappear. I think it will just morph into the more reliable or more solid players will continue,” he suggested. “I’m not saying either that the money is coming out of the market. There is also some repositioning there.”

One recurring theme in the p&c space over the past 10 to 12 years has been one notable or sizable transaction per year, Pigeon continued. For 2016, he pointed to Aviva’s acquisition of the RBC General Insurance business “and turned it into a 15-year distribution agreement.”

Another major M&A trend – besides entering a new geographic market, new products, new services or equipping operations with new tools – is accessing new distribution channels.

DISRUPTION

The insurance industry is undergoing structural change with the emergence of platform-based business models and insurers need to ready themselves to be able to take part, Matthew Smith, insurance co-lead for the Global Strategy Group at KPMG, suggested during the firm’s 25th Annual Insurance Issues Conference.

“The insurance industry is facing into a structural change. This is not a cycle; this is a fundamental structural change,” Smith, who is based in the United Kingdom, reported in December during the KPMG event in downtown Toronto.

He spoke about fintech and insuretech developments around the world and what insurers and intermediaries are doing in response.

Consider platform-based business models. “Netflix is probably the biggest provider of cinema content, but owns no cinemas; Uber is the biggest taxi firm, but owns no taxis; Airbnb is one of the biggest providers of accommodation, but owns no hotels,” Smith said.

“This platform-based business model is about connecting and convening and finding easier ways to choose to get to the things that they want,” he told attendees.

One key driver of disruption is client experience. “People demand that experiences that are easy in parts of their lives are repeatable across all the experiences they have in their lives,” Smith said, adding that they are looking for something on par when interacting with insurance companies.

“That interaction doesn’t mean frequency; it doesn’t mean that we’re trying to be in contact with them every day about their insurance policy. That’s not what they’re looking for,” Smith explained. “It means when they have to have those points of interaction, it’s easy, it’s convenient, it’s fast,” he said.

But to get to that point, Smith suggested yet another driver of disruption may come into play: understanding opportunities from disruptors to extract value from the value chain.

“New and emerging insurtechs are really trying to enable incumbent players to be more successful, to be more effective and they actually want to partner and collaborate with you guys,” he said.

“Most of the disruption through insurtechs we’ve seen is in the distribution end of the conversation and the distribution end of the value chain. Why? Because that’s where they see more value to be extracted and more opportunity and lower barriers to entry.”

Smith told attendees that there looks to be opportunity in the emergence of new risks, such as virtual reality.

“These emerging risks provide a fantastic growth opportunity,” he said. “Understanding and responding to these emerging risks is definitely going to be another fuel for growth,” he argued.

Also emerging are on-demand solutions, Smith pointed out. “Whether it’s getting on a flight and having cover for the duration of that flight,” or something else, this is coming, he said.

Things like machine learning, artificial intelligence and sophisticated analytics are “changing the way that we do business. They’ll change to drive efficiency and, therefore, drive profitability, but it also means that it changes the profile of the industry and how we operate,” Smith emphasized.

Capitalizing on available opportunities – and being in a position to be able to do so – makes sense given that it is unlikely the soft market is likely to change anytime soon.

“In order for the market to harden from where it is today and then have (excess) capital go elsewhere, we would need a combination of factors,” Smith explained, such as catastrophe events and interest rate changes.