Address by Director of Insurance Supervision, Domhnall Cullinan, to the Insurance Ireland-Milliman CRO Forum

18 April 2023 Speech


I’d like to thank Insurance Ireland and Milliman for inviting me here today for this Chief Risk Officer (CRO) Forum. I’d like to use this opportunity to briefly reflect on the recent turmoil we’ve seen in the banking sector, what this might mean for (re)insurers, and to highlight some of our supervisory priorities going forward.

Much commentary has already been devoted to the fallout from SVB and Signature Bank in the US, and to the acquisition of Credit Suisse by UBS. Whilst the exposure of Irish (re)insurance undertakings to the banking sector as a whole is significant, direct exposure to these institutions appears much more limited.

Events in recent weeks highlight the importance of financial institutions building and maintaining strong governance and risk management frameworks, of robust board oversight, as well as cultures which prioritise long term, stable performance over short term profits.  Together with EIOPA, the Central Bank is monitoring the situation in the global banking sector closely.

In a period of heightened market volatility as we are currently experiencing, we would expect firms to closely monitor market and credit risks in their investment portfolios, ensuring that these risks are not unduly concentrated within a particular counterparty, sector or region. Adherence to the Prudent Person Principle remains key. Firms should also be vigilant with regard to any exposure they might have through financial lines business written or assumed.

Whilst recent events have dominated headlines, they should not disrupt the Central Bank’s ongoing supervisory engagement, which is fundamental to safeguarding both individual firms and the wider financial system.

On 16 February 2023 Deputy Governor Sharon Donnery and Deputy Governor Derville Rowland wrote to the CEOs of all Irish regulated financial services providers[1] to set out the Central Bank’s key regulation and supervision priorities for 2023. Underpinning these high-level priorities are priorities at a sectoral level. From an Insurance Supervision perspective our priorities for 2023 are (in no particular order):

  1. The implementation of the Individual Accountability Framework (IAF);
  2. Financial Resilience;
  3. Consumer Interests, specifically Payment Protection Insurance (PPI) and Value for Money (VfM) in unit linked products;
  4. Climate Change;
  5. Digitalisation & Technology;
  6. Operational Resilience including Digital Operational Resilience Act (DORA); and
  7. Financial Sanctions.

I’ve already touched on the potential impact of recent events on the financial resilience of (re)insurers so I’d like to take a moment to reflect briefly on the others.

Implementation of the IAF

As many of you will be aware, the Central Bank (Individual Accountability Framework) Act 2023 was signed into law on 9 March, with a public consultation (CP-153) now underway. The implementation of the IAF and the living of the framework by firms and individuals working in them will be an important step in preventing reoccurrence of past issues related to poor governance, lack of consumer focused cultures and weak structures of accountability that have been present in parts of the Irish financial services sector.

Amongst the actions firms should take to prepare for implementation are familiarisation with the inherent and prescribed responsibilities under SEAR, and review of their existing procedures, (in particular those related to Fitness & Probity), as well as comprehensive training for staff to ensure all individuals are familiar with their obligations.

The design of the IAF required some reflection on what the key accountabilities of a CRO should be. For example, the inherent responsibility of a PCF-14 CRO is set out in the IAF guidance as:

“Overall responsibility for managing the firm’s risk function including risk controls, setting and managing risk exposures and reporting directly to the Board on risk management matters”.[2]

Beyond this, the best CROs act as a trusted advisor to the Board, are capable of identifying and assessing the immediate risks facing their firm and risks arising from longer term shifts in our economy and society. These are considerations that insurance supervisors must also take into account.

Consumer Interests*

In relation to consumer interests, there are a number of important initiatives in 2023. I would draw your attention to the Consumer Protection Outlook Report that was published last month by my colleague and Director of Consumer Protection, Colm Kincaid. I would also draw your attention to the ongoing Consumer Protection Code Review. While I appreciate that many of you in attendance here today are CROs for (re)insurers that are not subject to the Code, there are a number of important issues such as digitalisation that are part of the Review that are nonetheless relevant to your business and the Central Bank would welcome your input into the Review.

In addition to the above, during 2023 a thematic review will be carried out of (re)insurers writing credit protection insurance on a cross border basis in response to the supervisory warning issued by EIOPA last year. The Central Bank will also be carrying out further work on foot of the results of the survey of the costs and charges associated with unit linked products that was completed by life companies in Q4 2022. The Central Bank is also attuned to legislative proposals that could have profound social implications and in particular, the introduction of pension auto-enrolment.

Climate Risks

A focus on environmental factors and climate change in particular is a key area of supervisory focus for the Central Bank.  The Bank has established a Climate Change Unit in order to centrally oversee the integration of climate and sustainability considerations into all of its financial regulation and financial stability activities.  We have also established a Climate Risk and Sustainable Finance Forum, which brings together a selection of industry stakeholders and climate scientists with the Central Bank, to build shared capacity and understanding of the implications of climate change and to share best practices.

As supervisors, our current view of the insurance industry is that while some (re)insurers are more advanced in the management of climate change, many others are only starting to consider the implications for their business and the insurance cover they provide. With this backdrop in mind, we have focused our climate change efforts on four main areas during 2023: 

  • First, setting clear expectations: Following a consultation process, the Central Bank has now published Guidance for (Re)insurance Undertakings on Climate Change Risk. The aim of this guidance is to help (re)insurers address climate change risks in their business and to assist them in developing appropriate governance and risk management frameworks. All (re)insurers, whether large or small, should assess and manage the climate change risks they are exposed to, and consider the impact that they themselves are having on the climate through the business that they write, or their investments. The Central Bank considers that (re)insurers have a key role to play in the transition to a more sustainable, climate neutral society.
  • Second, focusing our own supervision on areas and firms with higher climate risk.  Within the Insurance Supervision Directorate, we have developed a ‘Heat Map’ that identifies (re)insurers with greater exposure to climate change risks.  This, in conjunction with training and guidance for supervisors, will enable us to strengthen our engagement with the (re)insurance sector, focussing on areas where risks appear concentrated. 
  • Thirdly, examining how firms are undertaking processes relevant to climate change. In particular, we will examine how natural catastrophe risks are being modelled and managed, including how modelling is being adapted and revised to take climate change risks into account.
  • Fourth, building on the results of the Central Bank's 2021 Climate & Emerging Risk Survey, consider how to better understand the flood protection gap in Ireland both today and into the future.

Identifying and managing the risks arising from the consequences of climate change for the financial system is a strategic priority for the Central Bank and will remain so into the future. 

Digitalisation, Technology & Cyber Risks

A proactive and forward looking approach will be adopted when it comes to digitalisation related topics. (Re)insurers should clearly understand risks, opportunities and challenges presented by innovation and the rapidly evolving technological landscape within which they operate (both to their own business models, and from the perspective of consumers).  In particular, the Central Bank’s focus will be on: 

  • Analysis of responses to the digitalisation survey issued to a sample of Irish (re)insurers in Q4 last year, complementing previous work undertaken in relation to data ethics. Overall, the survey results indicate that the Irish (re)insurance sector is currently at a relatively early stage regarding the digitalisation of business models and adoption of innovative technologies, and that the pace of change over the next three years will be ‘moderate’ rather than ‘transformational’ in most instances. This contrasts somewhat with other parts of the financial services sector, and is perhaps reflective of lower levels of (re)insurance ‘disruption’ to date. Whilst it is acknowledged that the level of digitalisation, and the type of innovative technologies deployed, vary significantly from firm to firm, all firms need a clear strategy, and robust oversight is fundamental as digitalisation progresses. This analysis will inform our supervisory strategy and support relevant engagements in relation to digitalisation.

Further work will focus on enhancing supervisory resources, capabilities and oversight of technology and digitalisation. The Central Bank is actively engaged with Insurtech firms, through its Innovation Hub, and plays an active role in EIOPA’s work in relation to Fintech and Digitalisation.

Operational Resilience & DORA

The shift to a digital economy brings with it an increased dependence on technology to support critical business processes, and an increased vulnerability to cyber threats. The digitalisation survey revealed that 84% of respondents have a material dependence upon a ‘big tech’ provider. The majority also rely upon the wider group to support their digital transformation. It is critical that vulnerabilities to critical business services are identified, in line with the Central Bank’s Cross Industry Guidance on Operational Resilience which comes into effect in December 2023. Firms should now be in the process of developing their Operational Resilience Frameworks, identifying their critical or important business services and determining the impact tolerances for those services. 

At a European level, DORA entered into force in January of this year, and will apply in full from January 2025, aiming to harmonise digital resilience in the European Union. 

DORA is a cross-sector regulation, harmonising existing sectoral regulations and applying to all regulated financial firms. It aims to mitigate technology and cyber risk by enhancing firms’ technology and cyber risk management and resilience. It creates a regulatory framework whereby all firms in the financial sector need to make sure they can withstand, respond to and recover from Information and Communication Technology (ICT)-related disruptions and threats, including of course cyber attacks. And it will bring within a new “oversight” framework critical third party providers of ICT-related services – such as cloud services - to financial firms.[3]

Under Solvency II, the Central Bank is the Competent Authority for supervision of DORA for the (Re)insurance sector.

The regulation specifies that (re)insurance firms:

  • shall have in place an internal governance and control framework that ensures an effective and prudent management of ICT risk;
  • shall define, establish and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents;
  • shall establish, maintain and review a sound and comprehensive digital operational resilience testing programme as an integral part of the ICT risk-management framework; and
  • shall manage ICT third-party risk as an integral component of ICT risk within their ICT risk management framework.

Firms should recognise similarities between a number of key DORA requirements and existing Central Bank guidance in relation to Outsourcing[4], Operational Resilience[5] and IT & Cybersecurity Risks[6].

EIOPA are working with the EBA and ESMA jointly on the construction of the related Regulatory and Implementing technical standards – further specifying the detail of the ICT Risk Management Framework, ICT Outsourcing requirements, Advanced Threat Led Penetration Testing[7] (for a subset of firms), Incident Reporting, the setup of the new oversight framework and a number of reports, calls for advice and a feasibility study on a centralised EU hub for ICT incidents.

This work is being carried out by a cross committee of the European Supervisory Authorities (EBA, EIOPA and ESMA) known as the Joint Committee Sub-Committee on Digital Operational Resilience, which is chaired by Gerry Cross. I draw your attention to his recent speech on the topic [8] and to the anticipated timeline of the ESAs’ public consultations on the content of these measures in two packages, one over the summer and one later in the year.

Many of the DORA requirements will already feature within robust risk management frameworks. With that said, other requirements, for example around identification and reporting of major ICT incidents, will be new.

Whilst 2025 might seem some time away, the Central Bank would urge firms to pay close attention to the Regulation[9] and Directive[10], and to the more detailed Regulatory Technical Standards, as these become available.  

Financial Sanctions

We all remain acutely aware of the suffering that war is visiting upon the people of Ukraine. The Central Bank would remind firms of the importance of compliance with the various financial sanctions now in place [11]. Continued vigilance and monitoring is essential.

Conclusion

Let me conclude there. I hope my remarks today have given you a sense of what the recent turmoil we’ve seen in the banking sector may mean for (re)insurers.  Also, from an Insurance Supervision perspective, it has been a welcome opportunity to highlight some of our supervisory priorities going forward.

I am looking forward to discussing these and other topics with my fellow panellists along with answering your questions.

Thank you.

Acknowledgments

 I would like to thank Brian Balmforth, Anne-Marie Butler, Emily Duffy, Alan Shaw, Declan Costello, Darren Connolly, Chris Joyce, Ann Muldoon, Miriam Brosnan and Odran Fanning for their assistance with this speech.

 

*[Text in this section was altered after publication due to a change on delivery]

[1] Dear CEO Letter - Central Bank's key regulation and supervision priorities for 2023

[2] https://www.centralbank.ie/docs/default-source/publications/consultation-papers/cp153/annex-2-to-the-consultation-paper-153-draft-guidance-on-the-individual-accountability-framework.pdf?sfvrsn=a32b991d_4

[3] https://www.centralbank.ie/news/article/implementing-dora-gerry-cross-28-march-2023

[4] https://www.centralbank.ie/docs/default-source/publications/consultation-papers/cp138/cross-industry-guidance-on-outsourcing.pdf

[5] https://www.centralbank.ie/docs/default-source/publications/consultation-papers/cp140/cross-industry-guidance-on-operational-resilience.pdf

[6] https://www.centralbank.ie/docs/default-source/news-and-media/speeches/cross-industry-guidance-information-technology-cybersecurity-risks.pdf?sfvrsn=f3e7da1d_2

[7] Applicable only to more systemically important firms (selection criteria to be defined in the RTS)

[8] https://www.centralbank.ie/news/article/implementing-dora-gerry-cross-28-march-2023

[9] Regulation EU 2022/2554

[10] Directive EU 2022/2556 (DORA Amending Directive)

[11] https://www.centralbank.ie/regulation/how-we-regulate/international-financial-sanctions/changes-to-the-russia-ukraine-regulations