2022 - IAIS - Insurance Sector Operational Resilience

  • 2023 0104 - NAIC - International Insurance Relations (G) Committee, Public Webex Meeting
    • Topic: Call to review and approve submission of NAIC comments on the International Association of Insurance Supervisors’ (IAIS) public consultation on the Issues Paper on Insurance Sector Operational Resilience. 
  • absence of a common taxonomy
  • Red Team

  • Critical Operations - Definition?
  • (p5) - 9. UK - This approach acknowledges that blind spots can act as a substantial step towards shocks and disruptions becoming reality.
    • [BonkNote]
  • (p5) - 10. In 2020, in the United States (US) the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation (“the agencies”) defined operational resilience in guidance as “the ability to deliver operations, including critical operations and core business lines, through a disruption from any hazard.”
    • The agencies explain that operational resilience is the outcome of effective operational risk management, combined with sufficient financial and operational resources to prepare, adapt, withstand, and recover from disruptions.
  • (p5-6) - 11. Drawing from these definitions, operational resilience can be considered as an outcome that emerges from a wide array of practices and disciplines currently used by insurers.
    • An operationally resilient insurer is one that can encounter, withstand, mitigate, recover and learn from the impact of a broad range of events that have the potential to disrupt the normal course of business by impacting critical operations or systems.
      • Operational resilience rests upon the assumption that disruptions will occur and that insurers should consider their tolerance for such disruptions and take this into account when devising their operational framework.
  • (p6) - 13. Sections 3.1 and 3.2 outline overarching issues, focusing in particular on the importance of sound governance to effective operational risk management, and the benefits of information sharing including public/private collaboration.
    • [BonkNote] - 
        • E. J. Moorhead: The first step the industry has to take is to recognize the things that we have debated.
          • These are all controversial questions and we cannot deal with them as if we are sheep without a bellwether.
          • There is bound to be a controversial element in anything that enlightens the public to these differences and gives them a more intelligent basis for choice than they have at the present time.
          • As long as we are committed institutionally to unity, we are unlikely to be able to take the first necessary step.
        • 1977 - SOA - Debate: "Resolved... The Life Insurance Business, As Transacted Today, Is In Its Terminal Stages", Society of Actuaries - 14p
  • (p6) - 15. Section 3.4 outlines challenges associated with assessing concentration risk as a critical issue, given the increased complexity of the financial sector and the reliance on Information Technology (IT) third-party outsourcing.
  • (p6) - 16. Section 3.5 sets out the challenges associated with the need for BCM approaches to evolve to meet the realities of today’s environment, including in response to the pandemic.
  • (p6) - 17. Section 4 outlines a number of aspects of the risks related to cyber resilience, IT third-party outsourcing and BCM – based on observations discussed in preceding sections – that may benefit from future consideration or further analysis by insurance supervisors.
  • (p7) - 18. ---  The ICPs thus serve as a natural starting point to identify foundational elements to ensuring an insurer’s operational resilience.
  • 2 Applicability of ICPs to operational resilience
    • 19. In general, the ICPs are drafted in such a way that they address a variety of risks, including operational risk; however the ICPs do not expand on the scope of the term operational resilience.
      • For example, the ICPs reference the use of IT systems and outsourcing but do not specifically address how these contribute to an insurer’s operational (including cyber) risks more widely.
      • Likewise, although the ICPs reference the identification and management of cyber risk they do not expand on the links between cyber risk management and an entity’s IT systems and processes.
    • 23. A key supervisory development in recent years has been a move to consider operational resilience as an outcome, which is the ability of an entity to deliver critical operations through disruption.
      • Building on the principles-based nature of the ICPs, it could be useful to explore the umbrella concept of operational resilience as an outcome and to discuss and/or set out the links between this outcome-based approach to cyber resilience, IT third-party outsourcing and BCM.
  • (p8) - 3 - Key issues and supervisory approaches
    • 25. This section sets out a range of overarching issues for insurance supervisors, relating to significant and increasing areas of operational risk and spanning across the sub-topics of cyber resilience, IT third-party outsourcing and BCM.
  • (p8-10) - 3.1 - Governance and Board accountability
    • (p8) - 30. The ICPs emphasise the importance of robust governance structures that enable insurers to identify and respond to emerging risks and adapt to changing environments.
    • (p9) - 32. Recognising that operational disruptions can have widespread impacts across an organisation, the provision of appropriate training across relevant groups within an organisation could facilitate the sound implementation of an operational resilience framework. 
    • (p10) - Functional groups within an entity share a coherent understanding and articulation of the entity’s approach to operational resilience, including understanding their roles and responsibilities and how their work or actions interact and impact one another;
  • (p10) - 3.2 Information collection and sharing among supervisors, public/private collaboration
    • 39. To gather this information, some supervisors proactively engage with an entity’s Board and Senior Management to understand the effectiveness of an entity’s operational resilience framework.
      • Maintaining an open and constructive communication channel can also aid both supervisors’ and insurers’ understanding of emerging issues of potential concern related to operational resilience.
      • [BonkNote] -
        • 1871 - Albert W. Paine - Maine Superintendent of Insurance
          • 1871-1, NAIC Proceedings (National Insurance Convention)
            • (p13 / 44) - We are here as a grand jury of inquest on the insurance body—not for indictment, but to find the best system for practice, and I feel that we want the utmost information that we can get, let it come from whence it will.
            • I will thank any man in the United States, let him be who he will, to come forward and give any light when these subjects are under discussion...
  • (p10) - 3.2.2 Supervisory approaches
    • 42. In some jurisdictions, regular forums for timely and constant exchanges of information on operational resilience have been put in place.
      • These forums allow discussions on the current landscape, sources of risks or threats, mitigating strategies and measures, incidents that have occurred and lessons learnt.
      • Various approaches are taken depending on whether participation is limited to supervisory authorities and/or inclusive of the insurance sector.
      • Such information sharing forums in some cases also provide a platform for exploring solutions to skills gaps/training needs, as well as on how technology could be used in detection and information dissemination to better facilitate communication and coordination, in particular during crisis situations.
        • [BonkNote]
    • (p11) - Examples of forums that have been created to encourage information sharing on operational resilience:
    • (p12) - 45. Though the benefits of information sharing on operational resilience among insurance supervisory authorities, within the sector, and among authorities and insurers are well known, such initiatives nevertheless appear to be limited at present.
      • In this regard, supervisory colleges could provide a framework for supervisory cooperation and information sharing.
      • Examples of potential barriers identified by the IAIS to effective information sharing include:
        • The absence of a common taxonomy, which can make it difficult for supervisors to communicate effectively across jurisdictions, and can also make it difficult to gain a consolidated view on operational resilience trends, gaps and opportunities;
          • [BonkNote] - 
              • I then said, "No, read the agreement. We're not going to ask for that kind of thing."
              • I was prepared to say, although I couldn't commit us to this, that anything that was used up we never would ask them to pay for.
              • Later we had a terrific argument over the difference between "used up" and "used."
              • They translated the agreement into Russian using the word that we would have called "used," that is, not new.
              • So, when we got into negotiations with them and said that they must return some things which were not "used up," they thought we were using the word "used."
              • Therefore, they said, "Well, these have been used."
        • Concerns on data protection and privacy laws that limit or prevent the sharing of information beyond an entity or jurisdiction;
        • The complexity and cost of organising and implementing formal cross border information sharing exercises; and
        • The inability of supervisory authorities to obtain/share relevant information due to their legal mandate.
    • (p12) - 3.3.2 - Supervisory approaches
    • (p17) - 61. - Red Team Tests – involve entities challenging their internal and external dependencies through the use of red teams to introduce an adversary’s perspective in a controlled setting.
      • Red teams serve to test possible vulnerabilities and the effectiveness of the entity’s mitigating controls.
      • A red team may consist of an insurer’s own employees and/or outside experts, who are in either case independent of the function being tested.
        • [BonkNote] -
          • Alexander C. Humphreys, President of Stevens Institute of Technology
            • I have been present at such meetings more than once when the whole course of a debate on some important question was changed by the halting remarks of some man who was reluctantly moved by a compelling sense of responsibility to combat theories and statements which had been glibly presented and generally accepted and which he knew to be erroneous, wholly or in part.
            • 1920 - Proceedings of the Association of Life Insurance Presidents - Annual Meeting, Life Insurance Association of America: Volume 14
  • (p19) - 3.5 - Business continuity management
    • (p19) - 78. The insurance sector is composed of a multitude of interconnections and interdependencies between various systems, participants, and service providers. An operational disruption, slowdown or interruption in the activities of an insurer or any of its service providers could jeopardise its ability to meet its commitments to its insureds and other partners.
      • Given these interconnections and interdependencies as well as the complex functioning of the sector, it is imperative that insurers adopt sound and prudent management practices to ensure business continuity in the event of an operational incident.
    • (p19-20) - 81. A sound BCM framework helps the insurer ensure that it has the capability to operate during disruptions.
      • It allows the insurer to contribute to the achievement of its strategic objectives and protects and strengthens its credibility and reputation.
      • It improves the ability to remain effective during disruptions and helps to reduce the direct and indirect costs of disruptions while taking into consideration the expectations of interested parties, building their confidence in its ability to succeed.
        • [BonkNote] -
        • 1991 0717 and 0724 - GOV (House) - Life Insurance Solvency Issues
          • (p70) - Cardiss COLLINS (D-IL). Just a couple of quick questions.
            • Mr. Weiss, what do you think the significance of liquidity is with respect to the solvency of life insurance companies?
          • Martin Weiss (Weiss Research). Liquidity has always been an important factor behind the scenes and now it's becoming a very important factor right here and now.
          • Cardiss COLLINS (D-IL). Well, I am concerned because of the runs that we seem to be having both in other places and particularly in Chicago.
          • Martin Weiss (Weiss Research). The companies should have on hand sufficient liquidity to cover the potential demands that policyholders may make.
            • Either that or you need to disclose ahead of time to the consumer that his investment may not be liquid.
            • If you have no surprise, you will not have any panics.
    • (p20) - 82. Best practices for BCM have evolved in line with changing operating environments, as well as in response to the pandemic.
      • The following aspects of BCM are identified as challenges that could benefit from further analysis and/or cooperation amongst supervisory authorities:
    • (p20) - 3.5.1 - Lessons learnt from the pandemic
      • (p20) - 88. The following developments over the past few years have contributed to elevating the importance of insurers having in place a sound BCM framework:
        • (p21) - Shift from a short-term focus on temporary disruptions to the consideration of business resilience over various time frames (eg immediate, short, medium and long term);
        • (p21) - Growing customer expectations in relation to the time to recovery and level of recovery, and in terms of effective communication from insurers – ie when a disruption occurs, progress in recovering, and mitigation measures to ensure they can still get serviced and notification of when services are restored;
      • 89. Based on directed consultations with external experts, while these developments coincided with the timing of the pandemic, these themes also existed pre-pandemic.
        • Nevertheless, it was generally acknowledged that many of these developments grew in importance more rapidly due to the pandemic experience.
    • (p21) - 3.5.2 - Supervisory approaches
      • (p21) - The importance of support from the Board and Senior Management to set the tone at the top, set the strategic direction with regards to BCM and its implications for operational resilience, and establish risk tolerance statements.
        • Integration of the BCM system requirements across business functions to identify business continuity risks associated with interconnected functions and to minimise silos;
        • Increasing the breadth and frequency of vulnerabilities assessments to help ensure a thorough knowledge of critical business services and the relevant interconnections between strategic investment decisions and everyday operations;
        • Robust periodic testing of BCPs, including data backup, using severe but plausible scenarios, disaster recovery frameworks and incorporating lessons learnt from test results;
        • Appropriate communications and crisis management capabilities;
        • Extension of expectations for BCM to outsourcing solutions at insurance companies;
        • Regular review of the entire BCM process, to ensure that it is a dynamic risk management tool; and
        • Regular touchpoints with entities to discuss ongoing developments/risks relating to BCM.
      • (p22) - 4 - Summary of observations and potential future areas of IAIS focus
        • (p22) - Information sharing
          • (p22) - 93. To facilitate information sharing among insurers, supervisors and throughout the insurance sector more widely, it could be helpful to explore how definitions and terminologies relevant to operational resilience could be better aligned.
          • This could help minimise the unintentional use of the same terms to refer to different concepts or the use of different terms.
          • [BonkNote] - Arthur Fliegelman (Vice President of the Bond Portfolio Analysis Group for Salomon Brothers in New York, NY)
          • THE TOWER OF BABEL REVISITED
            • The individuals involved in drafting the investment law come from a variety of professional backgrounds, with attorneys predominating among industry representatives.
            • In contrast, few regulators have a legal background. Some of the issues have been bitterly disputed.
            • The differences seem to lie mostly in semantics.
            • These linguistic differences compounded the already difficult development process.
            • 1995 - SOA - NAIC Model Investment Law - Society of Actuaries - 20p
          • discussing and understanding relevant issues.

        • (p23) - Business continuity management
          • (p23-24) - 98. There may also be value in exchanging information on best practices and methodologies used by supervisors, including:
            • (p24) - The scope of BCM, which could be extended to a wider range of incidents and business operations than have been contemplated in the past.
            • Expanded sets of scenarios and stakeholders could also be considered within the scope of robust and regular business continuity exercises and testing, to demonstrate the ability of an entity to withstand severe but plausible disruptions; and
      • (p24) - In addition, the IAIS is seeking feedback on some targeted questions that will be used to inform potential future work on this topic.
        • Are there additional observations for potential future IAIS focus that you view as important to address with respect to insurance sector operational resilience, and which have not been identified in this Issues Paper? 
        • Do you find value in the IAIS facilitating cross-border information sharing to collect information to facilitate a dialogue on operational resilience exposures and best practices?
          • Would you be willing to participate?
        • [BonkNote] - 
    • (p25) - Annex 1: Main insights from stocktake of SSB publications
      • (p26) - 11. Business continuity exercises should be conducted under a range of severe plausible scenarios and support staff’s operational resilience awareness.
      • 12. Forums that facilitate the sharing of information on best practices would be beneficial in respect of systemic operational risks.
        • This is in particular relevant to how an entity can assess and mitigate its vulnerabilities to threats to a critical IT third-party service provider’s business continuity and disaster recovery mechanisms.