For insurers, brokers and their clients the topic of operational resilience has taken on greater urgency in recent weeks. For those in the insurance industry the threat is both internal and external, with firms having to ensure their own resilience whilst working with clients to mitigate that of their policyholders.

While regulators have been increasing the pressure around resilience in the face of the challenges presented by COVID-19, events in the past two weeks have highlighted that an organisation’s resilience can be tested in other ways than how it has navigated the economic impact of the pandemic.

The cyber-attack on the Colonial Pipeline in the United States which impacted the delivery of fuel, and with it energy across much of the US East Coast is a case in point on the potential scale of the disruption that can be caused when a firm’s resilience is found wanting. For insurers they now face significant claims around Colonial’s cyber cover and business interruption for the businesses, which were impacted because of the disruption to fuel supplies.

But the operational resilience tests have also been closer to home. The pandemic and the enforced lockdown in the UK left BIBA with little choice but to move their annual conference from an event which attracts thousands of delegates to Manchester to a virtual event. Despite rigorous tests with 1,000 trial users the day before the event when the official opening began, the system crashed leaving delegates with little or no access to the events or the online meetings they had arranged for much of the first day of the two day event.

This was followed by a cyber-attack on the Asian operations of French insurance giant AXA. The ransomware attack affected the IT network and operations of AXA Assistance in Thailand, Malaysia, Hong Kong, and the Philippines. The attackers claimed to have stolen three terabytes of data, including customers’ personally identifiable information and medical records, of which a few were disclosed. AXA says that there is no evidence that data was accessed beyond that of Inter Partners Asia, a partner assistance company, in Thailand.

Where the insurance industry had an additional burden is the determination of regulators to ensure that they are resilient enough to meet the claims of their clients. Earlier this month Lyndon Nelson, Deputy CEO of the Prudential Regulation Authority, explained the UK’s financial services regulators would be taking a united approach on the issue of operational resilience whatever the shape the regulatory environment post Brexit. Mr. Nelson warned the UK’s future operational resilience regulation will take an ‘outcome-based’ rather than a ‘safe harbour’ approach, saying that the latter’s “rigid and overly prescribed regimes are just what we need to avoid for a risk that is constantly evolving”, and where key parts of it (such as cyber-risk) actually has a conscious opponent seeking to do harm.

“The word in the policy documents that is doing a lot of work here is ‘sophistication’”, said Mr. Nelson. “Yes, we are asking and expecting firms to have done quite a bit by 31 March 2022, but is it ultimately going to be everything that we expect firms to do? No. We understand and expect that tasks such as mapping and testing will evolve and will grow in sophistication over time. So by 31 March 2022, I would expect that you will be able to set out a compelling gap analysis. You will know where your major shortcomings are and therefore which areas need more work.” He added that UK regulation will make a clear distinction between operational risk and operational resilience, treating operational resilience as an outcome. Regulators added that it will use regular scenario testing to ensure resilience.

The issue for the insurance industry remains that it needs to address operational resilience on two fronts. Ensure that it does not fall victim to the operational resilience risks its clients also face, whilst ensuring they have the resilience to support those clients when claims are made. It adds up to a compelling argument for firms to devote additional resources to enhancing resilience as the issue continues to be pushed higher up the corporate agenda.

For more information on operational resillience, please contact Chris Butcher, CEO of Intermediary Services on chris.butcher@davies-group.com.