Digital Risk Management in Insurance Sector 16.10.PDF
Document Details
POLIMI Graduate School of Management
Valerio Scacco
Summary
This document covers digital risk management in the insurance sector, including underwriting, pricing factors and silent cyber risks. It also examines the role of risk management in insurance, governance and the ORSA process. It then explores non-financial risks in insurance, focusing on operational risks and methodologies for measuring operational risk (including digital risk), and the insurer's stance on non-financial risk, including cyber risk.
Full Transcript
MILAN 15/10/2024 VALERIO SCACCO PARTNER, PWC
iMiFRIM - International master in financial risk management

Speaker: Valerio Scacco, Partner – Actuarial Services. Tel: +39 392 9593783. Email: [email protected]
Actuary, PhD, with multiple years of experience in Risk Management in the insurance sector. Further expertise in modelling of the solvency capital requirement within the Solvency II framework and participation in various implementation and validation projects in the area of operational risk.

Digital Risk Management in Insurance Sector – agenda
- Role of Risk Management in Insurance: governance in the regulatory context; Pillar I: general principles and standard formula; Pillar II: overview and the ORSA process
- Non-financial risk in insurance (approaches and the role of risk management): non-financial risks with the focus on operational risk; methodologies for measurement of operational risk (incl. digital risk) – Scenario-Based Approach (SBA); SBA process: identification, selection, analysis, modelling and aggregation
- The Insurer's stance on non-financial risk, including digital risk: cyber risk; definition; what, whom and how it impacts; overview of the market: supply and demand considerations
- Underwriting in the insurance sector: cyber risk; pricing factors; silent cyber risks
- CASE STUDY / INTERACTIVE DEMO

Role of Risk Management in Insurance – Example of Governance Structure in an Insurance Firm
- Board of Directors
- Internal Audit Function (a third line function): in charge of monitoring and assessing the effectiveness and operational efficiency of the system of internal control, risk management and compliance.
- Chief Executive Officer
- Actuarial Function, Risk Management and Compliance Function: second line functions.
- First line assurance functions (HR & Organization, Chief Financial Officer, Corporate Finance, Chief Insurance Officer, Chief Investment Officer, Strategic Planning, Chief Marketing Officer) exist within each operational unit to ensure that internal processes and procedures have been subject to verification and review before being presented to Senior Management and the Board of Directors.

Role of Risk Management in Insurance – Stages and Objectives of Risk Management
Exploring the role of the risk management function in an insurance company, let's first look at the definition provided by Regulation 20/2008 (modified and integrated by IVASS Directive of 15 April 2021, number 17).
Art. 21 Regulation 20/2008 (modified and integrated by IVASS Directive of 15 April 2021, number 17): the company establishes a risk management function which is proportionate to the nature, extent and complexity of the risks inherent in its activities and that:
a) contributes to the definition of the risk management policy, defines the criteria and the associated methodologies for risk measurement and defines the outcome of the assessments submitted to the Administrative Body. The latter, after having discussed and approved these, communicates them to Senior Management and other relevant stakeholders (approval of the current and prospective risk assessment policy);
b) contributes to the definition of the operational limits defined for business units and defines the procedures for the timely verification of these limits;
c) validates the information flows necessary to ensure timely control of risk exposures and the immediate reporting of detected breaches;
d) carries out assessments, from a current and future perspective, of the risk profile of the company and reports the most significant actual and potential risks to the Administrative Body (i.e. the risks whose impact may undermine the solvency of the Company or seriously impede the achievement of corporate objectives);
e) prepares reports to the Administrative Body, Senior Management and the Heads of business units in relation to the evolution of risks and the breaches of the agreed operational limits;
f) verifies the consistency of risk measurement models with the business operations and contributes to the performance of quantitative analyses in line with the nature, extent and complexity of the risks inherent in the business activity; and
g) monitors the implementation of the risk management policy and the general risk profile of the company.
Role of Risk Management in Insurance – Risk Management under Solvency I and Solvency II
Solvency I had some limitations in relation to Risk Management:
- The capital requirements were determined on the basis of technical elements (Reserves, Insured Capital, Premiums, Claims)
- It did not consider the risk exposures of the company in relation to assets and liabilities
- It did not take into account the specific risks of a company
- It did not take into account the capital absorption linked to financial, counterparty and operational risks
- It did not take into account the quality of the Risk Management and Internal Control functions
Solvency II defines a new solvency regime based on principles instead of rules, harmonizing supervisory practices at the European level:
- Places greater emphasis on the quality of risk management and the soundness of internal controls (risk-based approach)
- Defines the capital requirement as the result of a forward-looking valuation
- Takes into account financial, technical, counterparty and operational risks
- Introduces a joint risk management approach for assets and liabilities
- Framework consisting of three pillars: Pillar I (SCR), Pillar II (ORSA), Pillar III (QRTs). The Risk Management activity is part of Pillar II in particular.

Role of Risk Management in Insurance – Regulatory Context
- First level measures: Solvency II Directive; Omnibus II Directive. Primary Italian legislation – adoption of the Solvency II Directive: New Private Insurance Code (CAP).
- Second level measures: Delegated Acts 2015/35; amendments to the Delegated Acts; first set of ITS; second set of ITS in the process of approval. No integration into national legislation.
- Third level measures: first set of guidelines; second set of guidelines. IVASS Regulation – adoption of the third-level measures: review of regulations; letters to the market.
The new regulations, introduced over the recent years, have led the banking and insurance industries to look deeper into the subject of risk management. This resulted in an improvement of internal risk management practices within insurance companies and greater stakeholder protection.

Role of Risk Management in Insurance – Overview of the Three Pillars of Solvency II
- Pillar 1 – Capital and Solvency: asset valuation; liability valuation; Solvency Capital Requirement; tiering of own funds.
- Pillar 2 – Governance and Control: corporate governance; internal control; risk management; ORSA; Risk Appetite Framework (RAF); risk policy; capital management; supervisory procedures and powers.
- Pillar 3 – Disclosure: regulatory reporting requirements – QRT & RSR (Regular Supervisory Report); market disclosure requirements (public disclosure) – SFCR (Solvency and Financial Condition Report).

Role of Risk Management in Insurance – SII – Pillar I: General Principles (1/2)
Art. 75 Solvency II Directive – Valuation of assets and liabilities. Member States shall ensure that, unless otherwise stated, insurance and reinsurance undertakings value assets and liabilities as follows:
a) assets shall be valued at the amount for which they could be exchanged between knowledgeable willing parties in an arm's length transaction (fair value);
b) liabilities shall be valued at the amount for which they could be transferred, or settled, between knowledgeable willing parties in an arm's length transaction (fair value).
When valuing liabilities under point (b), no adjustment to take account of the own credit standing of the insurance or reinsurance undertaking shall be made.
The basic approach to valuation under Solvency II is the Mark to Market approach (based on available market prices, referring to ordinary transactions, and provided by independent sources). If it is impossible to apply the Mark to Market approach, Mark to Model techniques must be used. Methodologies consistent with "pricing" techniques should be used and the utilisation of observable inputs should be maximised.
Provisions in relation to technical reserves: the value of technical reserves corresponds to the current amount insurance and reinsurance companies would have to pay if they were to immediately transfer their insurance and reinsurance obligations to another insurance or reinsurance company.
[Figure: Pillar 1 valuation of assets and liabilities. Where a market value is available: Mark to Market → fair value. Where no market value is available: Mark to Model → fair value.]

Role of Risk Management in Insurance – SII – Pillar I: General Principles (2/2)
Art. 101 Solvency II Directive – Calculation of the Solvency Capital Requirement. The Solvency Capital Requirement (SCR) shall be calculated on the presumption that the undertaking will pursue its business as a going concern. The SCR shall be calibrated so as to ensure that all quantifiable risks to which an insurance or reinsurance undertaking is exposed are taken into account. It shall cover existing business, as well as the new business expected to be written over the following 12 months. With respect to existing business, it shall cover only unexpected losses. The SCR shall correspond to the Value-at-Risk of the basic own funds of an insurance or reinsurance undertaking subject to a confidence level of 99.5% over a one-year period.
The Solvency Capital Requirement shall cover at least the following risks:
a) Non-life underwriting risk;
b) Life underwriting risk;
c) Health underwriting risk;
d) Market risk;
e) Credit risk;
f) Operational risk.
Operational risk as referred to in point (f) of the first sub-paragraph shall include legal risks, and exclude risks arising from strategic decisions, as well as reputational risks.
[Figure: probability distribution of the Net Asset Value, gross and net of reinsurance (original Italian title: "Distribuzione di Probabilità del Net Asset Value Lordo e Netto Riassicurazione"). Shown: the densities f(x) of the gross NAV and of the net NAV, their expected values E[NAV], the 0.5% percentile of each, and the resulting gross SCR and net SCR as the distance between expected value and 0.5% percentile; x-axis in millions.]

Role of Risk Management in Insurance – SII – Pillar I: Standard Formula – Definitions
Solvency II offers companies the possibility to calculate their solvency capital requirement (SCR) using a standard formula or a proprietary internal model.
✓ The SCR in the Standard Formula (SF) is calculated using a modular approach for individual risks. For each sub-module, the SCR is determined through a Scenario Testing Approach or through a Factor Based Formula.
✓ The SCR relating to Modules and Sub-modules is aggregated through specific Correlation Matrices, in order to obtain the Company's basic solvency capital requirement (BSCR).
✓ The BSCR is corrected by applying adjustments for the loss-absorbing capacity of technical provisions and deferred taxes.
Regulatory references – Delegated Acts (modules and sub-modules):
- Underwriting Non-Life – Artt. 114 - 135
- Underwriting Life – Artt. 136 - 143
- Underwriting Health – Artt. 144 - 165
- Market Risk – Artt. 164 - 188
- Counterparty default Risk – Artt. 189 - 202
- Operational Risk – Artt. 203 - 204
- Adjustments to BSCR – Artt. 205 - 207

Role of Risk Management in Insurance – SII – Pillar I: Standard Formula
The key role of the Risk Management System is the identification and measurement (Risk Assessment) of the risks to which a Company is exposed. The following list of main risks is based on the classification provided by the Regulator:
- Underwriting and reserving risks (Life, non-life, health): risk arising from the underwriting of insurance contracts and the associated insured events, pricing and selection of risks and unfavourable loss developments in comparison to loss estimates. The definition also includes the risks associated with the insufficiency of reserves to cover insurance commitments.
- Market risk: risk of losses due to changes in interest rates, equity prices, exchange rates and property prices.
- Credit risk: risks related to contractual breaches by the issuers of financial instruments, reinsurers and other counterparties.
- Operational risk: risk of losses arising from inadequate or failed internal processes, people and systems, including distance selling, as well as from external events, such as fraud or activities of third-party service providers.

Role of Risk Management in Insurance – SII – Pillar I: Standard Formula – Scenario vs Factor
✓ The SCR in the Standard Formula is calculated using a modular approach on individual risks. For each Sub-module, the SCR is determined either with a Scenario Testing Approach or with a Factor Based Formula.
Scenario Approach (SA): the capital requirement for each single Sub-module is expressed in terms of the impact on Basic Own Funds (BOF) caused by a stress on the source of risk, i.e. as the difference between the value of the BOF estimated under the Central Hypothesis (CI) scenario and the BOF estimated under the stressed scenario (99.5th percentile of the probability distribution of the assessed risk):
SCR = BOF_{BC} - BOF_{Stress}
[Figure: base case (BC) vs stressed Solvency II balance sheet. MV Asset = balance sheet assets valued in line with Solvency II principles (market value consistent); MV Liabs = balance sheet liabilities valued according to Solvency II principles (market value consistent); BOF = net Solvency II capital. The reduction of BOF from base case to stress is the SCR.]
Factor-based Formula (FBA): the capital requirement is calculated as a function of factors applied to represent the risk exposure of a company:
SCR = f(G_1, G_2, \dots, G_n)

Role of Risk Management in Insurance – SII – Pillar II: Overview
Pillar II articles of the Solvency II Directive: General Governance Requirements (Art. 41); Fit & Proper (Art. 42-43); Risk Management (Art. 44); ORSA (Art. 45); Internal control (Art. 46); Internal Audit (Art. 47); Actuarial Function (Art. 48); Outsourcing (Art. 49).
Pillar II – Objectives: defines a governance and control framework as well as process and reporting requirements, including:
- A correct approach to the management and control of the risks that the company is exposed to, by way of the introduction of a system for management and control of risks (RMS) integrated in all business processes and involving all key organisational functions, including the Board of Directors.
- Risk-based approach: governance, risk management and assessment of capital adequacy (current and forward-looking) support both the strategic corporate planning and the business decision-making processes.
Pillar II – Main elements
✓ Review of the corporate governance structure, allocating the ultimate responsibility for the completeness, operation and effectiveness of Risk Governance (organisation structure and internal control) to the Board of Directors.
✓ Review of the risk management systems, processes and tools (analysis, measurement, monitoring and mitigation).
✓ Establishment of the Actuarial Function, an important control function for the reserving process. It expresses its opinion on pricing and reinsurance.
✓ Implementation of the Own Risk and Solvency Assessment (ORSA) – an instrument for risk management, an important component of the RMS and of regulatory reporting. The purpose of the ORSA is to verify the capital adequacy of the company for all risks that the business is exposed to currently and in the future over the business planning period. The coverage of risks should not be limited to the risks captured in the Standard Formula.
✓ Formalisation of a wide set of written policies in relation to risk management and the system of internal control, approved by the Administrative Body and reviewed once a year.

Role of Risk Management in Insurance – SII – Pillar II: ORSA Process and Policy
Key elements of the ORSA process – the ORSA documentation includes at least:
✓ ORSA Policy: policy for the assessment of current and future risks and solvency.
✓ ORSA Evidence: evidence that allows reconstructing each assessment, ensuring the traceability of judgements and supporting information.
✓ Internal reporting, the level of detail of which is defined by the company.
✓ ORSA Report: the ORSA report for the regulator (Supervisory Authority) referred to in Article 306 of the Delegated Acts.
ORSA Policy – the risk and solvency assessment policy must include at least:
✓ a description of the processes and procedures for performing the ORSA, including the methods that the company uses to define a "significant risk";
✓ an illustration of the link between the risk profile of the company, the approved risk tolerance levels and the total solvency requirement, including in the medium-long term (Risk Appetite Framework);
✓ a description of the methods used, including information on: the method and the frequency of the quantitative analyses performed (which include stress tests, sensitivity analyses, reverse stress tests and other relevant analyses); data quality standards; the adequacy of the ORSA frequency, taking into account the risk profile of the company and the volatility of its overall solvency needs with respect to its capital situation; the timing for the completion of the ORSA, taking into account the regulatory reporting obligations and the circumstances that trigger a new ORSA.

Role of Risk Management in Insurance – SII – Pillar II: Example of the ORSA Policy structure
The Risk Management Policy is a part of the policy referred to by Reg. IVASS n. 38/2018.
1 Introduction: objectives of the document, regulatory references, standards for review/approval of the policy and links with the other company policies.
2 Risk Governance: roles and responsibilities of corporate functions towards risk management, process ownership allocation.
3 Risk Management System: frequency of the ORSA and the associated processes and procedures.
4 Current and forward-looking assessment: mapping of the risks considered, the risk assessment methods (Pillar I and non-Pillar I), Data Quality controls (link to the Data Quality Policy).
5 Stress Test and Scenario Analysis: phases of the Stress Testing process, calibrated to the risk profile, including the definition of stresses and the analysis of results.
6 ORSA and Capital Allocation: company guidelines for the relationship between the ORSA process and the capital allocation policies.
7 ORSA Report: reporting standards for the ORSA report, the analysis process and the reporting of results.

Role of Risk Management in Insurance – SII – Pillar II: ORSA Report
ORSA Supervisory Report – Minimum Contents – Annex 3 to Reg. IVASS n. 32/2016
1. Company risk profile and strategy: risk appetite, objectives, strategies and associated levels of risk tolerance defined by the company.
2. Explanation of the current and forward-looking assessments (explanation, data, assumptions, methodologies, results): methodological assumptions and hypotheses used for current and forward-looking assessments; projection time horizon of at least 3 years; type and quality of data used in the assessment; assessment results.
3. Detailed illustration of the conclusions drawn from the assessment, with indications of the actions taken or planned.
4. Connections between the results of the assessments performed and the capital management strategies (e.g. increases / dividends), business planning, product development plan (connection between the ORSA, the RAF and the company's business and capital management strategies).
5. Additional elements, including: any challenge of the assessments made in Pillar I (e.g. adequacy of the Standard Formula); Stress Test, Contingency Plan and any management actions undertaken.

Role of Risk Management in Insurance – SII – Pillar I vs Pillar II
Standard Formula (Pillar I requirements) – in order to calculate the capital requirement, the Standard Formula:
✓ Defines the risk Modules and Sub-modules within the risk assessment
✓ Defines the probability level of the VaR (99.5% confidence level, which is equivalent to a 1-in-200 frequency of the loss within a Sub-module exceeding the SCR)
✓ Defines the stress parameters to apply to risk sources for the SCR calculation
✓ One-year approach
ORSA (Pillar II requirements) – in the ORSA, the company:
✓ Assesses all risks that it could be exposed to (according to quantitative and qualitative assessments), including an assessment of risks not considered in Pillar I (see next slide)
✓ Can analyse its own solvency capital requirement for different probability levels, in accordance with its own risk policies
✓ Defines assumptions calibrated to its own risk profile
✓ Assessments follow time horizons over one year
Implementation of the ORSA requires a lot of effort from companies. The assessment of the capital requirement should be based on an internal model or a model calibrated to the risk profile of the company.

Role of Risk Management in Insurance – SII – Pillar II: Risks Not Included in Pillar I
Management may assess the following risks not included in Pillar I:
- Liquidity risk: risk of not being able to fulfil obligations towards policyholders and other creditors because of difficulties in transforming investments into liquidity without incurring losses.
- Group risk: "contagion" risk, understood as the risk that, due to interdependencies between the Group company and its entities, conflicts of interest and issues experienced by one Group entity may spill over to other entities within the Group, leading to negative implications on solvency.
- Reputational risk: risk of damage to the corporate image and increased conflict with policyholders caused by the poor quality of services offered, mis-selling of policies or conduct issues within the sales network.
- Climate risk: risk arising from trends or events caused by climate change. This is an emerging risk that the major insurance companies are becoming increasingly aware of.

Non-financial risks in insurance (approaches and the role of risk management)

Non-financial risks – Digital and Operational Risks
An insurance Company is exposed to many non-financial risks (such as the underwriting risks discussed previously). Therefore, we will focus the next part of the lesson on Operational risks and introduce the topic of digital risks.
Digital risks and Operational Risks: digital risks are (in best practice) usually associated with operational risks. The insurance industry, at least for the purpose of capital requirements, has to cover these risks. This operational risk module is typical not only for insurance companies; other industries are also exposed to this risk. We will see how it is possible to measure it in the insurance sector, because the insurance industry provides some methods that can be borrowed to/from other industries.

Non-financial risks in insurance (approach and role of risk management) – Operational Risk: definition and measurement
SII Operational Risks [1]: Operational Risks arise from the inadequacy or failure of internal processes, human resources, systems or from external events. The capital requirement for operational risk shall reflect operational risks that are not already covered in the risk modules referred to in Article 104 (Non-Life, Life, Health, Market, Default). Operational risks include legal risks but do not include reputational and other risks originating from strategic decisions [2].
Standard Formula Approach: the capital requirement for the operational risk module is equal to:
SCR_{Operational} = \min(0.3 \cdot BSCR;\ Op) + 0.25 \cdot Exp_{ul}
In particular: BSCR is the Basic Solvency Capital Requirement; Op is the measure representing the base capital requirement for operational risk; Exp_ul is equal to the amount of costs incurred during the previous 12 months for life insurance contracts where the investment risk is carried by the policyholders. The base capital requirement for operational risk (Op) is calculated as a function of insurance premiums and technical reserves.
[1] Art. 107, paragraphs 1-2-3, Solvency II Directive. [2] Art. 101, paragraph 4, Solvency II Directive.

Non-financial risks in insurance (approach and role of risk management) – Operational Risk: calibration and limitations of the SF
Calibration: the calibration of the operational risk factor is challenging because of the lack of available information; CEIOPS used as benchmark and reference point the information coming from internal models of operational risk, which have a VaR at 99.5% (with no diversification), in order to calibrate the parameters inside the operational risk formula.
Problems of the standard formula: lack of data for calibration; assumption of full correlation with the BSCR; lack of sensitivity to differences in the efficiency of the control and prevention measures implemented by companies; lack of sensitivity to mitigation techniques that can be implemented (e.g. insurance cover).
Transition to an internal model: overcomes the shortcomings of the standard formula by becoming risk sensitive; in fact, the internal model reflects in a more consistent way the Company's specific operational risk profile; optimises the capital to be set aside for operational risk on the basis of a more sensitive and business-oriented analysis; ensures that a framework is arranged to identify, measure, mitigate, systematically report and monitor the most significant operational risks, including digital risks.

Non-financial risks in insurance (approach and role of risk management) – Internal model: LDA vs. SBA
Methodologies following a Loss Data Approach (LDA) aim to simulate the development of future random events focusing on probabilistic models, based on historical data, by assuming that the past is a credible representation of future events. In the area of operational risks, in particular digital risks, the LDA is considered limiting and unsuitable by market best practice.
A Scenario Based Approach (SBA) aims to measure the evolution of random events relying on hypothetical but realistic scenarios, assessed by integrating Expert Judgement with internal and external data. That is the best methodology in the insurance industry. If implemented in a granular and complete way, using a process of Expert Judgement, the Scenario Based Approach ensures the identification and understanding of all potential risks and contributes to the accuracy of the criteria used to define the frequency and severity of scenarios.
Loss Data Approach vs Scenario Based Approach
- Loss Data Approach – advantages: data-driven approach; non-judgemental; allows the use of historical data for information. Issues: backward-looking approach; depends on data availability.
- Scenario Based Approach – advantages: granularity of assessments; promotes exchanges between different functions; forward-looking approach; easy to understand; contributes to risk culture and awareness. Issues: subjectivity due to expert judgement.

Non-financial risks in insurance (approach and role of risk management) – SBA: typical phases of assessment
1. Identification: identify and classify the library of the different kinds of exposure.
2. Selection: select the scenarios deemed necessary for quantification.
3. Analysis: get estimates of the frequencies and costs of the scenarios (with Expert Judgement, internal and external data).
4. Modelling: calibrate the loss distributions and quantify the value-at-risk.
5. Aggregation: define the correlation matrix and combine the losses from the different scenarios.
Expert Judgement influences different areas of the process. The experts involved must have: recognised competence/expertise in the different phases of operational risk assessment; awareness of the reliability and limitations of the assumptions considered. It is also essential that the experts (who are usually the owners of the processes subject to risk assessment) are guided by risk management and modelling specialists who can effectively conduct a process of "elicitation" of expert judgement, applying appropriate techniques to prevent and mitigate the biases that usually affect the opinions of risk owners.

Non-financial risks in insurance (approach and role of risk management) – Identification of risks and library
All risk scenarios are collected in a "taxonomy" where all operational risks of the Company are identified and classified. The taxonomy is divided into 3 levels, the first of which is common to banking and insurance practice and is composed of the following seven types of risk:
- Internal fraud: losses due to fraud, misappropriation or violations of laws, regulations or company guidelines
- External fraud: losses due to fraud, misappropriation or violations of laws by a third party
- Employment practice and workspace safety: losses resulting from acts that do not comply with the law or with employment agreements, health and safety at work, and compensation for injuries
- Clients and products: losses arising from unintentional or negligent breaches of professional obligations to clients
- Damage to physical assets: losses due to loss or damage to tangible assets resulting from natural disasters or other events
- Business disruption and system failure: losses due to business interruption or dysfunction of information systems
- Execution and management of processes: losses due to shortcomings in the handling of operations or in the management of processes
The second level of the library presents aspects common to the different insurance market operators, while the third level (if it exists) is different for each Company in how it represents the specific risks of the firm. There is a balance between granularity and simplicity, to allow the analysis of risks with clearer responsibility of the main risk owners and to represent the risk profile of each legal entity.
Non-financial risks in insurance (approach and role of risk management) Preliminary assessment and risks selection Identified by Basel II Typical of insurance market Company-specific 1° Level 2° Level 3° Level Theft/external fraud Internal fraud Data leakage / corruption External fraud System security (external) IT attack on a specific infrastructure Employment practice and workspace safety Risk Assessment and Scenario Selection For identified risks, we proceed with a preliminary assessment (that for example could be based on a Clients and products qualitative estimate of impact/frequency) that allows to make a classification in a heatmap, i.e. a matrix that allows to observe the risks in terms of their «materiality» to the company. Damage to physical assets Once classified, the risks deemed Highly frequent to be material (e.g. starting from Frequency Common Business disruption and system «yellow») are selected for further failure Infrequent analysis and quantification. Remote Execution and management of Immaterial Minor Medium Serious Extreme processes Impact Non-financial risks in insurance (approach and role of risk management) Analysis and modelling: general approach For the quantification of Operational Risk, models pertaining to the so-called Advanced Measurement Approach (AMA) are often used. These models are typically based on a Frequency X Severity approach, which consists of the decomposition of aggregate loss into its two components, (i) number of events generating a loss in a given period and (ii) their magnitude. ෩ 𝑁 𝑎𝑔𝑔𝑟𝑒𝑔𝑎𝑡𝑒 𝑙𝑜𝑠𝑠 = 𝑋෩𝑖 𝑖=1 where: 𝑋෨𝑖 represents the loss of a single event (Severity); ෩ is the number of events (Frequency). 𝑁 Furthermore, it is assumed that claims are independent and identically distributed and there is independence between the number of claims and magnitude. 
In order to combine frequency and severity, a Monte Carlo approach is generally used, where over 100,000 simulations are carried out for each risk, thus obtaining the probability distributions of losses. For each event, the distributions are aggregated through appropriate dependency structures in order to obtain the overall probability distribution at Company and/or Group level. Following Solvency II principles, risk capital is calculated by aggregating the distribution of losses using a Value-at-Risk approach at 99.5%:

$SCR_{op} = VaR_{99.5\%}(\text{aggregate loss}_{Company/Group})$

Analysis and modelling: frequency
To apply the methodology described so far, we need to quantify the distribution of frequency, which provides information about the number of loss events in a given period (it is common to use a one-year view). In order to build a model for the frequency distribution, it is usually necessary to strike a balance between the quality and quantity of reference data, which is often used (together with a qualitative analysis of the context of the risk under observation) as a basis for expert judgement. In particular, not all data available to the company is always used; sometimes restrictions are imposed on the quantity of data (for example, only data referring to a small number of years are used), because the criteria of data quality and especially of risk representativeness are applied.

The distribution most used to model frequency is the Poisson. This selection is based on:
- Simplicity of calibration: the Poisson requires the calibration of just one parameter;
- Sensitivity of VaR: even when more complex distributions are used, analyses show that VaR is not particularly sensitive to changes in the frequency distribution function;
- Poisson fits the data well: if available, analyses show that no clear fitting benefits are obtained by using more complex distributions.
Other distributions for modelling frequency are: Bernoulli, Binomial, Negative Binomial or constant frequency.

Referring to the Poisson, the parameter λ is equal to both the mean and the variance; the calibration therefore requires only an average estimate of events per year.

Analysis and modelling: distribution for severity
In practice, continuous distributions are used for modelling severity. The choice of distribution for severity is critical in the field of operational risk because VaR is strongly impacted by the behaviour of the tails. Operational risk scenarios are usually heavy-tailed, and the choice of distribution used to model these scenarios should reflect this characteristic.

The most widely used distribution in the market to model the severity of each selected scenario is the Lognormal, because it satisfies the following properties:
- prudentiality: the Lognormal belongs to the family of sub-exponential distributions, characterised by heavy tails;
- efficiency: the amount of information required for calibration is minimised, because the Lognormal has only 2 parameters;
- transparency: the parameters of the Lognormal are more understandable than those of other distributions;
- compliance with banking regulations: the use of sub-exponential distributions is indicated in banking regulations;
- practicality: no constraints on the choice of parameters;
- benchmark: the Lognormal is the most used distribution in practice;
- intermediate tail behaviour: compared to other sub-exponential distributions.

Analysis and modelling: calibration of severity (1/3)
Assuming that the chosen distribution is the Lognormal, let us see below the main approaches adopted in practice to calculate its parameters, in order to complete the calibration of the frequency/severity model.
Calibration of parameters – Approach 1
The first approach is to estimate the parameters of the Lognormal distribution on the basis of three points of the distribution, which are respectively:
- typical impact, i.e. the amount that occurs most frequently, which can be identified with the mode of the distribution;
- serious impact, which is associated with the 80th percentile of the distribution (1 out of 5 events);
- extreme impact, representing the loss associated with the 95th percentile (1 out of 20 events).

µ and σ of the Lognormal distribution are obtained by solving the following system:

$X_1 = \exp(\mu - \sigma^2)$

$\frac{\ln X_2 - \mu}{\sigma} = 0.84$

$\frac{\ln X_3 - \mu}{\sigma} = 1.65$

where:
- $X_1$ represents the typical impact (TI);
- $X_2$ represents the serious impact (SI);
- $X_3$ represents the extreme impact (EI);
- µ is the scale parameter of the distribution;
- σ is the shape parameter of the distribution.

The second and third equations of the system are linked to the 80th and 95th percentiles respectively of the Standard Normal distribution. To solve for two unknowns only two equations would be needed; however, a system of weights between the extreme and the serious impact is used in order to be able to consider both. Using this approach, the percentiles associated with SI and EI are identical for all scenarios.

Analysis and modelling: calibration of severity (2/3)
Calibration of parameters – Approach 2
Another approach used in market practice is to calibrate the parameters of the Lognormal distribution based on two points:
- typical impact, identified with the trimmed mean;
- worst case, i.e. the economic loss resulting from an extreme but realistic scenario, identifiable as the amount of the distribution at a given percentile.

In this approach, the percentile is not identical for all scenarios, but depends on the frequency and the return period (in years) associated with the worst case.
Using this approach, the worst case has to meet two characteristics:
- it must be a tail event in order to be considered an extreme event;
- it should not occur too often, otherwise it would not be representative of a particularly stressful situation.

To satisfy both conditions, the worst case percentile is calculated as follows:

$p_{WC} = \max\left(0.99;\ 1 - \frac{1}{f \cdot r}\right)$

In particular:
- $p_{WC}$ is the percentile of the worst case event;
- $f$ is the average frequency of any event of the scenario under assessment (all severities);
- $r$ is the minimum return period of the worst case event.

(Figure: Lognormal density with the Typical Case and the Worst Case marked.)

The formula shows that, assuming a return period of 20 years, in all cases where the frequency is less than or equal to 5 the worst case percentile is the 99th. In this approach, however, the risk owner also has the option to explicitly indicate the percentile with which, in their opinion, the worst-case event can be associated.

Analysis and modelling: calibration of severity (3/3)
Calibration of parameters – Approach 3
In this approach, a team of experts sets the shape of the lognormal distribution, fixing the parameter σ. It then remains to determine the scale of the distribution, i.e. the parameter µ. For this purpose, it is sufficient to determine a single point of the distribution: the worst case, defined as the loss that occurs once every 20 years, and which is associated with a percentile calculated as:

$p_{WC} = 1 - \frac{1}{20 \cdot f}$

where:
- $p_{WC}$ is the percentile of the worst case event;
- $f$ is the average frequency of any event of the scenario under assessment (all severities).

The parameter µ of the distribution is obtained by solving the following equation:

$p_{WC} = \Phi\left(\frac{\ln y_0 - \mu}{\sigma}\right) \implies \mu = \ln(y_0) - \sigma\,\Phi^{-1}(p_{WC})$

where:
- $p_{WC}$ is the percentile of the worst case event;
- σ is the shape parameter chosen by the expert team;
- $y_0$ represents the amount of the worst case event;
- $\Phi(\cdot)$ represents the cumulative distribution function of a standard Gaussian.
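The three calibration approaches, as an added worked example in Python (not code from the slides). Each function returns (µ, σ) and the results are checked by reading the calibrated distribution back at the calibrating points. Two details the slides leave open are filled in as labelled assumptions: in Approach 1 the "system of weights" is taken to be a weighted average of the 80th- and 95th-percentile equations (weight `w_serious` on the serious impact), with the mode equation kept exact; in Approach 2 the trimmed mean is equated to the Lognormal mean $\exp(\mu + \sigma^2/2)$. The impact amounts used in the demo are constructed. `statistics.NormalDist` (Python 3.8+) supplies $\Phi^{-1}$.

```python
"""Lognormal severity calibration: the three market approaches (added example).

Convention: X ~ Lognormal(mu, sigma) means ln X ~ Normal(mu, sigma); amounts in EUR.
"""
import math
from statistics import NormalDist

_STD_NORMAL = NormalDist()
Z_80, Z_95 = 0.84, 1.65  # standard-normal quantiles used on the slides for SI and EI


def lognormal_mode(mu, sigma):
    return math.exp(mu - sigma ** 2)


def lognormal_mean(mu, sigma):
    return math.exp(mu + sigma ** 2 / 2)


def lognormal_quantile(mu, sigma, p):
    return math.exp(mu + sigma * _STD_NORMAL.inv_cdf(p))


def calibrate_three_points(x1, x2, x3, w_serious=0.5):
    """Approach 1: X1 = mode, X2 = 80th percentile, X3 = 95th percentile.
    Three equations in two unknowns. Assumption on the slides' weighting: keep the
    mode equation exact and combine the two percentile equations with weights w, 1-w:
        mu = w*(ln X2 - 0.84 sigma) + (1-w)*(ln X3 - 1.65 sigma)
    Together with ln X1 = mu - sigma^2 this gives a quadratic in sigma."""
    if not (x1 < x2 < x3):
        raise ValueError("need typical < serious < extreme impact")
    z = w_serious * Z_80 + (1 - w_serious) * Z_95
    c = w_serious * math.log(x2) + (1 - w_serious) * math.log(x3)
    # sigma^2 + z*sigma + (ln X1 - c) = 0, positive root (ln X1 < c by the check above)
    sigma = (-z + math.sqrt(z * z - 4 * (math.log(x1) - c))) / 2
    mu = math.log(x1) + sigma ** 2
    return mu, sigma


def worst_case_percentile(f, r=20):
    """Approach 2: p_WC = max(0.99, 1 - 1/(f*r)); f = events per year, r = return period."""
    return max(0.99, 1 - 1 / (f * r))


def calibrate_mean_and_worst_case(ti, wc, f, r=20, p_override=None):
    """Approach 2: typical impact TI = trimmed mean, worst case WC at percentile p_WC
    (or a percentile the risk owner states explicitly via p_override).
    Assumption: TI is equated to the Lognormal mean. Solves
        mu + sigma^2/2 = ln TI   and   mu + z*sigma = ln WC."""
    p = p_override if p_override is not None else worst_case_percentile(f, r)
    z = _STD_NORMAL.inv_cdf(p)
    gap = math.log(wc) - math.log(ti)
    disc = z * z - 2 * gap
    if gap <= 0 or disc < 0:
        raise ValueError("worst case not consistent with the typical impact at this percentile")
    sigma = z - math.sqrt(disc)  # smaller root: the worst case stays a tail event above the mean
    mu = math.log(ti) - sigma ** 2 / 2
    return mu, sigma


def calibrate_fixed_sigma(y0, f, sigma):
    """Approach 3: experts fix sigma; the worst case y0 is the once-in-20-years loss,
    p_WC = 1 - 1/(20 f), and mu = ln(y0) - sigma * Phi^-1(p_WC)."""
    p = 1 - 1 / (20 * f)
    if not 0 < p < 1:
        raise ValueError("frequency must exceed one event per 20 years for a 20-year worst case")
    return math.log(y0) - sigma * _STD_NORMAL.inv_cdf(p), sigma


if __name__ == "__main__":
    # Constructed impacts for one scenario, e.g. "data leakage / corruption"
    print("approach 1:", calibrate_three_points(10_000, 50_000, 200_000))
    print("approach 2:", calibrate_mean_and_worst_case(20_000, 200_000, f=2))
    print("approach 3:", calibrate_fixed_sigma(100_000, f=1, sigma=1.0))
```

The `ValueError` branches matter in practice: with the expert-given points fixed, a worst case too close to the typical impact, or a scenario expected less than once in 20 years, leaves no Lognormal that honours the inputs, and a calibration tool should say so rather than return a distribution whose tail contradicts the workshop.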
Monte Carlo simulation and loss distribution
(Figure: the Frequency and Severity distributions, together with the number of simulations, feed the Monte Carlo simulation, which produces the aggregate loss distribution.)

A focus on the cyber risk scenario analysis and Monte Carlo simulation

The model architecture
Cyber Risk Quantification, THE BIG PROBLEM: simulation of possible threat outcomes, returning expected and unexpected potential loss at different probability levels. Let's break it down into smaller problems!
FAIR: Factor Analysis of Information Risk.

The model architecture: Threat Scenarios
Scenario-based approaches are the best practice for quantifying cyber risk, because they simulate real-world situations, allowing organizations to assess vulnerabilities, potential threats and their financial impact comprehensively, especially given the insufficiency of historical loss data and the continuously evolving nature of cyber risks.
The model architecture: Threat Scenarios, the main ingredients
The slides build the scenario up one ingredient at a time, using a single running example (threat actor: Cyber Criminals; country: Italy).

Threat Actor: who is attacking. Threat actor groups: 3rd Parties, Cyber Criminals, Employees, Hacktivists, Nation State, Terrorists.

Capability: capabilities of the attacker. Each threat actor carries a capability range; for Cyber Criminals: MIN 2, MAX 8.

Outcome: the desired outcome, their objective. Possible outcomes: Disruption of asset use; Destruction/loss of asset; Direct theft/fraud; Disclosure (exploitation); Disclosure (publication); Modification of asset. In the example: Disruption of asset use.

Motivation: the motivation of the attacker. In the example: 0.8.

Threat Intensity: shown for Country Italy, with the capability and motivation above. Example values: Threat Intensity (Linear) 6.8; Threat Intensity (Log-Normal) 83.91%.

Attack Chain: the attack vector and its individual steps. Six phases:
AV1 – Reconnaissance
AV2 – Initial compromise
AV3 – Establish foothold or escalate privilege
AV4 – Move laterally or maintain presence
AV5 – Gather data
AV6 – Complete mission
Individual attack vectors from the library include: Credential compromise (A), Credential compromise (I), Credential misuse (A), Malware download to host (A), Critical Third Party failure (A), Data collection (A), Data collection (I), Data exfiltration over web/cloud (A), Data lock (A), …

Vulnerability: success rate & complexity. Each step of the chain gets a success rate and a complexity, and the table reports a Weighted Effective Score (WES) and a Vulnerability Score per step. The Control framework supplies the scores by maturity & importance (1 to 5). Example chain:
Phase   Attack Vector                   Success Rate   Complexity   WES    Vulnerability Score
AV1     (no step in the example)
AV2     Credential Compromise (A)       High           Low          3.10   37.08%
AV3     Malware download to host (A)    High           Medium       3.10   32.00%
AV4     (no step in the example)
AV5     (no step in the example)
AV6     Data Lock (A)                   High           Medium       2.61   37.97%
Scenario Overall Vulnerability: 4.51%

Likelihood (%): the frequency distribution. Scenario Likelihood Result: Scenario Vulnerability Score 4.51%; Threat Intensity Score 83.91%; Likelihood 3.78%.

Asset group under attack.

Loss Component: the loss components relevant to the attacked assets: Direct Financial Loss; Compensation; Customer Churn (Indirect); Customer Churn and Lost Business; Fines & Regulatory Penalties; Investigation & Remediation; Legal Action; Marketing & PR; Operational cost of managing additional regulatory scrutiny; Operations Downtime.

Impact (€): the severity distributions.

Cyber Risk Quantification: Monte Carlo simulation of possible outcomes, returning expected and unexpected potential loss at different probability levels.

Model output: a comprehensive info set on cyber risk exposure
For each scenario it is possible to obtain output tables and graphic reports.
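How the ingredients combine into a scenario likelihood and an expected-loss allocation, as an added example in Python (this is not the model on the slides, whose internal formulas are not shown). It reproduces the slide figures 6.8, 4.51% and 3.78% under two assumptions stated here: the linear threat intensity is MIN + (MAX − MIN) × motivation, and the scenario vulnerability is the product of the per-step vulnerability scores, since the attacker has to succeed at every step of the chain. The Log-Normal threat intensity score is taken from the slide as an input, the per-component mean impacts are constructed, and the "improved control" what-if (lower success probability at the initial-compromise step) illustrates the diagnostic question of how much a higher control maturity would reduce the exposure.

```python
"""Cyber scenario: likelihood from the attack chain, expected loss by component (added example).

Assumptions (not from the slides): linear threat intensity = min + (max-min) * motivation;
scenario vulnerability = product of the step vulnerability scores.
"""
from dataclasses import dataclass


@dataclass
class ChainStep:
    phase: str            # AV1..AV6
    vector: str           # attack vector from the library
    vulnerability: float  # probability the step succeeds against current controls


def threat_intensity_linear(cap_min, cap_max, motivation):
    """Assumption: capability range scaled by motivation; 2 + (8-2)*0.8 = 6.8 on the slide."""
    return cap_min + (cap_max - cap_min) * motivation


def chain_vulnerability(steps):
    """Assumption: the scenario succeeds only if every step of the chain succeeds."""
    v = 1.0
    for s in steps:
        v *= s.vulnerability
    return v


def scenario_likelihood(vulnerability, threat_intensity_score):
    """Slide: Scenario Vulnerability Score x Threat Intensity Score = Likelihood."""
    return vulnerability * threat_intensity_score


def expected_loss_by_component(likelihood, component_means):
    """Expected annual loss per loss component (likelihood x mean impact) and the total."""
    alloc = {name: likelihood * mean for name, mean in component_means.items()}
    return alloc, sum(alloc.values())


def with_improved_control(steps, phase, new_vulnerability):
    """What-if: a control improvement lowers the success probability of one step."""
    return [ChainStep(s.phase, s.vector, new_vulnerability if s.phase == phase else s.vulnerability)
            for s in steps]


# The slide's running example: Cyber Criminals, Italy, Disruption of asset use
SLIDE_STEPS = [
    ChainStep("AV2", "Credential Compromise (A)", 0.3708),
    ChainStep("AV3", "Malware download to host (A)", 0.3200),
    ChainStep("AV6", "Data Lock (A)", 0.3797),
]
SLIDE_THREAT_INTENSITY_LOGNORMAL = 0.8391  # slide value; its derivation is not shown

# Constructed mean impacts in EUR per loss component (not slide data)
COMPONENT_MEANS = {
    "Operations Downtime": 400_000,
    "Investigation & Remediation": 150_000,
    "Fines & Regulatory Penalties": 100_000,
    "Customer Churn and Lost Business": 250_000,
}


def run_demo():
    vuln = chain_vulnerability(SLIDE_STEPS)
    like = scenario_likelihood(vuln, SLIDE_THREAT_INTENSITY_LOGNORMAL)
    alloc, total = expected_loss_by_component(like, COMPONENT_MEANS)
    # What-if: stronger authentication controls at the initial-compromise step (constructed value)
    improved = with_improved_control(SLIDE_STEPS, "AV2", 0.15)
    like_improved = scenario_likelihood(chain_vulnerability(improved), SLIDE_THREAT_INTENSITY_LOGNORMAL)
    return {
        "threat_intensity_linear": threat_intensity_linear(2, 8, 0.8),
        "vulnerability_pct": round(vuln * 100, 2),
        "likelihood_pct": round(like * 100, 2),
        "expected_loss": total,
        "allocation": alloc,
        "likelihood_pct_after_control": round(like_improved * 100, 2),
    }


if __name__ == "__main__":
    for key, val in run_demo().items():
        print(f"{key}: {val}")
```

Because the chain vulnerability is a product, lowering any one step's success probability scales the whole scenario likelihood by the same ratio, which is what lets the output tables rank controls by how much they cut the exposure; the Monte Carlo step on the slides then replaces the mean impacts used here with the full severity distributions.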
Each calculated metric is saved, and all the modules' input and output can be visualized with risk intelligence tools, in order to properly identify the vulnerabilities that are driving the exposure (Scenario Report).
The model provides the loss probability distribution for each scenario and for the aggregate exposure, taking into account risk dependencies (Aggregation).
The overall risk exposure can be allocated on the libraries defined (i.e. the various model blocks), working as a risk source intelligence tool (Risk Allocation).

Model output: samples of model diagnostics
The diagnostic tables answer questions such as: Which types of threat actor lead to the most material risk exposure? Which controls are most effective and how would we benefit from a higher maturity? To which steps in the attack chain are we most vulnerable? To which types of "initial compromise" are we most vulnerable? How much are we financially exposed?

Exposure by threat actor and asset group (values as shown on the slide):
Threat Actor       Group 2   Group 3   Group 4   Group 5   Total
3rd parties                      9.9      19.5              29.5
Cyber criminals       17.2      30.9      36.5       1.2    85.9
Employees             11.7                 7.5       6.5    25.7
Hacktivists            0.2       2.4       6.4               9.0
Nation state           3.1      12.3                        15.4
Terrorists                                           0.8     0.8
Total                 32.3      55.6      69.9       8.5   166.2

Exposure by type of initial compromise (AV2) and asset group:
AV2 – Initial compromise          Group 2   Group 3   Group 4   Group 5   Total
No initial compromise                24.1      24.9      41.1       6.5    96.5
Exploit Web App. Vulnerability                 5.9      12.1              18.0
Phishing                              8.2       2.4                 0.8    11.4
Pretexting (social engineering)                10.0                 1.2    11.2
Supply Chain Compromise                         2.7                         2.7
Vendor Compromise                               9.7      16.8              26.5
Total                                32.3      55.6      69.9       8.5   166.2

The Insurer's stance on non-financial risk, including digital risk: cyber risk

Cyber risk: Definition
First of all, let's start with the definition of cyber risk, taken from the International Association of Insurance Supervisors (IAIS): "Cyber risk could be defined as any type of risk that emanates from the use of electronic data and its transmission, including technology tools such as the internet and telecommunications networks. It also encompasses physical damage that can be caused by cybersecurity incidents, fraud committed by misuse of data, any liability arising from storage of data and the availability, integrity and confidentiality of electronic information - in connection with individuals, companies or governments."
Cyber risk is therefore considered within Event Type 02 – External fraud, defined by Basel II, because the risks for IT systems (loss or damage) arise from inadequate or failed internal processes, employee conduct, technology or external events.

Cyber risk: what does it relate to?
The slide maps cyber risk onto: IoT, Industrial IoT, ICS/SCADA, Enterprise IoT, Cloud, Container, Web App, Mobile, Computers, Virtual Machines, Servers, Desktop, IT, Network infrastructure.

Cyber risk: whom does it relate to and how?
Some examples shown on the slide: breach of data integrity, cyber attack, business availability, system failure, electronic data incident, network interruption, defamatory content, breach of data confidentiality; sectors named: Health & Pharma, Public Sector.

Cyber risk: key findings of a PwC survey
These conversations gave rise to key focus points that served as a basis for various studies in this field:

Understand: There is a clear need for a deeper understanding of digital risk, both on the demand and the supply side, in order to further develop the European cyber insurance industry. This does not only refer to measuring and treating risks, but also to understanding the real needs of customers.

Specialisation: The lack of specialised underwriters, data and quantitative calculation tools are major obstacles to the development of the cyber insurance industry and to the provision of suitable insurance cover for the economy.

Coverage: A gradual growth in demand within the cyber insurance industry is expected, mainly driven by new regulations, increasing awareness and the frequency of events. The relevance and importance of cyber insurance coverage is expected to grow significantly within the functioning of the global digital economy.

Services and Products: Currently, insurance coverage is primarily focused on commercial business. In practice, interest in providing insurance cover for individuals is increasing due to the spread of digital tools and the increase in breaches within digital services.

Regulations: New regulations or regulatory innovations could, even if moderately, be accepted by the insurance industry in order to help to face some of the challenges identified, despite the complexity of regulatory compliance.

Models: Qualitative models are more widely used than quantitative models to estimate pricing, risk exposures and risk manifestations. Lack of data can be a limitation for most of these models; this limitation may not allow an adequate risk estimation and assessment.

Cyber risk: products and services offered
In general, specific products are offered to large companies and underwritten individually, with higher limits and wider cover than the standard products in the market. Large companies generally invest more in their information technology (IT) and internal security management, while small companies often outsource IT. The insufficient understanding of the risks faced by customers is one of the key challenges for the cyber insurance market. The reputation of the potential client company plays a key role in underwriting, particularly if quantitative data is not available. Small and Medium