Insurance brokers and carriers must treat operational resilience as an integral part of business strategy rather than simply a compliance issue. That was the clear message from the panel at our recently concluded webinar on operational risk and resilience in association with the London & International Insurance Brokers Association.
The discussion explored the issues brokers, carriers, and companies face — with threats ranging from significant claims losses to ransomware and outdated IT. Intersys Director, Enterprise Risk Management Catherine Geyman and Managing Director Matthew Geyman led the discussion, and James Livett, Associate Director of Liiba, hosted the session. This was the second webinar in our ongoing series, which aims to explain the five basic principles of cyber security.
What is Operational Resilience?
Catherine Geyman said that while the concept has a broad definition in the market, operational resilience ultimately comes down to allowing businesses to continue to function when unexpected events arise.
“(Operational resilience) means very different things to different people. It’s a very broad church, but the bottom line is it’s not just about compliance. It’s about being able to keep your business running regardless of what the world throws at you,” Geyman said.
“A beautifully complicated and operationally resilient broker or insurer is one that can encounter, stand, mitigate, recover and learn from the impact of a broad range of events that have the potential to disrupt the normal course of business.”
She added that ensuring staff are well equipped to deal with adverse scenarios was one of the most important factors in determining whether an event has a serious and detrimental impact.
“Quite simply, it’s about protecting your business – the longevity, the long-term profitability and health of your business. But it’s also about protecting your staff,” she said.
“If your team isn’t trained and prepared to deal with the worst scenarios, then this can make very impactful scenarios even more stressful when they happen. So act as if something’s going to happen. Plan for something to happen. That’s the advice given by the Financial Conduct Authority.”
IT Failures & Cyber Attacks are a Top Concern
The possibility of cyberattacks and the threats these pose to operational continuity also continue to rank high among the concerns highlighted by brokers and insurers, Intersys Managing Director Matthew Geyman said.
While a survey found that larger firms feel they are more prepared for incidents such as ransomware attacks, medium-sized and small firms ranked system failures and cyberattacks among their top concerns.
Geyman highlighted that a significant proportion of the market uses out-of-date IT systems that could potentially be exploited, while the insurance sector as a whole remains a top target for ransomware.
“GCHQ’s 2021 survey says 8% of the insurance sector uses out of date computers that are vulnerable,” he said.
“A Black Kite survey said 18% of the top 99 insurance carriers have a high rate of vulnerability to ransomware.”
The move to remote working during the pandemic also increased the risks that companies face, with management having poor visibility over exactly who accesses what systems and when.
“Carriers and brokers were top targets during the pandemic. A lot of companies opened up their systems to make them more accessible from home, which is great for agile working, but in a lot of cases that decreases the visibility of the IT estate on who’s accessing what,” he said.
“So that’s another good reason to do data audits, data mapping to understand what sensitive information is where.”
Preparation is Key
Overall, the key message for companies remains ‘planning and preparation’, Catherine Geyman said, with a well-defined structure throughout the organisation to support operational resilience.
“It’s all about planning and preparation. At the top of the tree, we have an overarching framework of operational resilience, and at the next stage down business continuity management is about management of the crisis, of how the management team manages the crisis,” she said.
“And then beneath that we’ve got a DR team that are the technical response team that are going to sort the problem out.”
“All those elements need to be in place for a sound operational resilience program.”
The webinar was a great opportunity for us to share our knowledge with the insurance sector, and we were thrilled to have such good participation from Liiba members. We would also like to thank our partners Oric International for providing some brand new data around real risk events from their membership, which added some very relevant insights for our audience.
We look forward to hosting the next session in our series, due next year.
If your organisation needs help with its operational resilience, get in touch with us.