Paul Schiavone, Global Industry Solutions Director for Financial Services at Allianz Global Corporate & Specialty
Financial services companies are facing multiple risk management challenges in the current climate. Economic and political uncertainty prevails, while the risk of asset bubbles and inflation is rising in different parts of the world. However, it is a number of “non-financial” risks that are most concerning firms in the sector, according to the Allianz Risk Barometer 2022.
The annual survey highlights some of the most significant risk trends for the year ahead, as identified by banks, asset managers, private equity funds, insurers and other players in the financial services sector. Cyber incidents (51% of respondents), the closely interlinked peril of business interruption (BI) and supply chain disruption (30%), and the impact of changes in legislation and regulation (26%) rank as the top three sector risks for 2022, based on the opinions of almost 900 respondents (872) who participated in AGCS’ latest research, which was conducted at the end of 2021.
FINANCIAL SERVICES COMPANIES MOST TARGETED BY CYBERCRIMINALS
Cyber incidents maintains its position as the top risk for financial services companies, with over half of respondents – the highest ever total – naming it as the greatest concern for their business.
Despite significant cyber security spending every year, sector respondents view the financial services industry as still being highly exposed to cyber threats, given that information and communications technology (ICT) plays an indispensable role in the daily functions of financial institutions. Digitalization covers not only payments but also lending, securities clearing and settlement, trading, insurance underwriting, claims management and back office operations, and the Covid-19 pandemic has heightened opportunities for attackers, with new vulnerabilities being exploited by new tools. The financial services industry was the sector most targeted by cybercriminals during the third quarter of 2021, with the number of publicly-reported incidents jumping by over 20%, according to a report by Trellix, a cyber company formed out of what was McAfee Enterprise and FireEye. Financial services companies were the target of around 40% of advanced persistent threat (APT) observations and also led all industries in terms of detected ransomware samples.
This is mirrored by an AGCS analysis of more than 7,500 insurance claims for the financial services segment over the past five years – with a total value in excess of $1bn. The analysis shows that cyber incidents, including crime, is the top cause of loss for companies, producing the most expensive insurance claims.
In addition, a heightened cyber risk environment is anticipated for many industry sectors in the future, in the wake of Western nations slapping a raft of sanctions against Russia for invading Ukraine. In recent years, the NotPetya cyber-attack began as an attack on the Ukrainian government and the country’s businesses and quickly spread to the rest of the world, impacting companies including shipping company Maersk, US pharma group Merck and food group Mondelez. The attack was later blamed on the Russian military by the UK and the US.
BUSINESS INTERRUPTION AND THIRD-PARTY DISRUPTION
Finance has not only become largely digital, but digitalization has also deepened interconnections and dependencies within the sector and with third-party infrastructure and service providers. Recent high-profile cyber-attacks have shown a worrying trend for incidents where hackers target technology or software supply chains or digital single points of failure. In December 2021, it was reported that hackers had launched well over a million attacks on companies around the world in just four days, through a previously unnoticed vulnerability in a widely-used piece of open-source software called Log4j. This followed cybercriminals inserting ransomware into a software update issued by Kaseya, in itself an attack that had echoes of the SolarWinds incident which targeted bank and regulatory agencies, demonstrating the potential vulnerabilities of the sector to outages via their reliance on third-party service providers. It is unsurprising then that disruption to digital supply chains and cloud platforms ranks fourth in the cyber risks of concern in this year’s Allianz Risk Barometer (33% of respondents). IT outages, service disruptions or cyber-attacks can result in significant BI costs and greater operating expenses from a variety of causes, such as customer redress, consultancy costs, loss of income and regulatory fines. Last, but not least, brand reputation and, ultimately, a company’s stock price can also be negatively impacted, while management can also be held responsible for the level of preparedness. Insurers already see a rising number of losses from outages or privacy breaches.
For companies, and their senior management, this ultimately requires them to maintain an active role in steering the ICT risk management framework, encompassing the assignment of clear roles and responsibilities for all ICT-related functions, continuous engagement in the control of the monitoring of ICT risk management, as well as an appropriate allocation of ICT investments and training.
LEGISLATIVE AND COMPLIANCE CHALLENGES MOUNT
Compliance and the impact of increasing regulatory activity is one of the biggest drivers of insurance claims for financial institutions, and this is reflected in the fact that changes in legislation and regulation ranks as the third top risk for the sector.
The compliance burden for financial institutions has increased significantly over the past decade. Regulatory enforcement has intensified as banks and senior management are more readily held to account by lawmakers and prosecutors, as well as shareholders. At the same time, they are subject to a growing body of rules and regulations in a diverse range of areas, including sanctions, whistle-blowing and, of course, data protection and cyber security laws.
The consequences of data breaches are far-reaching with more aggressive enforcement, higher fines and regulatory costs and growing third party liability, followed by the prospect of litigation. Regulators are increasingly focusing on business continuity, operational resilience and the management of third party risk following the number of major outages at banks and payment processing companies. Companies need to operationalize their response to regulation and privacy rights and not just look at cyber security.
Then there are a number of other environmental, social, and governance (ESG) issues and requirements to handle. Companies are challenged by the growing raft of regulation and guidance in many territories, leading to tougher disclosure and reporting rules, particularly around sustainability, the most recent of which is the EU taxonomy for sustainable activities regulation, which provides a common dictionary for sustainability criteria and thus aims to enable comparability of sustainability performance.
Ultimately, these changes will influence how, and in which sectors, companies and funds invest, as they consider whether a particular asset fits within the taxonomy or ESG strategy, how they will report about it and what stakeholders and shareholders will think. The financial services sector may be ahead of other sectors when it comes to addressing ESG topics but regulations and guidance will still be a driver of risk going forwards.
At the same time, activist shareholders or stakeholders are increasingly focusing on ESG issues. Recent years have seen a surge in climate change-related litigation cases in particular. The cumulative number has more than doubled since 2015, according to a recent Oxford University/Climate Neutrality Forum report presented at the COP26 summit. Just over 800 cases were filed between 1986 and 2014, while over 1,000 cases have been brought in the last six years and there are a growing number of cases involving financial institutions. Such cases ultimately seek to influence emissions trends by increasing the cost of capital for high emissions activities. Early examples of this type of litigation focused primarily on the disclosure of climate change-related risks and their relevance to investment decisions, often drawing on guidance produced by the Task Force for Climate-related Financial Disclosures (TCFD). However, recent cases appear to mark a move beyond being focused just on disclosure to focusing on due diligence. In November 2020, a case was settled involving a $57bn superannuation fund in Australia, Rest. The claimant alleged Rest’s failure to disclose and address climate risk breached legislation. The fund committed to a raft of new disclosure and climate change-related initiatives in response.
Besides climate change, broader social responsibilities are coming under scrutiny, with board remuneration and diversity being hot topics and regulatory issues.
AGCS regularly engages in open dialogues with the banking, insurance and asset management segments to discuss risk trends and challenges. We are investing heavily in our network and expertise, across the underwriting, claims and operations sides, so we can best respond to customers’ needs and contribute to better management of risks in a complex environment that constantly evolves.
Further information on the results of the Allianz Risk Barometer 2022 can be found here