Three of the themes that EIOPA sees as its priorities were covered at its annual conference on 20 November. All of the topics were the subject of frank and spirited debate, with a range of different views being represented in the panel discussions.
EIOPA should be commended for encouraging views that were contrary to its own to be expressed, an approach which made for a worthwhile and balanced discussion of the topics.
The task of converging the approaches of the various national regulators was always going to be one of EIOPA’s most significant tasks. The different approaches come from a range of sources that are often not easily addressed, such as differing legal systems, cultural differences and varying degrees of available resources.
The difficulty of this task was underlined by some of the findings in the European Court of Auditors’ (“ECA“) report on EIOPA. In particular, the challenges raised by the supervision of cross-border business, and the connected findings in the ECA’s report, were the focus of a panel discussion. The following were some of the main points that arose:
- EIOPA powers: EIOPA and the ECA seemed quite strongly of the view that EIOPA needed greater legislative powers in order for it to converge supervisory practices successfully. There was certainly no enthusiasm for pretending that convergence had been achieved, or that it was even achievable in the near term. EIOPA sees convergence as a long-term aim, and feels that it needs to be able to take a more interventionist approach in order to achieve convergence successfully and to address some of the “systemic weaknesses” identified in the ECA’s report.
- Information sharing: there seemed to be considerable consensus that information sharing between national regulators needs to be improved. A lack of transparency between regulators was noted as potentially engendering distrust, with this distrust being exacerbated by some of the cross-border failures that have occurred. The underlying message seemed to be that home and host state regulators will need to do more, and work together more transparently and effectively, before the EEA-wide regulatory system can function in the way that Solvency II envisages.
- Intermediaries: intermediaries will be interested to know that their role within the insurance sector was referenced by a number of panellists. There seemed to be something approaching a consensus that more attention needs to be given to the role of intermediaries, and particularly to how they communicate information both to policyholders and insurers.
Introducing the topic of sustainable investing, Dr Emily Shuckburgh gave what could be described as an urgent plea for those outside the scientific community to look at the data. She called upon governments to introduce policies that are proportionate to the scale of the issues. While it is hard to pick one stand-out piece from the range of distressing data she provided, it was perhaps the warning that we need to get back to 1980s levels of emissions by 2030 (which would involve a 50% reduction) that showed the scale of the challenge and what Ms Schuckburgh meant when she said “proportionate”.
Again, a range of views were expressed and many good points were made. One of the key topics discussed was whether it is right for insurers to invest in sustainable projects, or whether the sole focus of the regulatory system should be on policyholder security. Policyholder protection, as well as some of the scars from the financial crisis in 2008, means that the regulatory system currently favours liquid investments. Sustainable investing, however, almost by definition requires investors to take a long-term view. Some participants made the point that insurers already take a much longer-term view than other investors. Others noted that a broader view of policyholder protection was needed, and that failing to address the challenges Ms Shuckburgh had raised would have potentially disastrous effects for policyholders and wider society. But the key point was probably that financial institutions are responsible, whether as custodians or for their own account, for such a significant amount of assets that any attempt to address the climate policy that does not involve them would at best be highly inefficient. At worst, it would be destined to fail.
As with supervisory convergence, transparency was a focus in the climate discussion. Requiring companies, not just in financial services but in all sectors, to set out what they are doing was noted as an important catalyst for change, and one which was already being done.
The discussion on sustainable investing went to the heart of the regulatory system, and particularly what the priority of financial regulation should be. Should financial regulation limit its primary objective to ensuring financial institutions are as financially secure (including its current focus on liquidity) as possible, or should there be scope for that regulatory system to take a broader view of society’s needs? EIOPA’s conference contributed to discussion of an area that may well move closer to centre stage in the years ahead.
While technology has, in different forms, featured in a number of previous EIOPA conferences, the focus this time around was two-fold. Firstly, what can insurers and regulators do to protect themselves from cyber-attacks? Secondly, can insurers safely underwrite insurance policies covering cyber-risk?
On the first question, experts on the panel made the point that vulnerability to cyber-attacks is not the fait accompli that it is sometimes presented as. The approaches of some companies, including some high-profile technology companies, were highlighted. One approach that received particular attention was the offering of “bug bounties”, where professional hackers are given access to a company’s systems and paid for each bug that they find. While it was acknowledged that some may have privacy concerns about this, it was noted that organisations like the US military have run this type of programme and so the concerns can be managed. Some representatives from governmental bodies said that they run partnerships with other organisations, including “insurtech” companies, which can help them to identify failings in their systems.
The challenge of attracting and retaining those with the necessary IT skills was also discussed. While hackathons are a good idea, they are unlikely to be enough in and of themselves. On this, the IT experts seemed to agree “ethical hackers” and other IT professionals tended to be driven by a desire to solve difficult problems, that being the attraction to that line of work in the first place. They therefore felt that companies should think about what they were asking their IT teams to do, and consider how they could present the issues they faced as interesting problems that IT professionals needed to solve. This, they felt, would likely lead to better retention of IT staff.
On the question of underwriting products, cyber-risk was seen as being distinct from other risks in that it was a truly global risk that evolved exceptionally quickly. Both of these were challenges for insurers, but a few important aspects to underwriting cyber-risk were identified:
- A policyholder needs to first take steps to protect itself against cyber-risk. If a company has not done this, it may be difficult to provide an insurance policy that properly addresses that company’s exposure to cyber-threats.
- Data needs to be made available to allow an insurer to underwrite. On this, insurers’ ability to share data (both between insurers themselves and between policyholders and insurers) was considered important.
- Having received the data, thorough testing to allow sensible pricing and scoping of the risks faced was needed. Some of the insurers said that this testing had taken years, rather than months. Having done this testing, underwriters will need to be trained so that they understand the pricing and the risks, which also takes time to do properly.