Responsible Underwriting and DORA
Data Analytics and Underwriting: Precision and Efficiency
Responsible underwriting in insurance involves accurately assessing risks to ensure that premiums are sufficient to cover potential claims while maintaining profitability and fairness. This process is crucial for the financial health of insurance companies and their ability to meet obligations to policyholders.
James Harrison, Global Head of Insurance at Dun & Bradstreet, emphasises the impact of insurtech innovations on underwriting practices. He says: "Insurtech innovations have transformed underwriting practices in recent years. Some particularly valuable innovations include artificial intelligence and machine learning, which have played a critical role in enabling real-time risk assessment and the automation of decision-making processes. Behavioural analytics are also supremely useful, enabling insurers to collect real-time data on organisational behaviour. For instance, they can analyse cyber risk exposure for banks or companies that hold a lot of sensitive data, monitor shipping data for cargo insurance underwriting, or assess financial risk analysis. By understanding these behaviours, insurers can offer more precise risk assessments, leading to tailored coverage options and potentially lower premiums for businesses demonstrating safer practices."
Insurtech solutions provide robust data management systems that ensure data is collected, stored, and processed in accordance with regulatory requirements, such as GDPR and the Data Protection Act. Harrison adds that the use of data and technology during customer and third-party onboarding, coupled with ongoing automated compliance monitoring, is on the rise. This enables insurers to remain compliant with the evolving regulatory landscape and changes in company ownership efficiently, without constant manual oversight. Audit trails are particularly useful in ensuring accountability and visibility, allowing insurers to demonstrate compliance with regulatory standards. However, with AI comes an added layer of compliance. Businesses may be fined for using AI unlawfully or failing to provide transparency around AI use, so the importance of staying up to date on regulation cannot be overstated.
“Insurtech solutions provide robust data management systems that ensure that data is collected, stored and processed in accordance with regulatory requirements, such as GDPR and the Data Protection Act,” says Harrison.
“In addition to this, the use of data and technology during customer and third-party onboarding, coupled with ongoing automated compliance monitoring is on the rise. Doing so enables insurers to remain compliant with the evolving regulatory landscape and changes in company ownership for example, in a fast, accurate and efficient way, without the need for constant manual oversight.”
Audit trails are also particularly useful in ensuring accountability and visibility, allowing insurers to demonstrate that their processes and transactions comply with regulatory standards.
However, the adoption of artificial intelligence (AI) introduces additional compliance challenges. Businesses may face penalties for unlawful AI use or lack of transparency, underscoring the critical need to stay informed about regulatory developments. Harrison emphasises, "The importance of staying up to date on regulation cannot be overstated."
“The future of the insurtech sector promises a significant transformation in underwriting practices, largely driven by advancements in technology. AI and machine learning will play a big role, powered by data and analytics.
“By extracting actionable insights from datasets, insurers will be able to make more strategic underwriting decisions, allowing for optimisation of the entire value chain. However, they must ensure that they have well-managed, structured data as a foundation for AI, making smart data analytics central to this transformation,” he continues.
“IoT devices and social media will play a pivotal role in the development of underwriting, as insurers will be able to obtain insights into customer behaviour and risk profiles, thus paving the way for personalised insurance products tailored to meet individual needs and preferences.”
“Insurers that embrace new technologies and leverage the power of data will indeed see themselves move ahead of those who stick to more traditional solutions, setting a precedent for a customer-centric era.”
Richard Breavington, Partner at RPC, adds: “DORA represents a big step towards the enhancement of insurers' and InsurTech's digital operational resilience systems and policies, heading towards the implementation of a robust cybersecurity risk management framework.
“The regulations have served to bring cybersecurity and digital resilience to the forefront of the corporate governance agenda across insurance organisations.”
He adds: “Insurers and other market players within scope of the regulations have had to pay serious consideration to their broader responsibilities in respect of their ICT third party service providers. Insurance companies are expected to ensure that their ICT third party service providers uphold a robust digital operational resilience system too whilst being ready to provide unconditional assistance to insurers in the event of a cyber incident.”
“Enhanced testing procedures and a detailed process for detection, classification, reporting and registration of major cyber incidents and significant cyber threats are all required to ensure compliance with DORA.”
Legal Perspective: Navigating Compliance and Resilience
What specific strategies have you implemented to comply with DORA regulations?
“Typically, the first step that insurance organisations and InsurTech carriers have taken is to implement a gap analysis to identify what work is needed to reach compliance with DORA's requirements,” says Breavington.
“Having identified their needs, insurers should also be taking a proactive approach to obtaining expert advice on the implementation of the new mandatory policies and procedures.”
These can include:
- technical analysis of their risk management framework;
- implementation of an effective incident response management system;
- threat-led penetration testing mechanisms;
- a full review of their contractual terms with their ICT third party service providers; and
- effective information sharing mechanisms, to allow insurers and market players to collaborate with other carriers and cooperate with the authorities in the successful containment of cyber incidents.
“Along with obtaining expert advice, another key consideration is employee training on digital resilience,” he adds.
Training sessions such as pre-breach workshops, technical skills development and quality and safety training are key to:
- evaluate the effectiveness of new systems;
- reduce the risk of incidents within the organisation; and
- ensure successful management of the incident response process set in place by the organisations.
Challenges and Benefits of DORA Compliance
“There are a few challenges ahead for insurers in securing compliance with DORA. As a starting point, logistical and financial implications inevitably arise throughout the implementation of new policies, rules and processes. Incident management system, mandatory threat led testing, monitoring of their ICT service providers' own compliance with DORA's standards and employee training are just some examples of the new responsibilities imposed upon insurance organisations, the cost of which is likely to be material,” says Breavington.
“All entities within scope now have less than four months to become fully compliant with the regulations before January 17, 2025.”
On the flip side, one of the key benefits that DORA has brought to insurance carriers and market participants in scope of the legislation is the harmonisation of previously uneven national regulatory and/or supervisory rules. Prior to DORA, the insurance industry was subject to a multitude of regulations concerning (directly or indirectly) its digital operational resilience. DORA is likely to render structural and logistical benefits as well as cost savings for insurance organisations, as they now have a single, standardised digital resilience framework to comply with when providing services in the EU.
In addition to harmonisation, the intelligence sharing mechanism established by the regulations provides a platform for collective knowledge and expertise. Real-time threat intelligence sharing should enable the exchange of critical information such as emerging threats and indicators of compromise, thereby facilitating faster detection, stronger response and a consistent approach to cybersecurity. Access to shared intelligence enhances situational awareness, allowing insurance organisations to make informed decisions and to prioritise risk management.
The DORA regulation sets out specific requirements in four main areas:
1. ICT risk management and governance. Organisations must have comprehensive ICT risk management frameworks that identify and classify critical assets. They must also conduct periodic risk assessments.
2. Incident reporting. Systems need to be in place for “monitoring, managing, logging, classifying, and reporting” ICT-related incidents.
3. Operational resilience testing and threat sharing. ICT systems must be tested regularly to evaluate their performance, identify vulnerabilities, and repair them in a timely manner. In addition, financial institutions must establish agreements to share information and intelligence about threats and vulnerabilities.
4. Third-party risk management. It’s a requirement for companies in the sector to take an active role in managing ICT third-party risk. Service providers must also comply with the requirements of the DORA regulation.
Enhancing Operational Resilience with InsurTech
InsurTech solutions play a crucial role in enhancing operational resilience as required by DORA. Traditional carriers and InsurTech companies are increasingly collaborating to deliver common aims such as cost-effective systems, streamlined procedures, and advanced data analytics mechanisms. "This trend should continue and expand," Breavington asserts, so that InsurTech solutions provide reliable ways of ensuring compliance with DORA and other regulations in a secure environment.
“The importance of InsurTech to all aspects of the insurance ecosystem is demonstrated by the prevalence of business units centred around developing technology focused solutions for their respective business such as the Lloyd's lab and Lloyd's Blueprint (1 and 2), Aviva's Digital Garage and Munich Re Digital partners to name but a few.
“There is an increasingly common trend for traditional carriers and InsurTech companies to work together to deliver common aims including cost effective systems, streamlined procedures and advanced data analytics mechanisms. This trend should continue and expand so that InsurTech solutions provide reliable ways of ensuring compliance with DORA and other regulators in a secure environment.”
InsurTech is a BizClik brand