Risk convergence: how insurers can seize the initiative on privacy, cyber risk and operational resilience

The Covid-19 pandemic has dramatically reshaped the operational risk landscape. New ways of working have brought fresh challenges, ranging from the practical to the privacy-related. Meanwhile, widespread volatility has shone a spotlight on risk—revealing vulnerabilities and redefining the very notion of operational resilience. EXL and Insurance Post recently joined risk and privacy leaders from the insurance industry to review the effects of a tumultuous few months and to discuss the lessons and opportunities they have identified along the way. From this, we share five critical learnings that insurers must apply, if they are to seize the initiative on privacy, cyber risk and operational resilience.

Most businesses will have experienced transitioning operations from the office environment to remote working, almost overnight. IT teams in every industry have worked to implement—and even build from scratch, in some cases—a remote working model on a scale that has never before been imagined, nor tested. Most have succeeded, but with this new normal comes a level of business complexity that is testing the operational resilience of every organisation. What does remote access mean for privacy? What about risk and compliance? How will they align with third-party vendors and wider supply chains? Are existing policies even fit for purpose, in a post-Covid world?

Learning point: Flexibility and responsiveness are key to successfully adapting the operating model.

"You can’t address these new risks in a silo. Instead, it’s a case of the privacy team working with the cybersecurity team, working with the operations team and so on."

Brad Bryant, Chief Privacy Officer, AON

Our panel agreed that even previously successful operating models are unlikely to be effective, for a post- Covid world. Continuous learning from workforce and customer feedback, simplifying and scaling up automated processes and taking a holistic, joined up view across the business have been vital factors in successfully reshaping the operating model, on the fly.

Learning point: Managing an evolving risk profile demands a fresh look at culture, controls and frameworks.

"We’ve got to get our people to be the ones to protect us from external threats, because more likely than not, a mistake made from the inside is what opens the door to a cyber-attack from the outside. But that demands heavy investment in training and a culture that makes people feel safe to report mistakes, too."

Andrea Santolalla, Chief Operating Officer, Special Risks, Hiscox

Cyber risk now looks markedly different, as large swathes of the workforce operate remotely in the new normal. At the same time, the regulatory landscape is shifting. Resilient insurance firms are able to be agile in scaling their operating model and adjusting their risk framework accordingly. Phishing and ransomware attacks are just two threats that have increased during Covid-19; building an organisation-wide culture of rigorous risk-related training and introducing work-from-home controls (such as time-limited log-in access) bolster resilience in this area. Our panellists agreed with EXL that one size does not fit all—context is key. Risk management strategies will look different for life insurers, for instance, compared to brokers or commercial insurers. As such, risk and regulatory programmes will benefit more than ever from deep domain expertise.

Learning point: Policies must be fit for purpose in the Covid-era (and if you haven’t adapted them yet, they probably aren’t).

"Every organisation should be asking itself, are our operational policies now fit for purpose? After all, did we ever truly imagine disruption on this scale?"

Prakhar Agrawal, Practice Director, Risk & Compliance, EXL

The ubiquity of remote working has been a paradigm shift in terms of privacy and risk. Aside from cyber risks, there is the issue of accessing and handling data and personal information in non-standard working environments. Our panellists endorse thorough privacy impact assessments to facilitate the necessary policies and controls. Complex supply chains and vendor ecosystems also demand scrutiny at a policy and risk management level; as one insurer put it, “you might be responding one way to Covid, while your suppliers might be responding differently.” Indeed, as we look to a future that will almost certainly be dominated by hybrid office-remote ways of working for both workforces and third parties, policies for aspects such as remote access must evolve in line with the operating model and changing risk environment.

Learning point: Balancing health and safety and productivity with privacy is an emerging priority.

"Privacy rights are as important as ever, but I worry about them being weakened in this hyper-vigilant Covid-19 environment and not being taken back to where they need to be."

Robert Duncan, Chief Information Security Officer, Direct Line Group

Responding to Covid-19 has been, at its most basic and acute level, about saving lives. Technologies like contact tracing apps have assisted the effort, but at the same time they have raised questions about privacy. The challenge now for privacy, risk and compliance and business leaders is to balance fundamental rights to privacy with essential health and safety measures, embedding fundamental privacy and data protection principles in dayto- day operations and critically, actively demonstrating accountability.

Learning point: Now is the time to double down on the opportunities and priorities that have emerged.

“The pandemic has shown us what we’re capable of in terms of acting with speed and agility. And it’s taught us that perhaps we were shooting too low before—we can do more than we ever thought possible.”

Andrea Santolalla, Chief Operating Officer, Special Risks, Hiscox

Covid-19 has tested every insurance business, from the foundations up. But almost universally, we see insurers achieving rapid change, overcoming challenges and emerging with new insights, capabilities and priorities. Now, the challenge is to build on this show of resilience to strengthen the organisation for the future. Pandemic-driven advances in digital adoption should now be explored further. Modular, repeatable processes that have proven themselves during this period can now be scaled. Experiments in diversifying the workforce with AI-powered agents are now ripe for review and consolidation. Risk factors that have revealed themselves as new priorities must be re-addressed in light of what we now know. There is no time to lose; as EXL’s Prakhar Agrawal reflected,

“As we emerge from crisis, it is clear that when it comes to building resilience, insurers can never do too much”.

With thanks to our panel chair, Stephanie Denton, editor of Insurance Post.

To learn more about how your firm can seize the initiative on privacy, cyber risk and operational resilience to become future-ready, please reach out to our Practice Director, Risk & Compliance Prakhar Agrawal (Prakhar.Agrawal@exlservice.com).