“Some of these innovations have occurred at a faster rate than changes to the regulatory framework and faster than contracts are written and renewed.”
To help keep pace with digital change, OSFI is proposing to create “a new division…that will focus on all things digital, including topics like open insurance, open data and crypto across the insurance and broader financial sector,” said Routledge.
He added the regulator’s digital focus will be on ‘resilience’ rather than ‘resistance’ to digital innovation.
“There is little doubt when looking to the future that its holds more digital disruption rather then less,” said Routledge. “It is simple to confront this future with resistance, but that is likely to result in being left behind rather than becoming more resilient.”
For insurers, digital change comes with increased operational, compliance, reputational and financial risks. OSFI is already holding public consultations with the industry to help come up with new guidance around risks associated with third-party suppliers and the increased chance of cyber attacks.
Consultation with the industry around elevated use of third-party providers is still open. OSFI noted this consultation broadens the scope of the regulator’s review beyond the company’s outsourcing agreements.
“Draft Guideline B-10 applies to a significantly wider variety of third-party arrangements,” said OSFI’s briefing notes. “It proposes to govern not only risks posed by traditional outsourcing arrangements, but also risks posed by external entities that a [P&C insurer] engages with on a commercial or strategic basis, including material subcontractors.”
The Draft B-10 Guideline also ‘widens the lens’ on risks associated with contracting work out to third parties. “The revised definition encompasses a series of related risks at third parties, such as technology, cyber, data security, financial, operational, business continuity management, subcontracting/supply chain risks, and concentration risks,” OSFI stated.
The regulator is also wrapping up consultations with the industry on cyber risk management [Draft Guideline B-13]. Final guidelines have not yet been drafted but OSFI did respond to some of the industry’s comments in advance.
For example, one common theme in the industry response is that emerging technology and data risks are already covered under other regulatory guidance issued by OSFI – i.e., guidance on operational risk management, or OSFI tools for the industry such as the Cyber Self-Assessment tool and Incident Reporting Advisory.
But in each instance, OSFI felt the digital aspect of the risk needed to be addressed specifically.
For example, “while OSFI’s recently updated Cyber Self-Assessment tool and Incident Reporting Advisory are critical, OSFI does not view them as sufficient or complete in responding to existing and emerging risks,” an OSFI online post observed. “Draft Guideline B‑13 [based on the cyber risk management consultation] aims to address this gap with broad coverage of both cyber and other technology risks.”
Additionally, OSFI said its Draft Guideline B-13 articulates the crucial link between its guidance on operational risk (as integrated into a company’s enterprise risk management system) and its cyber risk management guidelines.