Financial services insights
Expert insights surrounding the financial services sector.
These items are based on a range of factors, including the issues/themes that we have identified throughout our work during 2024.
Whilst insurance is generally considered to carry a lower inherent financial crime risk than other parts of the financial services sector, insurers are nonetheless subject to regulations that require them to have adequate systems and controls in place to combat financial crime. Based on the work we have performed with firms, we have found that insurers are frequently unaware of their specific obligations and may be unable to evidence effectively how they have addressed them. Whilst a proportionate approach is likely to be appropriate, the expectation is that firms will have integrated consideration of financial crime into their governance and performed an enterprise-wide financial crime risk assessment, so that they have a thorough understanding of their financial crime exposures.
Although culture is almost universally recognised as a crucial part of firms' control frameworks, and is a common factor in most instances of regulatory intervention or other issues, it appears less frequently within internal audit plans. It nonetheless cuts across a range of different risk areas, including:
Given the level of associated risk, the majority of IA functions will have already undertaken some form of activity in relation to cyber security. Typical approaches have included performing an assessment of cyber security maturity against industry benchmarks and/or a review of the cyber strategy / roadmap.
When conducting a risk assessment, we recommend that insurance firms also consider the extent of assurance activity already undertaken over the operation of the cyber security control framework, through penetration tests or other exercises, as the scope of such testing can vary greatly between providers. In particular, we recommend that you assess the following aspects of previous testing, and consider whether it has been proportionate to your exposure or whether further work is required in the third line:
The secondary deadline (March 2025) for firms to comply with the Operational Resilience regulation is fast approaching. If it has not already been considered within plans (or within second-line activity), insurance firms should consider conducting either a pre- or (at the very least) post-implementation assessment to confirm that adequate steps have been taken to implement the rules and embed related operational processes.
Whilst we have found that the majority of insurance firms have appropriately identified their important business services (IBS) and impact tolerances (IToLs) and have mapped their resources, we are finding that they have not always adequately documented the rationale for the IBS or IToLs selected. Nor have they always undertaken sufficient testing to meet the regulation's expectation that firms test against 'severe but plausible' scenarios covering an 'appropriate range of adverse circumstances of varying nature, severity and duration'. Whilst most have undertaken some desk-based exercises, insurance firms will need to be able to evidence that they have sufficiently tested the resources underpinning their IBS, and that their arrangements will enable them to recover within their IToLs. We have found that many firms are yet to go beyond basic testing.
The outsourcing regulations should by now be well established and embedded in most organisations; however, we have found that although insurance firms address the majority of requirements, they frequently do not have contingency arrangements in place, or have not tested them, to ensure they can maintain service continuity in the event of the loss or outage of a third party.
This risk was thrown into stark relief by the recent CrowdStrike outage and the disruption it caused to firms. IA functions may wish to revisit aspects of the outsourcing regulations and their wider third-party risk management frameworks, and to consider the impact of the loss or outage of a third party which, while potentially not 'material' under the regulatory definition, may nevertheless cause significant disruption.
Over the last few years, we have seen a trend towards insurance IA functions reporting on cross-cutting matters such as culture within each of their reports and, more commonly, in their annual reporting to audit committees. We now expect to see the same approach increasingly applied to the recent wide-ranging regulations, Operational Resilience and the Consumer Duty foremost among them. This will require a good deal of forethought when planning and scoping audits to identify the relevant touchpoints, so that these are (a) called out and (b) reported on in a concise and user-friendly way.
To speak to one of our Insurance Risk Consulting experts, get in touch today.