The Office of the Superintendent of Financial Institutions (“OSFI”) published two updates this week relating to its review of technology risks and cyber insurance underwriting risks.
Technology Risks Discussion Paper
On May 10, 2021, OSFI provided an update in respect of the consultation process regarding technology and related risks initiated on September 15, 2020 with the publication of a discussion paper entitled Developing financial sector resilience in a digital world (the “Discussion Paper”). The update included a summary of the responses OSFI has received from various respondents, including Federally Regulated Financial Institutions (“FRFIs”), industry associations, technology companies and consulting firms in response to the questions and topics in the Discussion Paper. The three main topics in the Technology Discussion Paper are: cyber-security; advanced analytics; and the third party ecosystem.
Among other comments, there seems to be a general agreement among the respondents that OSFI should not create separate guidance to address technology risk, risks associated with cloud-based services or data risk and that such risks could be sufficiently addressed by revising existing guidance. For instance, OSFI has previously indicated that it intends to review and update OSFI Guideline B-10: Outsourcing of Business Activities, Functions and Processes (“Guideline B-10”). Guideline B-10 addresses OSFI’s expectations for FRFIs in respect of activities outsourced to service providers.
Some respondents felt that data risks are adequately addressed by existing legislation and standards. Respondents also indicated that new model risk guidance should remain risk- and principles-based and that OSFI should apply a technology agnostic approach. OSFI has indicated that there will be additional opportunities for respondents to provide feedback on specific proposals prior to the issuance of any final guidance.
OSFI also provided a proposed schedule setting out the planned release dates for draft guidance. Despite the feedback OSFI has received to date, a new technology and cyber risk guideline is intended to be released for review in Q4 2021. Draft revisions to Guideline B-10 relating to third party risk will follow in Q1 2022. Operational risk and resilience will be addressed commencing in Q3 2021 followed by draft revisions to OSFI Guideline E-21: Operational Risk Management in 2022-23. Lastly, model risk (advanced analytics) will be reviewed commencing in Q1 2022 with revised guidance to follow in 2022-23. Although these dates are subject to change, the schedule reveals OSFI’s intentions for the overall structure of the framework to assess technology risk.
Cyber Insurance Underwriting Risks
On May 11, 2021, OSFI released a letter addressed to federally regulated property & casualty insurers regarding the underwriting of cyber risks (the “Letter”). In the Letter, OSFI defines cyber insurance underwriting risks as prudential risks emanating from underwriting insurance contracts that are exposed to cyber-related losses resulting from malicious and non-malicious acts involving both tangible and intangible assets. Such risks may be affirmative or non-affirmative: affirmative risks are those covered by insurance policies that explicitly include coverage for cyber risk, while non-affirmative risks are the unknown or unquantified exposures that originate from perils that could trigger a claim under property or liability insurance policies (including those without express cyber coverage) or policies with vaguely worded cyber exclusions. Non-affirmative risks are of growing concern in light of the global and Canadian cyber landscape. As the number of cyber incidents increases, insurers continue to have difficultly measuring the exposure of cyber risk when underwriting insurance.
OSFI is interested in understanding how insurers adequately assess and manage cyber risk, particularly in respect of non-affirmative cyber coverage. To that end, OSFI intends to issue a questionnaire in 2021-22 to determine how FRFIs identify, measure and manage cyber insurance underwriting risk. Based on the Letter, OSFI is considering whether additional supervisory actions need to be taken relating to the underwriting of cyber risk. OSFI also highlighted that FRFIs should consider any changes in their cyber risk exposure and revise any relevant risk management objectives and practices.
While the Discussion Paper is still in process, the current landscape (increased cyber security incidents, remote work environment) could prompt OSFI to require FRFIs to bolster their risk management practices in several areas, including cyber security. In addition, OSFI may determine that the existing incident reporting requirements are insufficient to address technology and related risks.
Insurers with direct or indirect cyber underwriting exposure could be subject to greater regulatory scrutiny and should be prepared to demonstrate how the management of cyber risk has been integrated into the insurer’s overall risk management system. As OSFI points out in its Letter, loss ratios in cyber insurance have increased significantly in Canada. As a result, there is a lack of capacity in the Canadian market and many organizations are likely underinsured. Any additional regulatory requirements imposed by OSFI on insurers underwriting cyber risks should be applied in a balanced way, taking into consideration the risks to insurers and their insureds as well as the potential impact that such requirements may have on a line of business that is already encountering challenges.
We encourage FRFIs to review and assess their systems and to seek legal advice where necessary to ensure that they are continuing to comply with evolving regulatory, privacy, security and record-keeping requirements.