The Australian Prudential Regulation Authority (APRA) has published the findings of its review into the strength of the general insurance industry’s risk management frameworks, in response to business interruption (BI) insurance coverage issues that arose from lockdowns and other COVID-19 restrictions.

APRA required 10 insurers to conduct a self-assessment against the robustness of their risk frameworks in the context of BI and extend this assessment to other product lines that could also be vulnerable, including cyber risk. In all cases, the insurers found weaknesses that required remediation and have implemented work programs to address them.

APRA’s findings include examples of better practice observed by APRA from a range of insurers.

While the individual insurer self-assessments are not being published, APRA has consolidated and published the key insights. APRA expects all insurers to consider their own operations and practices in light of these findings.

Key insights

• Most insurers assessed the main reason for the BI issues was their failure to update policy wordings for the change in legislation. APRA says the focus on policy wording should be broader than legislative updates and should also be extended to all classes of business.
• Some insurers also acknowledged that, while they became aware of the problem once COVID-19 impacted Australia, the issue of business interruption insurance coverage was given lower priority than other matters. APRA says the risk of writing unintended pandemic cover should have raised concern across all three lines of defence, had visibility at Board level, and led to appropriate risk mitigation in response.
• It was observed by APRA that the most common exposure in the Australian market to unintended BI losses was in policies written in the small-to-medium enterprise (SME) segment. APRA says given the lack of comparable action for larger clients, insurers should consider what the drivers were for such different outcomes for policies written for SME compared to larger clients, such as business type/size or distribution channel and subsequent controls around bespoke wordings.
• APRA recommends insurers challenge their concern with “first-mover” disadvantages to ensure that risks underwritten are appropriately aligned with their risk appetite.
• Some insurers reported a mismatch between their policy wordings and the reinsurance contracts covering the risk. All these insurers acknowledged this was a breakdown in insurance risk management.
• Many insurers acknowledged that the multiplicity and complexity of similar policy wordings contributed to their risk management weaknesses and that consolidation, simplification and improved controls over wordings were the key remediation actions. The additional risks inherent in utilising third party underwriting arrangements were identified as an area for insurers to strengthen their controls.
• In their responses to the assessment of their risk management of silent and affirmative cyber insurance, APRA says some insurers still had work to do, particularly in the silent cyber area, to ensure they fully understood their potential aggregate exposures. “Silent” cyber refers to potential cyber exposures contained within traditional property and liability insurance policies which may not implicitly include or exclude cyber risk.
• The integration of insurance risk management into their broader risk management framework was acknowledged by some insurers to be underdeveloped. The conclusion by these insurers was that insurance risk management in fact required distinct oversight by all three lines of defence as was the case for other risk categories within their overall risk management framework.
• For all participants, APRA says the results showed the importance of monitoring and testing the effectiveness of insurance risk controls with appropriate frequency and intensity, to cater for changes to the internal or external environment, including emerging and evolving risks.

If you found this article helpful, then subscribe to our news emails to keep up to date and look at our video courses for in-depth training. Use the search box at the top right of this page or the categories list on the right hand side of this page to check for other articles on the same or related matters.