Banks buying insurance for cover against cyber attacks, rogue staffPosted On: Aug. 30, 2017 11:07 AM CST
(Reuters) — Banks are increasingly turning to insurance to protect their capital from "operational risks" like cyber attacks and rogue traders, and insurers say they can help safeguard lenders by providing an extra layer of expertise.
After a spate of expensive court cases and IT outages, banks including Credit Suisse, Deutsche Bank and Lloyds are looking for ways to mitigate the costs of such episodes by taking out insurance.
Most such insurance contracts are arranged privately and the details never publicized. But the practice gained new attention last year, when Credit Suisse sold a 220 million Swiss franc ($230.2 million) bond tied to its operational risk.
Buyers were given generous coupons of more than 4%, but could lose their investment if the bank is hit with charges from employee malfeasance, cyber attack or other issues.
The bond was linked to coverage provided by Zurich Insurance Group A.G., which said it was seeing growing interest in operational risk policies, due to the rising frequency and severity of such risks.
Banks were "interested in de-risking their balance sheets by transferring a portion of their operational losses and so mitigating the impact on equity capital," a Zurich spokesman said by email.
As with all insurance, there can be a risk of "moral hazard," with banks that offload some of their risk becoming laxer about their own controls, said Domenico del Re, director at consultants PricewaterhouseCoopers L.L.P. Smaller financial firms in particular might prefer to buy insurance than spend much greater sums on risk management, he added.
But he said insurers can also help cut those risks by scrutinizing firm's controls closely.
"Insurers are getting more and more sophisticated as risk management partners," he said. "If you think of the parallel with fire risk, by helping companies getting advice on where sprinklers should be located, the same is happening with cyber: where insurers are linking up with IT and cyber specialists."
Insurers are employing risk specialists with experience at major banks to help assess the practices of the financial institutions they cover, said Angelos Deftereos, senior underwriter for operational risk at XL Group Ltd., which does business as XL Catlin.
He cited his own background as an example: "Before joining XL Catlin, I was responsible for implementing the operational risk framework at the asset management division of Morgan Stanley. So I have an insight into these risks as well as how they are managed/controlled.”
'Back to fundamentals'
The Basel Committee on Banking Supervision defines operational risk as "the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events".
It can include cyber attacks, general IT outages, rogue traders and financial fraud, and is one of the risk areas against which banks need to set aside regulatory capital, along with market and credit risk.
Regulators permit the largest banks to use insurance to reduce their capital buffers for operational risk by up to 20%, although this might change: The Basel Committee that sets global rules has yet to release the results of a consultation on the issue last year.
Banks first started to look at operational risk insurance before the financial crisis struck a decade ago. Their interest has renewed in the past year, insurers say.
"The crisis is over, banks are getting back to fundamentals and now it's back in focus," said Mark Fellows, financial institutions manager at American International Group Inc.
Major cyber attacks "WannaCry" and "NotPetya" earlier this year have driven more interest. There has been rising demand for operational risk insurance from banks in Britain, continental Europe, Australia and other parts of the developed world, brokers and insurers say.
Banks can buy insurance against different aspects of operational risk, such as property, cyber or professional indemnity, but an umbrella policy fits more closely with their needs, they add.
Paul Search, financial institutions practice leader at Willis Towers Watson P.L.C., said the insurance "can cover the whole spectrum of operational losses incurred by a bank," in contrast to traditional insurance, "which remains siloed, risk type by risk type".
Siobhan O'Brien, managing director, financial and professional practice at broker Marsh UK, said banks could typically buy operational risk insurance to cover three different aspects of operational risk for a total cover of up to $1 billion, from a range of insurers.
Deutsche and Lloyds are among major banks that have said in company statements that they use operational risk insurance. Both declined to comment.
Policies still usually require that the bank itself bears a big chunk of any losses, to ensure they do not loosen their controls.
"That's the tool the insurance industry uses to protect itself from the moral hazard," said Daniel Butler, managing director, operational risk solutions at broker Aon Benfield.
There are additional risks for the insurers themselves. For example, offering insurance to banks classed by regulators as having global systemic importance — such as Barclays, Credit Suisse or JP Morgan — could potentially leave insurers themselves facing a similar burden.
"If you provide operational risk insurance to an institution of systemic importance, you become systemically important yourself," said one senior insurer in the Lloyd's of London market, whose firm did not provide operational risk insurance. Because of this, only the largest insurers tended to offer such insurance, he added.
A second Lloyd's market source said many insurers were reluctant to offer cover against operational risk because of the huge bills firms can run up as a result of rogue trading.
Societe Generale rogue trader Jerome Kerviel triggered €4.9 billion ($5.78 billion) in losses in 2008. Kweku Adoboli caused £1.4 billion ($1.80 billion) in losses at his employer UBS in 2011.
Those who have offered operational risk insurance have found the insurance profitable, however, as there have been few claims, insurance specialists say.
Providers of operational risk insurance include U.S. firms AIG and XL Catlin and Switzerland's Zurich Insurance.
Operational risk insurance can also be of use to other financial firms, such as asset managers, to cover risks such as dealer error or being accused by investors of violating their mandates, said XL Catlin's Mr. Deftereos.
Policies can take months or even years to develop because they are custom tailored to meet the institution's needs and may also need to be signed off by regulators, brokers say.
“There is no single price for operational risk insurance as there are too many variables to consider and each financial institution is different," Mr. Deftereos said.