The International Association of Insurance Supervisors (IAIS) has issued a paper outlining third-party IT service outsourcing as one of three significant risks to operational resilience in the insurance sector.
“While the concept of operational resilience is not new to insurers, there is an increasing recognition of the importance of adapting supervisory regimes to account for the growing resilience of insurers on digital systems, new technologies, and third party providers,” said John Dixon, IAIS secretary general.
With members in 200 different jurisdictions, the IAIS was set up in 1994 to help create a consistent global regulatory framework for the insurance industry.
Discussing third-party risks, the IAIS paper points out that while existing frameworks already include requirements to manage risk associated with outsourcing business functions, they do not properly consider the concentration risks associated with critical IT services. It also remarks on how such risks can occur at different levels, either at an individual institution, or across larger groups, with multiple entities dependent on the same few service providers.
As an example, the paper says the use of cloud-based services “may present concentration risks at the individual entity, sector and global level,” because a disruption at a single provider could result in broad disruption across the industry.
The benefits offered by third-party services, such as scalability and improved resilience, must be weighed against the risks presented not just to users but to the stability of the wider market, the paper says.
The increased use of non-regulated third parties and the emergence of subcontracting to ‘fourth parties’ as software supply chains grow in complexity are also noted as areas that require increased regulatory interest.
Because there is the potential for systemic risk among multinational service providers, the IAIS recommends a coordinated approach between the insurers, third-party providers, and supervisors from multiple countries.
The paper, which is open to feedback until January 6th, 2023, also discusses cyber resilience and business continuity management as areas of interest for operational resilience.