Banks are increasingly turning to insurance to protect their capital from “operational risks” like cyber attacks and rogue traders, and insurers say they can help safeguard lenders by providing an extra layer of expertise.
After a spate of expensive court cases and IT outages, banks including Credit Suisse, Deutsche Bank and Lloyds are looking for ways to mitigate the costs of such episodes by taking out insurance.
Most such insurance contracts are arranged privately and the details never publicized. But the practice gained new attention last year, when Credit Suisse sold a 220 million Swiss franc bond tied to its operational risk.
Buyers were given generous coupons of more than 4 percent, but could lose their investment if the bank is hit with charges from employee malfeasance, cyber attack or other issues.
The bond was linked to coverage provided by Zurich Insurance, which said it was seeing growing interest in operational risk policies, due to the rising frequency and severity of such risks.
Banks were “interested in de-risking their balance sheets by transferring a portion of their operational losses and so mitigating the impact on equity capital,” a Zurich spokesman said by email.
As with all insurance, there can be a risk of “moral hazard”, with banks that offload some of their risk becoming laxer about their own controls, said Domenico del Re, director at consultants PwC. Smaller financial firms in particular might prefer to buy insurance rather than spend much greater sums on risk management, he added.
But he said insurers can also help cut those risks by scrutinizing firms' controls closely.
“Insurers are getting more and more sophisticated as risk management partners,” he said. “If you think of the parallel with fire risk, by helping companies get advice on where sprinklers should be located, the same is happening with cyber: where insurers are linking up with IT and cyber specialists.”
Insurers are employing risk specialists with experience at major banks to help assess the practices of the financial institutions they cover, said Angelos Deftereos, senior underwriter for operational risk at XL Catlin.
He cited his own background as an example: “Before joining XL Catlin, I was responsible for implementing the operational risk framework at the asset management division of Morgan Stanley. So I have an insight into these risks as well as how they are managed/controlled.”
The Basel Committee on Banking Supervision defines operational risk as “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events”.
It can include cyber attacks, general IT outages, rogue traders and financial fraud, and is one of the risk areas against which banks need to set aside regulatory capital, along with market and credit risk.
Regulators permit the largest banks to use insurance to reduce their capital buffers for operational risk by up to 20 percent, although this might change: the Basel Committee that sets global rules has yet to release the results of a consultation on the issue last year.
Banks first started to look at operational risk insurance before the financial crisis struck a decade ago. Their interest has renewed in the past year, insurers say.
“The crisis is over, banks are getting back to fundamentals and now it's back in focus,” said Mark Fellows, financial institutions manager at US insurer AIG.
Major cyber attacks “WannaCry” and “NotPetya” earlier this year have driven more interest. There has been rising demand for operational risk insurance from banks in Britain, continental Europe, Australia and other parts of the developed world, brokers and insurers say.
Banks can buy insurance against different aspects of operational risk, such as property, cyber or professional indemnity, but an umbrella policy fits more closely with their needs, they add.
Paul Search, financial institutions practice leader at Willis Towers Watson, said the insurance “can cover the whole spectrum of operational losses incurred by a bank,” in contrast to traditional insurance, “which remains siloed, risk type by risk type”.
Siobhan O'Brien, managing director, financial and professional practice at broker Marsh UK, said banks could typically buy operational risk insurance to cover three different aspects of operational risk for a total cover of up to $1 billion, from a range of insurers.
Deutsche and Lloyds are among major banks that have said in company statements that they use operational risk insurance. Both declined to comment.