Latest News

Chief risk officers say cybersecurity most pressing risk

Written on Apr 19, 2024

In an inaugural EY/Institute of International Finance (IIF) global insurance risk management survey, cybersecurity was ranked as the highest concern for chief risk officers (CROs). 

CROs surveyed said the top five risk types or risk management types for the coming year were: 

  • 53% – Cybersecurity risk 

  • 35% – Insurance risk (e.g., underwriting risk, including lapses, catastrophic [CAT] and longevity risk) 

  • 32% – Business model change/transformation 

  • 26% – Credit risk (including country, sovereign and concentration risk) 

  • 24% – Tied between capital allocation, interest rate risk and technology risk (e.g., risk of inadequate management or maintenance of technology systems, networks, assets and applications) 

Human capital risks (22%) also ranked high for the one-year outlook, reflecting a tightening labor market. Overall, 64% of participating CROs said attracting talent will become increasingly difficult in the long term. Third-party risk reflects scarce talent and the industry’s increased connectivity; more insurers seek to access specific capabilities and technologies via ecosystems and alternative sourcing models. 

Concerns shift when the view is extended to emerging risks over the next three years, according to survey data from 68 insurance carriers across 15 countries. While cybersecurity risk still tops the list (68%) for all CROs surveyed, the top five concerns are rounded out with more global issues, including geopolitical risk (56%), environmental risk (50%), machine learning and artificial intelligence (43%), and skills shortage/re-skilling of the existing workforce (41%). 

Political uncertainty in this U.S. election year heightens the risks; most survey respondents called out geopolitical risks as one of the most pressing over the next three years. CROs see geopolitical risks mainly in terms of macroeconomic impact (79%), increased cyber warfare (67%) and regulatory changes (64%). 

American survey respondents were twice as likely than their European counterparts to expect a focus on GenAI in the next five years. Roughly a quarter of firms have implemented core components of the necessary frameworks to address AI-related risks. Despite a reliance on growing ecosystems and alliances to drive efficiencies (43%) and acquire new customers (59%), almost half (46%) viewed managing third-party cyber risk as a threat to their operational resilience. 

While confident managing emerging financial and regulatory risk, less than a quarter (22%) of respondents said they were implementing AI, Gen AI and machine learning. Those adopting AI are doing so pragmatically with guardrails in place – with 50% establishing controls to help ensure the responsible use of AI and ML in decision-making. Respondents cited heightened risk in modeling, including risk of hallucination and explainability, (61%), data privacy (49%) and consumer fairness and algorithmic bias (37%). 

More than two-thirds (69%) of CROs surveyed are integrating ESG into their risk management framework, and 87% are incorporating ESG standards into investments. While many CROs feel confident in their organization’s ability to integrate ESG into their decision-making, only 3% of respondents have a complete understanding of their climate-change risk exposure, and just over a third (36%) stated that climate risk is being integrated into business strategy – although positive action is forthcoming. Over half (53%) cited ESG-related investments and rewarding positive ESG behavior (34%) as the leading products or features with the most growth potential. 

Still, 72% of CRO respondents are confident they have the capacity to manage change associated with increased risk, while 74% see budget as their most significant threat to accelerating critical digital transformation strategies. 

The events of 2023 increased the pace at which insurance carriers have sought to strengthen their front line with risk management practices, with 59% of respondents improving their liquidity management policies, procedures and practices and more than half (56%) updating their asset liability management (ALM) framework, in the last 12 months. 

Related Upcoming Events