Key challenges facing the financial services industry

• Cyber incidents is the sector’s most significant peril, according to over half of respondents – the highest ever total
• Business interruption and supply chain outages, and the increasing compliance burden and impact of regulation, complete the top three risks for the sector
• Regulators are increasingly focusing on business continuity, operational resilience and the management of third party risk following the number of major outages at banks and payment processing companies
• Companies are challenged by the growing raft of ESG regulation and guidance leading to tougher disclosure and reporting rules, particularly around sustainability

The  Allianz Risk Barometer annual survey highlights some of the most significant risk trends for the year ahead, as identified by banks, asset managers, private equity funds, insurers and other players in the financial services sector. Cyber incidents (51% of respondents), the closely interlinked peril of business interruption (BI) and supply chain disruption (30%), and the impact of changes in legislation and regulation (26%) rank as the top three sector risks for 2022, based on the opinions of almost 900 respondents (872) who participated in AGCS’s latest research, which was conducted at the end of 2021.

“Finance has not only become largely digital, but digitalization has also deepened interconnections and dependencies within the sector and with third-party infrastructure and service providers,” says Schiavone. “Recent high-profile cyber-attacks have shown a worrying trend for incidents where hackers target technology or software supply chains or digital single points of failure.” 

In December 2021, it was reported that hackers had launched well over a million attacks on companies globally around the world in just four days, through a previously unnoticed vulnerability in a widely-used piece of open-source software called Log4J [2]. This followed cyber criminals inserting ransomware into a software update issued by Kaseya [3], in itself an attack that had echoes of the SolarWinds [4] incident which targeted bank and regulatory agencies, demonstrating the potential vulnerabilities of the sector to outages via their reliance on third-party service providers. 

“It is unsurprising then that disruption to digital supply chains and cloud platforms ranks fourth in the cyber risks of concern in this year’s  Allianz Risk Barometer  (33% of respondents),” Schiavone adds. IT outages, service disruptions or cyber-attacks can result in significant BI costs and greater operating expenses from a variety of causes, such as customer redress, consultancy costs, loss of income and regulatory fines. Last, but not least, brand reputation and, ultimately, a company’s stock price can also be negatively impacted, while management can also be held responsible for the level of preparedness. Insurers already see a rising number of losses from outages or privacy breaches. 

“For companies, and their senior management, this ultimately requires them to maintain an active role in steering the ICT risk management framework, encompassing the assignment of clear roles and responsibilities for all ICT-related functions, a continuous engagement in the control of the monitoring of the ICT risk management, as well as an appropriate allocating of ICT investments and trainings,” says David Van den Berghe, Global Head of Financial Institutions, AGCS. 

Compliance and the impact of increasing regulatory activity is one of the biggest drivers of insurance claims for financial institutions, and this is reflected in the fact that changes in legislation and regulation ranks as the third top risk for the sector. 

The compliance burden for financial institutions has increased significantly over the past decade. Regulatory enforcement has intensified as banks and senior management are more readily held to account by lawmakers and prosecutors, as well as shareholders. At the same time, they are subject to a growing body of rules and regulations in a diverse range of areas, including sanctions, whistle-blowing and, of course, data protection and cyber security laws.  

The consequences of data breaches are far-reaching with more aggressive enforcement, higher fines and regulatory costs, and growing third party liability, followed by the prospect of litigation. Regulators are increasingly focusing on business continuity, operational resilience and the management of third party risk following the number of major outages at banks and payment processing companies. Companies need to operationalize their response to regulation and privacy rights and not just look at cyber security. 

Then there are a number of other environmental, social, and governance (ESG) issues and requirements to handle in addition. “Companies are challenged by the growing raft of regulation and guidance in many territories, leading to tougher disclosure and reporting rules, particularly around sustainability. The most recent of these is the EU taxonomy for sustainable activities regulation, which provides a common dictionary for sustainability criteria and thus aims to enable comparability of sustainability performance,” says Michael Bruch, Global Head of Risk Consulting Liability/ESG at AGCS. 

Ultimately, these changes will influence how, and in which sectors, companies and funds invest, as they consider whether a particular asset fits within the taxonomy or ESG strategy, how they will report about it and what stakeholders and shareholders will think. “The financial services sector may be ahead of other sectors when it comes to addressing ESG topics but regulations and guidance will still be a driver of risk going forwards,” says Bruch. 

At the same time, activist shareholders or stakeholders are increasingly focusing on ESG issues. Recent years have seen a surge in climate change-related litigation cases in particular. The cumulative number has more than doubled since 2015, according to a recent Oxford University/Climate Neutrality Forum report presented at the COP26 summit. Just over 800 [5] cases were filed between 1986 and 2014, while over 1,000 cases have been brought in the last six years and there are a growing number of cases involving financial institutions. 

 Such cases ultimately seek to influence emissions trends by increasing the cost of capital for high-emissions activities. Early examples of this type of litigation focused primarily on the disclosure of climate change-related risks and their relevance to investment decisions, often drawing on guidance produced by the Task Force for Climate-related Financial Disclosures (TCFD). However, recent cases appear to mark a move beyond being focused just on disclosure to focusing on due diligence. In November 2020, a case was settled involving a $57bn superannuation fund in Australia, Rest [6]. The claimant alleged Rest’s failure to disclose and address climate risk breached legislation. The fund committed to a raft of new disclosure and climate change-related initiatives in response. 

Besides climate change, broader social responsibilities are coming under scrutiny, with board remuneration and diversity being hot topics and regulatory issues. “AGCS regularly engages in open dialogues with the banking, insurance and asset management segments to discuss risk trends and challenges,” concludes Schiavone. “We are investing heavily in our network and expertise, in underwriting, claims and operations, so we can best respond to customers’ needs and contribute to a better management of risks in a complex environment that constantly evolves.”