APRA Insight - Issue 3 2016
Insights from APRA’s 2016 Cyber Security Survey
Background
Cyber attacks[1] are increasing in frequency, sophistication and impact, with perpetrators continuously refining their efforts to compromise systems, networks and information worldwide. The financial sector is one of the more prominent targets for such attacks, and recent incidents involving financial institutions in Bangladesh, Vietnam, South Africa, Japan and Ecuador demonstrate the absence of geographic constraints in cyberspace.
Financial institutions are investing considerable effort and expense to protect their IT assets[2]. However, in parallel, many APRA-regulated entities are also adopting strategies that will see more data stored and/or processed outside the perimeters of the regulated entity itself. In addition, entities are increasingly granting service providers access to their environments to perform business and technology processes.
Inherently, these trends expand the attack surface[3] for cyber adversaries to exploit, suggesting that the frequency and potential impact of cyber security[4] incidents will continue to increase.
As part of its activities to understand and assess industry preparedness for and resilience to cyber attacks, APRA undertook a survey between October 2015 and March 2016 to gather information on cyber security incidents and their management within APRA-regulated sectors.
The survey
Respondents to the survey included 37 regulated entities and four significant service providers, covering all APRA-regulated industries with the exception of private health insurance. The results of the survey, which are being released in more detail today in an Information Paper, will guide APRA’s supervisory activities in this area and inform updates to relevant prudential requirements and guidance. Regulated entities will also be able to compare the survey results with their own experiences and assess their level of cyber security preparedness.
The survey results (in conjunction with other supervisory information) confirm that all APRA-regulated entities, and not only the largest of these entities, need to operate on the assumption that cyber attacks will occur, and that such attacks will remain a constant challenge.
Furthermore, it would be prudent for these entities to operate on the assumption that cyber attacks will become both more frequent and more sophisticated over time.
While this article provides an overview of the main results from the survey, the Information Paper[5] released today contains more detailed survey results by industry and entity size.
Incidents
Surveyed entities experienced a range of cyber security incidents during the 12 months prior to the APRA survey that varied in nature, sophistication and impact. The cyber threats that had the potential to cause a material impact appear to have been well managed through a combination of effective monitoring and response activities, often supplemented by the use of external expertise.
Just over half of all survey respondents (20 regulated entities and one service provider) experienced at least one cyber security incident in the 12 months leading up to the survey that was sufficiently material to warrant executive management involvement.
The incidents reported highlight the evolving range of threats and the importance of diligence in maintaining defences commensurate with the threat landscape. Incidents reported by survey respondents included:
- potentially high impact incidents such as advanced persistent threats (APTs)[6], distributed denial of service (DDoS)[7] attacks and compromises of highly privileged access were experienced by 21 per cent of respondents within the survey period. These incidents reinforce the value of preparedness (detection and response controls) in the face of sophisticated attacks which cannot always be prevented;
- ransomware[8] attacks, which represent an increasing threat. The reported incidence of these attacks (14 per cent) reinforces the importance of frequent system and data back-ups as a last resort mitigation;
- potentially reputation damaging incidents such as website defacement and social media account misuse were experienced by approximately one in eight entities (12 per cent). Whilst these incidents have had a low impact and frequency to date, the potential reputational impact necessitates continued vigilance with respect to the management of public-facing channels and services; and
- other incidents with low impact such as compromise of client accounts, internet banking fraud, phishing[9] and malware[10] attacks were experienced by almost one in four respondents (24 per cent).
Opportunities for improvement
While the incidents experienced by respondents appear to have been managed effectively, areas for improvement were also identified. In particular, the survey results, and recent supervisory activities, were useful for identifying a set of practices that would benefit all regulated entities. These practices have been summarised in Figure 1 below and should be considered by all regulated entities in their strategic and tactical planning to improve cyber security risk management.
Figure 1: Practices for sound cyber security risk management
Practice area | Sound practice |
---|---|
Governance | Ensure boards and executive management are well informed regarding cyber security risks and their organisation’s preparedness to prevent, detect and respond. |
Preparedness | Regularly test response plans for common cyber security incident types, including verified recovery capability for plausible worst-case scenarios. |
Scope | Cover the extended enterprise, including service providers, joint ventures and offshore locations when scoping cyber security risk management activities. |
Strategy and funding | Maintain a rolling strategy to address the evolving forms of cyber security risk, supported by ongoing investment. |
Capabilities and resourcing | Maintain sufficient access to specialist cyber security resources (either internally and/or via establishing partnerships). |
Situational awareness | Establish threat intelligence and other information sources on the latest attack vectors and countermeasures which are used to inform security practices, including monitoring and subsequent response. |
Incident response | Adopt an ‘assumed breach’ mentality and invest in capability to detect and respond to cyber security incidents in a timely manner. |
Assurance | Maintain ongoing assurance over effectiveness of prevention, detection and response capabilities. |
Collaboration | Share threat and response information with Government, industry and customers to improve prevention, detection and response capabilities. |
Conclusion
As a result of the expanding sophistication, frequency and impact of cyber attacks, APRA regulated entities should expect to experience significant cyber security incidents and be prepared for an evolving range of threats.
Regulated entities therefore need to continue to enhance their prevention, detection and response capabilities, test their preparedness and work collaboratively with peers, researchers and government to improve their level of cyber resilience. There is no ‘finish line’ for cyber security risk management: it is a necessary discipline with no room for complacency, and will require on-going vigilance, improvement, investment and oversight.
[1] Cyber attack refers to the use of computer-based technology to compromise the confidentiality, integrity or availability of IT assets (i.e. software, hardware and data/information). This can be intended to achieve a range of possible objectives (e.g. financial gain; political/social change; intelligence gathering; or warfare).
[2] IT assets refer to software, hardware and data/information (both soft and hard copy).
[3] Attack surface is a measure of the number of points or avenues where an attacker can attempt to compromise security.
[4] Cyber security refers to measures aimed at protecting systems and data from cyber attacks.
[5] Information Paper 2015/16 Cyber Security Survey Results: https://www.apra.gov.au/information-papers-released-apra
[6] Advanced persistent threats (APTs) are a set of sophisticated, covert and continuous computer hacking processes coordinated by an individual, group and/or nation-state targeting a specific entity.
[7] A denial of service (DoS) attack is a technique whereby digital services are overwhelmed with fake requests, preventing legitimate access by customers/business partners. A distributed denial of service (DDoS) attack is one where the attack traffic originates from a large number of locations across the internet, making it more difficult to filter attack requests from legitimate requests.
[8] A ransomware attack occurs when malicious software is used to encrypt data for the purpose of a ransom demand.
[9] Phishing refers to impersonating a trusted entity in an electronic communication in order to obtain sensitive information such as usernames/passwords or credit card details.
[10] Malware (malicious software) refers to a family of software that can be used to disrupt or gain access to systems, gather sensitive information or execute functions without proper authorisation.
New financial sector statistics
As the central repository of statistical information on the Australian financial system, APRA collects and regularly publishes data from prudentially regulated and other financial institutions. Publication of industry-level statistics enhances understanding of the industries regulated by APRA, aids public discussion on policy issues, and supports well-informed decision-making by regulated institutions, policy-makers, market analysts and researchers. This article discusses some proposed enhancements to APRA’s statistical publications that are currently under consideration.
General insurance statistics
APRA’s data collections are periodically reviewed, and in June 2016 APRA released a discussion paper on proposed changes to its general insurance statistical publications. APRA intends to improve the relevance of the general insurance statistics, and address feedback received from stakeholder surveys and other formal and informal consultations. In particular, APRA proposed to:
- publish more industry-level statistics each quarter;
- modernise the segmentation of industry-level statistics;
- publish more institution-level statistics each quarter and annually; and
- publish new industry-level claims development statistics by class of business.
This package of changes includes proposals to publish each quarter new investment statistics, more detailed capital adequacy data, and new underwriting performance statistics. All the proposed changes to APRA’s general insurance statistical publications are based on data already reported to APRA by general insurers; as a result, the new publications can be implemented without increasing the reporting burden on insurers.
As part of its consultation process, APRA also released a selected feature, Claims development in CTP motor vehicle insurance, to highlight emerging trends in compulsory third party (CTP) insurance and demonstrate how some of the proposed new statistics can be used. These statistics showed, for example, that the estimated total cost of claims in CTP insurance has increased over the past five accident years and exceeded increases in premium revenue. This trend is shown in Figure 1 below.
Figure 1: Claims development as at 2015 financial year end
IBNR - Incurred but not reported
IBNER - Incurred but not enough reported
These statistics also highlighted that, over the past decade, actual claims costs have been lower than initial estimates, allowing provisions to be released from insurers’ CTP reserves. However, outcomes such as a recent increase in CTP claims frequency observed by insurers in New South Wales have the potential to result in further deterioration in observed claims experience. In the past five years, CTP reserve releases from prior accident years have been a significant component of industry profit.
Also as part of its consultation process, APRA has foreshadowed the release of a new online data dissemination tool that will allow statistics to be released in a more reliable and accessible manner than is currently possible. The online tool will help users to better explore and understand the data and provide enhanced access, manipulation and analysis of the data. Many other official statistics agencies around the world are now using similar dissemination systems.
Following consideration of issues raised during the consultation process, APRA expects to issue a response paper, and the first editions of the new statistics, in the first half of 2017. For further information about the proposals, and the CTP statistics, go to: https://www.apra.gov.au/publications.
Superannuation pension statistics
APRA is also proposing to publish new annual statistics on pension accounts, benefits and benefit payments in the Annual Superannuation Bulletin. To demonstrate how these new statistics may look, APRA released in August 2016 a selected feature entitled Pension membership profile that supplements the data published in the June 2015 edition of the Annual Superannuation Bulletin. APRA welcomes feedback on the usefulness of publishing these statistics on a regular basis.
This feature provides users with new pension statistics about account-based pensions, allocated pensions, annuities, other pension benefits and transition to retirement pensions. Figure 2 below from the feature shows that, as at 30 June 2015, the most common type of pension account was the account-based pension, with approximately 538,000 member accounts, followed by allocated pensions with some 358,000 accounts. Similarly, account-based pensions held most members’ benefits ($142.0 billion), followed by allocated pensions ($74.5 billion). In the period, $8.5 billion in pension benefit payments were made from account-based pensions, followed by allocated pensions ($4.6 billion), transition to retirement pensions ($1.9 billion), other pensions ($635 million) and annuities ($359 million).
Figure 2: Pension accounts, members' benefits and payments (as at 30 June 2015)
The pension membership feature is available on APRA’s website at: https://www.apra.gov.au/publications/annual-superannuation-bulletin
Pricing of commercial property insurance
The commercial property insurance sector has been under intense competitive pressure for a number of years. Concerned that pricing and underwriting standards could deteriorate as a result, and in turn erode insurers’ capital, APRA has heightened its supervisory focus on pricing for commercial property insurance.
Data collected by APRA shows the pressures in relation to commercial property insurance. In Figure 1 below, statistics for fire and industrial special risks (ISR) business, published in the General Insurance Performance Statistics for the year to end-March 2016, show both gross and net loss ratios increasing at the same time as average premium continues to decrease.
Figure 1: Fire and ISR average premium and loss ratio
Source: APRA General Insurance Performance Statistics March 2016
*Gross Loss Ratio net of non-reinsurance recoveries
** Average Premium on a written basis
With this environment in mind, in September 2015 APRA commenced a thematic review that examined the oversight and control of pricing decisions for commercial property insurance. Selected commercial property insurers and reinsurers were surveyed in relation to performance and reporting, strategy, governance (and its effectiveness), and product and pricing changes.
Performance and reporting
As part of APRA’s review, each insurer was asked to provide and comment on the nature of reporting to its senior management, and to its board, on the performance of the commercial property portfolio.
APRA found the quality of performance reporting in commercial property insurance varied greatly. The better quality reporting comprised a combination of commentary on performance, data and graphs for actual experience against targets and against prior years. Reporting of key performance indicators on profitability, price adequacy and pricing risk appetite for each of the commercial property segments allowed insurers to have a good understanding of the portfolio’s underlying performance; it also benefited the insurer by showing where cross-subsidisation was occurring.
On the whole, insurers are continuing to make profits in commercial insurance - with the exception of 2015 when there were a number of natural peril events - albeit at much lower levels than in previous periods. Several respondents described the commercial property business as being under stress. Many insurers are having difficulty in meeting targeted returns and are seeing average annual rate reductions of up to 15 per cent; some portion of profits appeared to be coming from cross-subsidisation from other commercial lines, along with overall efficiency gains.
As a result of these findings, APRA has highlighted the following better practices in performance and reporting on pricing for commercial property insurance:
- the board sets an appetite for pricing risk that is linked to the overall risk appetite of the insurer;
- the board receives regular reporting on pricing risk and the pricing risk appetite;
- the insurer understands where cross-subsidisation is occurring within its portfolios;
- there is regular reporting on price / rate strength; and
- there is regular reporting that provides a clear overview of actual experience for the commercial property sectors and identifies where under-performance is occurring.
Strategy
Insurers were asked to describe key strategies for their commercial property portfolios for the next three years. APRA requested comment on growth plans, financial targets, key markets, market positioning and analysis undertaken.
In developing their strategy, the majority of, if not all, insurers recognised and took into account the impact of the soft market on their business. Most described a focus on retaining profitable risks and removing poorly performing risks from their portfolios.
Whilst many insurers have a strategy for growth, greater importance appears to be placed on profitability over growth. This is because it is expected that premium rates will remain under pressure, and the competitive environment and excess capacity will continue in the foreseeable future.
As a result of these findings, APRA has highlighted the following better practices in strategy on pricing for commercial property insurance:
- market analysis by business segment is conducted in order to formulate the strategy, including the objectives, goals and actions;
- the strategy for commercial property business is clearly articulated;
- underwriters have a clear understanding of the strategy for commercial property; and
- the strategic plan includes financial projections and actual performance is monitored against those financial projections.
Governance
APRA asked insurers to describe the key features and effectiveness of their governance framework in respect of commercial property pricing. In particular, insurers were asked to explain how they satisfy themselves that the pricing governance processes are effective and operating as expected, and how they ensure that they remain within risk appetite, particularly in a highly competitive market.
Governance frameworks across the selected insurers varied widely based on their survey responses. Mostly, responses showed there was strong governance including appropriate oversight by the board and/or management and the existence of risk committees and technical pricing standards.
However, not all insurers were able to demonstrate that pricing was linked to the risk appetite statement. Similarly, pricing tolerance was not always clearly articulated in the pricing policy. Not all insurers have a product and pricing committee, and this could lead to poor pricing decisions if pricing risk is not monitored or controlled properly.
About 60 per cent of respondents stated that the pricing process is reviewed annually. The majority of surveyed insurers undertake reporting on rate movement, quarterly portfolio reviews, and comparisons of actual against technical and profitability studies.
Just over half of the entities reported actuarial involvement in the pricing process at a portfolio level. The input of actuarial teams in most cases is provided in the ‘rating’ model and reviewed on an annual basis against the historical claims experience. On occasion, an actuary is used to assist in the pricing of large corporate accounts.
As a result of these findings, APRA has highlighted the following better practices in governance on pricing for commercial property insurance:
- a pricing governance framework that links to insurers’ risk appetite and is reviewed annually;
- the establishment of product and pricing committees that meet regularly (subject to size and complexity of insurer);
- the development of a product and pricing policy that clearly articulates an insurer’s strategy for managing pricing risk;
- technical pricing tools that align with considerations detailed in the commercial property business plan;
- technical pricing reviews undertaken at least annually;
- formal breach policies are implemented and reported on; and
- price discounts in excess of a pre-determined percentage (in line with risk appetite) are reported to senior management.
Product and pricing changes
Finally, insurers were asked to provide details of pricing and product changes over the last two years, specifically in relation to overall price movement, material price changes for individual risks, changes to terms and conditions and changes to reinsurance arrangements.
Most insurers have experienced declining average rates in recent years. The reduction is more severe in the global and large corporate segments than the mid-market segment.
Small to medium enterprise (SME) rates have been maintained in the last couple of years but are under pressure now.
The monitoring of rate changes by insurers was evident, but the method varies. Large and diversified insurers monitor the actual price against technical price, but smaller insurers tend to only monitor the variance of renewal premium.
In addition to price reductions, there was evidence that terms and conditions have also softened. It was not clear what price monitoring was in place for such changes; some insurers were not necessarily charging for changes in terms and conditions, such as increased coverage or reduced deductibles. No significant changes to reinsurance placements were reported.
As a result of these findings, APRA has highlighted the following better practices in product and pricing changes for commercial property insurance:
- proper consideration of changes in terms and conditions in the pricing decision; and
- actual rates are monitored against technical rates.
Conclusion
APRA’s thematic review found that the oversight and control of pricing decisions for commercial property insurance have largely been operating effectively during this period of heightened competition. Nonetheless, the review identified that insurers have varying frameworks in place and identified a number of better practices which insurers should consider to strengthen their pricing frameworks.
APRA's Corporate Plan 2016-2020
The Australian Prudential Regulation Authority’s Corporate Plan 2016-2020 provides information on APRA’s strategy over the next four years. The publication of the Plan is an important component of the agency’s commitment to transparency and accountability.
The Corporate Plan sets out APRA’s core functions and capabilities, and four strategic initiatives designed to improve these: sharpening risk-based management, building recovery and resolution capabilities, honing governance and workplace effectiveness, and enhancing APRA’s leadership and culture. A summary of the Plan is depicted in Figure 1 below.
APRA’s strategy has been determined in the context of an Australian financial system that remains in a sound position, but is operating in an environment of significant global uncertainty. Acknowledging this, the four strategic initiatives set out within the Corporate Plan recognise the need for on-going strengthening of APRA’s core functions and capabilities to ensure the agency can respond to future risks and challenges as they emerge.
Figure 1
How APRA achieves its purpose
The Corporate Plan outlines APRA’s mission: to protect the financial safety of the banking, insurance and superannuation industries and, in doing so, promote financial system stability, for the benefit of the Australian community.
In performing this role, APRA is responsible for protecting depositors, insurance policyholders and superannuation fund members - referred to collectively as APRA’s beneficiaries - from the failure of these institutions. APRA does not pursue a ‘safety at all costs’ strategy, however, and is required to balance safety and stability with consideration of efficiency, competition, contestability and competitive neutrality within the financial system.
APRA’s core functions, listed in the table below, reflect its role as a prudential supervisor and resolution authority.
Function | Fulfils APRA's mission by |
---|---|
Supervision | Protecting beneficiary interests and promoting financial stability by identifying and responding to significant risks in a timely and effective manner. |
Policy | Protecting beneficiary interests by maintaining a robust prudential framework that minimises the risk of loss to beneficiaries and promotes financial stability. |
Resolution | Protecting beneficiary interests by minimising disruption to the financial system and losses in the event of a failure or crisis. |
APRA also has a number of ancillary functions — it acts as a national statistical agency for the Australian financial sector, plays a role in preserving the integrity of Australia’s retirement incomes policy, and administers the Financial Claims Schemes.
APRA’s core capabilities, listed below, encompass the operational management of the organisation and its supporting infrastructure that enable APRA to effectively carry out its core functions.
Capability | Supports APRA's function by |
---|---|
People and Culture | Having highly skilled and engaged people supported by strong leaders within a values-aligned culture. |
Organisational effectiveness | Having robust and efficient specialist and business support and transparent and accountable practices. |
Infrastructure | Having secure and reliable premises, information, technology and systems that support APRA’s core operations. |
Underpinning these core functions and capabilities are APRA’s organisational values of integrity, collaboration, professionalism, foresight and accountability. These values, evident in day-to-day work practices, underpin APRA’s commitment to the Australian community to promote financial system stability and financial safety.
APRA’s mission, core functions and capabilities, and organisational values are largely stable over time. APRA’s strategic initiatives, however, are influenced by the operating environment that could potentially prevail over the foreseeable future.
Current operating environment
In developing its Corporate Plan, APRA assesses the current and likely future operating conditions to identify risks and opportunities that may be relevant to the successful delivery of APRA’s mission. This assessment includes a range of factors, such as the outlook for the Australian financial system and the global economy, trends in technology, community expectations, and APRA’s ability to maintain the quality of its workforce and build new capabilities.
The Corporate Plan is founded on an environment in which the outlook for global growth remains subject to significant uncertainty. Global events, and rising geopolitical tensions, have led to recurring bouts of volatility in equity, bond and foreign exchange markets in recent years. In Australia, economic growth is expected to be a little below trend over the coming year. Although the general picture is one of a broadly healthy Australian financial system, there remain some areas of vulnerability. These include risks in the residential and commercial property markets, the funding profile of the banking system, poor experience in some segments of the insurance market, and the need to further strengthen governance and transparency in the superannuation industry.
APRA’s strategic priorities
The strategic initiatives outlined in APRA’s Corporate Plan are designed to strengthen APRA’s core functions and capabilities against the backdrop of the operating environment outlined above. These are:
- Sharpening risk-based management – to improve support for risk judgments, priority setting and resource management through new tools and more structured risk intelligence and benchmarks. This includes strengthening analytical capabilities, and improving risk and performance assessment and reporting capabilities.
- Building recovery and resolution capability – to build a clear and effective failure management framework, underpinned by improved internal and external readiness. This comprises a program of work to develop a materially stronger framework for managing failure, improve APRA’s internal readiness to resolve failures and near-failures, improve recovery planning and develop resolution planning.
- Honing governance and workplace effectiveness – to foster aligned, simplified and agile governance structures and workplaces. This strategic initiative comprises a program of work to simplify and align APRA’s governance arrangements, refresh and reinvigorate APRA’s workplaces and practices, and modernise APRA’s data and analytical capabilities.
- Enhancing leadership, culture and opportunities for our people – enhancements that support leaders in sustaining a progressive, high performing and inclusive culture. APRA operates in a highly competitive market with the private sector to attract and retain staff, and enhancing leadership and the culture within APRA is a strategic priority.
Measuring APRA’s performance
Supplementing the Corporate Plan will be improved reporting on APRA’s performance. At the end of each financial year, an Annual Performance Statement will be included in APRA’s Annual Report, providing an assessment of the extent to which the goals and objectives in the Corporate Plan have been met. The Annual Report also includes detailed information on APRA’s activities and draws on a range of indicators and qualitative information relevant to each of APRA’s core functions and capabilities.
In assessing APRA’s performance as an effective prudential supervisor, APRA is developing a range of performance indicators. At its core, however, is the extent to which the Australian community is exposed to loss through the failure of an APRA-regulated institution. APRA’s two key performance indicators in this regard are the Performing Entity Ratio (PER), which is an indicator of the incidence of failure amongst APRA-regulated institutions, and the Money Protection Ratio (MPR) which is an indicator of the incidence of loss in the financial sector. For both indicators, the higher the percentage the lower the incidence of failure or loss.
Since APRA’s formation in 1998, the annual PER has averaged 99.92 per cent, and the annual MPR has averaged 99.96 per cent.
The Corporate Plan is a core component of APRA’s transparency and accountability. The Plan is an integral part of APRA’s performance framework and establishes its plans to continue to build and strengthen its core functions and capabilities through its strategic initiatives, thereby positioning APRA to effectively respond to changes in its operating environment.