Insurers Admit to Limited Governance of Data Ethics
Insurers in Ireland are regulated by the Central Bank of Ireland (CBoI) and, as part of its ‘Future Focussed’ strategy, CBoI has published a survey on ‘Data Ethics within Insurance’.
In many ways, the opportunities and risks they identify in relation to the sector's digitalisation, along with the priorities of insurers, are pretty much as I would expect.
What stood out for me however was the section on ‘governance risks’. Their findings were pretty damning. Here’s how CBoI set it out...
some firms had established data governance committees, which were generally focussed on data quality, data protection, information security and use of external data.
a limited number of firms had an explicit focus on ethical considerations.
most firms did not have explicit definitions of data ethics or specific policies in relation to data ethics.
many firms looked to GDPR and information security in response to questions related to data ethics considerations.
in relation to models, most firms did not have an enterprise wide model inventory or enterprise-wide model risk procedures in place.
Expectations on Governance
The CBoI report is a masterpiece of diplomatic writing. The narrative tone is so measured, so rounded that insurers are in danger of being lulled into a false sense of security. That is what makes the section ‘observations on governance risks’ stand out...
“...the Central Bank... stresses the need for firms to explicitly consider ethics. It is important for firms to note the Central Bank’s expectation in this respect would extend far beyond compliance with existing requirements and controls e.g. GDPR.” (my underlining)
Put the findings alongside that observation and the conclusion insurers should draw is that they are running a significant governance risk around data and ethics. The regulator has explicitly set its expectation of governance standards at a level “far beyond” compliance.
Is ‘far beyond’ a proportionate statement? I think it is, for the survey findings point very strongly to data ethics being equated with data protection and little more. Insurers have been thinking that working within the GDPR satisfies expectations around data ethics, which is far from the case.
And for most firms, by their own admission, not to have an enterprise-wide model inventory or model risk procedures is extraordinary. That points to all sorts of problems ahead with model oversight and development. It’s a bit like being in charge of a big ship and not caring how it moves forward.
Some Clear Steps
There are some clear steps that insurers in Ireland need to take quickly.
First and foremost, they need to dramatically increase knowledge around data ethics at board and senior management level. An earlier survey by CBoI pointed to this being too low.
Then insurers need to widen their perspective on what they mean by data ethics and align it firmly with their corporate strategy. Leaders then need to be clear about their firm’s commitment to data ethics and what this means for its strategy.
And they need to do a proper risk management job around data, ethics and their associated management systems, and then plug what comes out of that into their wider systems (not just compliance ones). The danger to avoid here though is that insurers do a big push on data ethics but then leave it to wither on the vine.
Similarities and Differences
Is this a situation peculiar to just Irish insurers? I think not. A similar survey of UK insurers would I believe reveal a pretty similar situation. This makes these two CBoI surveys worth reading over here.
Where the real difference lies of course is with Ireland having a regulator willing to spend time and money on data ethics, and the UK having a regulator that started out talking boldly but now does nothing.