Lloyd’s Plans for Post-Brexit Subsidiary

Just one day after the U.K. set in motion its process for withdrawal from the European Union by triggering Article 50, Lloyd’s announced it was establishing a subsidiary in Brussels, intending to be able to write EU business for the Jan. 1, 2019, renewal season.

The new company will write risks from all 27 European Union countries and three European Economic Area states once Brexit is completed. Because Britain remains a full member of the EU for at least two more years, there will be no immediate impact on existing policies, renewals or new policies, including multi-year policies written during this period of time, the insurer said. The Brussels subsidiary will have its own board of directors and, unlike some banks that have said they will move hundreds of employees to the EU, it will only employ dozens of staff in areas such as information technology and compliance.

Hank Watkins, president of Lloyd’s North America, spoke to Risk Management about the company’s plans and why it chose Belgium as its new location.

RM: How did the process of finding a new EU base begin?

Watkins: Within a week or two of [the Brexit vote] last June, Lloyd’s was on its way, looking across Europe for a new domicile, if you will, for our European business. We are not moving out of London—what we have done is set up an insurance company in Brussels, purely to allow us to passport around the European Union. Because we are not necessarily confident that the U.K. will be able to negotiate passporting rights with the other countries, we are assuming they are not. If they are ultimately successful, then we will just close up and go back home, but that probably will not be the case.

RM: How will the subsidiary work?

Watkins: If you are a policyholder with Lloyd’s, where you previously would have received a policy with all of the syndicates subscribed to it, and that would have been stamped by each of those syndicates, you will also receive an identical policy for the European exposures. It will have the Lloyd’s insurance company name on it and the syndicate stamp of that insurance company and the Lloyd’s syndicates. It is just a little more paperwork for us. The policy is the same—it does not change coverage and it does not change pricing. It is more of an administrative effort to align with what the regulator expects. And our ratings are not affected; we are still S&P-, AM Best- and Fitch-rated A or better, and the central fund is still very strong.

RM: Why Belgium?

Watkins: We found a regulator there who is allowing us basically to cede 100% of the premium and the risk back to the syndicate in London. Every other country has some variation of wanting to maintain part of the risk in their country but that does not work for us. So Belgium is a very strong regulator centered in the heart of Europe and a great talent pool as we build out the platform—which won’t be that large, by the way, because we are not necessarily moving people there.

RM: How will insureds be impacted?

Watkins: Companies with no risks in the European Union will see no impact, and it will be seamless for international companies with risks in the EU. Also, it is probably not as well known, but because we are not just large, commercial risks, we do insure a lot of homeowners on the coastlines and a number of private yachts and aircraft, so this is a way to seamlessly include coverage for them in Europe as well.

More Insurers Opting to Form EU Subsidiaries

A growing list of insurers is choosing to form subsidiaries in the European Union to ensure continuous coverage for their European clients following the United Kingdom’s June 2016 vote to withdraw from the EU. They wish to protect themselves in case Brexit impacts their ability to sell insurance policies and products across the EU from bases in Britain.

FM Global recently announced it is opening an office in Luxembourg, noting that the license allows it to “continue to deliver seamless insurance coverage to its policyholders” throughout the European Economic Area (EEA), where it has operated for more than 50 years.

“We chose Luxembourg as our EEA hub because it’s a multinational business-friendly financial center with regulatory expertise that enables us to remain true to our mutual insurance company business model,” Chris Johnson, the executive vice president who will serve as its managing director, said in a statement. “Most notably, Luxembourg is a hub that permits EU passporting—which fits our business model perfectly.”

Lloyd’s said in March it will establish an EU base in Brussels that will allow its markets to continue to write risks from all 27 EU and three European Economic Area states post-Brexit. “It is important that we are able to provide the market and customers with an effective solution that means business can carry on without interruption when the U.K. leaves the EU,” Lloyd’s Chief Executive Inga Beale said in a statement. She added that Brussels met the critical elements of providing a robust regulatory framework in a central location.

Lloyd’s said its intention is to be ready to write business for the Jan. 1, 2019, renewal season.

U.S. insurer AIG also announced recently that it is moving its headquarters from London to Luxembourg; and Lloyd’s insurer Hiscox said in May that it has decided to establish a subsidiary in Luxembourg, after debating between Luxembourg and Malta.

Luxembourg has said that as well as insurers, it is in talks with firms including asset managers, banks and financial tech companies.

North Korea Now Suspected in Ransomware Attack

The massive cyberattack that has struck businesses, government agencies and citizens in more than 150 countries may be tied to hackers affiliated with North Korea. Called WannaCry, the ransomware encrypts files on the victim’s machine and demands a ransom of about $300 in the virtual currency bitcoin.

According to the Washington Post:

Several security researchers studying “WannaCry” on Monday found evidence of possible connections to, for instance, the crippling hack on Sony Pictures Entertainment in 2014 attributed by the U.S. government to North Korea. That hack occurred in the weeks before Sony released a satiric movie about a plot to kill North Korean leader Kim Jong Un.

The New York Times reported that the malicious software, based on a vulnerability included in the National Security Agency tools published by the Shadow Brokers hacker group, was distributed via email. Once on a machine, the ransomware exploits that vulnerability, which lies in the SMBv1 file-sharing service of Microsoft Windows, to spread itself to other unpatched Windows systems on the network with no user action, generating the largest ransomware attack to date. Microsoft patched the flaw (security bulletin MS17-010) in March, two months before the outbreak; the wide spread of the attack illustrates how many organizations fail to apply updates promptly. Institutions and government agencies affected included the Russian Interior Ministry, FedEx in the United States and Britain’s National Health Service.

Organizations are advised to back up their data and take other measures to avoid being hacked. Kroll said that while the particular ransomware variation involved in hundreds of thousands of incidents has now been rendered largely harmless, its cyber security and investigations team “strongly recommends that organizations recognize that a small change in the malware code could reactivate it. So action should be taken in conjunction with your technology unit to reduce your risk and prepare for inevitable future similar attacks. If the malware has entered your network, it has the ability to spread—and spread rapidly.”

According to Kroll:

  • Obsolete versions of Microsoft Windows are particularly vulnerable. We understand that there may be very specific circumstances that require you to use versions that are no longer supported, but now is the time to revisit the topic. See if there is any way you could use a supported operating system running a virtual version of the operating system you need.
  • Microsoft has been working to roll out updates that can fix the underlying security weakness that this malware exploits. You should make sure that both your personal and business machines running Windows are updated. We know that many people don’t want to take the time to close out all their files and restart their computers to allow updates to occur, but this is an important defense against the WannaCry ransomware. As an indicator of how serious the threat is, note that Microsoft has even released a security patch for the old Windows XP system. Please take steps to assure that all relevant machines running the Windows operating system are updated.
  • Organizations that don’t have well-thought-out backup and recovery plans are also very vulnerable. Management should be asking if there is a plan to assure that all important files are backed up in a way that will prevent a ransomware infection from attacking both the primary files and the backups.
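Kroll’s warning that the malware spreads rapidly once inside a network points to a detection a security operations team can run against its own firewall logs. WannaCry moved from host to host over Windows file sharing (SMB, TCP port 445), so a single machine opening connections to dozens of distinct internal addresses on port 445 within a minute is the signature of that propagation. The following is an added example, not code from Risk Management, Kroll or any vendor; the log format, addresses, window and threshold are constructed for illustration.

```python
"""Flag hosts fanning out to many internal peers on TCP/445 within a short window.

Added example: not code from Risk Management, Kroll or any vendor. The log
format, addresses, window and threshold below are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed firewall log format: "<date> <time> <src> -> <dst>:<dport> <action>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def find_smb_fanout(lines, threshold=20, window=timedelta(seconds=60),
                    port=445, ignore_sources=()):
    """Return {src: (window_start, distinct_destinations)} for every source that
    reached `threshold` distinct destinations on `port` inside `window`.

    Denied connections count too: a worm probing hosts the firewall blocks is
    still a worm, and the deny log is often the earliest signal. Sources in
    `ignore_sources` (an authorised vulnerability scanner, say) are skipped.
    Lines must be in time order.
    """
    recent = defaultdict(deque)  # src -> deque of (ts, dst) inside the window
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["dport"] != port or ev["src"] in ignore_sources:
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dst"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        distinct = {dst for _, dst in q}
        if len(distinct) >= threshold and ev["src"] not in alerts:
            alerts[ev["src"]] = (q[0][0], len(distinct))
    return alerts


def sample_log():
    """Constructed log: a benign client, a slow scanner and a worm-like host."""
    base = datetime(2017, 5, 12, 10, 0, 0)
    fmt = "%Y-%m-%d %H:%M:%S"
    lines = []
    # Benign: many connections, but all to the same file server.
    for i in range(30):
        t = base + timedelta(seconds=2 * i)
        lines.append(f"{t:{fmt}} 10.0.1.20 -> 10.0.0.5:445 allow")
    # Slow: 25 distinct hosts, one every 30 s, so never 20 inside any 60 s window.
    for i in range(25):
        t = base + timedelta(seconds=30 * i)
        lines.append(f"{t:{fmt}} 10.0.1.31 -> 10.0.3.{i + 1}:445 allow")
    # Worm-like: 40 distinct hosts in 40 s, some of them denied by the firewall.
    for i in range(40):
        t = base + timedelta(seconds=i)
        action = "allow" if i % 3 else "deny"
        lines.append(f"{t:{fmt}} 10.0.1.77 -> 10.0.2.{i + 1}:445 {action}")
    # Unrelated HTTPS traffic from the worm host must not be counted.
    lines.append(f"{base:{fmt}} 10.0.1.77 -> 10.0.0.9:443 allow")
    return sorted(lines)  # timestamps are fixed-width, so string order is time order


if __name__ == "__main__":
    for src, (start, n) in find_smb_fanout(sample_log()).items():
        print(f"ALERT {src}: {n} distinct hosts on 445 since {start:%H:%M:%S}")
```

Only the worm-like host trips the rule: the benign client hammers one server (one distinct destination), the slow scanner never reaches 20 hosts inside any single window, and the worm host is flagged on its twentieth distinct target, well before it finishes its sweep. Tune the threshold and window to the environment, and put legitimate scanners and software-distribution servers in `ignore_sources` rather than raising the threshold for everyone.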

President Trump ordered homeland security adviser Thomas P. Bossert to coordinate a government response to the spread of malware and find out who was responsible. According to the Times:

“The source of the attack is a delicate issue for the United States because the vulnerability on which the malicious software is based was published by a group called the Shadow Brokers, which last summer began publishing cybertools developed by the National Security Agency.”

Government investigators, while not publicly acknowledging that the computer code was developed by American intelligence agencies, say they are still investigating how the code got out. There are many theories, but increasingly it looks as though the initial breach came from an insider, perhaps a government contractor.

In a report, How to Protect Your Networks from Ransomware, the U.S. government recommends that users and administrators take preventative measures, including:

  • Implement an awareness and training program. Because end users are targets, employees and individuals should be aware of the threat of ransomware and how it is delivered.
  • Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email using technologies like Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing.
  • Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.
  • Configure firewalls to block access to known malicious IP addresses.
  • Patch operating systems, software, and firmware on devices. Consider using a centralized patch management system.
  • Set anti-virus and anti-malware programs to conduct regular scans automatically.
  • Manage the use of privileged accounts based on the principle of least privilege: no users should be assigned administrative access unless absolutely needed; and those with a need for administrator accounts should only use them when necessary.
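The email-authentication item in the list above is the one most often deployed in name only: an SPF record ending in “+all” or a DMARC record with “p=none” authenticates nothing. The following added example (not code from Risk Management or from the government report quoted above) shows how a receiving mail server evaluates a message against the sender’s SPF and DMARC records, why identifier alignment matters against a spoofer who publishes a valid SPF record for their own domain, and how to lint a domain’s own records for those weak settings. DNS is replaced by a constructed in-memory table, SPF “include” is resolved against that table, and DKIM appears only as the signing domain a verifier would already have produced, since signature verification is not shown; all domain names are documentation names.

```python
"""Evaluate inbound mail against SPF and DMARC records, and lint those records.

Added example: not code from Risk Management or from the U.S. government report.
DNS is stood in for by the constructed TXT table below; DKIM is represented only
by the signing domain a verifier would have produced (or None).
"""
import ipaddress

# Constructed TXT records standing in for DNS lookups.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=r; aspf=r",
    "attacker.example": "v=spf1 ip4:203.0.113.0/24 -all",  # spoofer's own domain
    "weak.example": "v=spf1 +all",
    "_dmarc.weak.example": "v=DMARC1; p=none",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, ip, depth=0):
    """SPF result for `ip` using `domain` in MAIL FROM. Handles ip4/ip6/include/all."""
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1") or depth > 10:  # RFC 7208 lookup limit
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            return QUALIFIERS[qualifier]
        # ip_network containment is False across IPv4/IPv6, so ip6 terms never match v4.
        if mech in ("ip4", "ip6") and addr in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
        if mech == "include" and spf_check(arg, ip, depth + 1) == "pass":
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no explicit 'all'


def parse_dmarc(domain):
    """Tags of the _dmarc.<domain> record with defaults, or None if no policy."""
    record = DNS_TXT.get(f"_dmarc.{domain}", "")
    if not record.startswith("v=DMARC1"):
        return None
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    for key, default in (("p", "none"), ("adkim", "r"), ("aspf", "r")):
        tags.setdefault(key, default)
    return tags


def org_domain(domain):
    """Organisational domain. Simplification: last two labels, no Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict alignment needs an exact match; relaxed needs the same org domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(from_domain, mail_from_domain, source_ip, dkim_domain=None):
    """Return (disposition, detail): 'pass' if an aligned SPF or DKIM identifier
    authenticated From:, the record's p= value if not, 'no-policy' if none."""
    policy = parse_dmarc(from_domain) or {"p": "no-policy", "adkim": "r", "aspf": "r"}
    spf = spf_check(mail_from_domain, source_ip)
    spf_aligned = spf == "pass" and aligned(mail_from_domain, from_domain, policy["aspf"])
    dkim_aligned = aligned(dkim_domain, from_domain, policy["adkim"])
    detail = f"spf={spf} spf_aligned={spf_aligned} dkim_aligned={dkim_aligned}"
    if policy["p"] == "no-policy":
        return "no-policy", detail
    return ("pass" if spf_aligned or dkim_aligned else policy["p"]), detail


def audit_domain(domain):
    """Lint a domain's own records for settings that leave it spoofable."""
    findings = []
    spf = DNS_TXT.get(domain, "")
    terms = spf.split()
    if not spf.startswith("v=spf1"):
        findings.append("SPF: no record, so receivers cannot reject a forged MAIL FROM")
    elif "+all" in terms or "all" in terms:
        findings.append("SPF: '+all' lets any host pass; end the record with '-all' or '~all'")
    policy = parse_dmarc(domain)
    if policy is None:
        findings.append("DMARC: no record, so SPF/DKIM results are never enforced on From:")
    elif policy["p"] == "none":
        findings.append("DMARC: p=none only monitors; move to p=quarantine or p=reject")
    return findings


if __name__ == "__main__":
    print(dmarc_disposition("example.com", "example.com", "192.0.2.10"))
    print(dmarc_disposition("example.com", "attacker.example", "203.0.113.5"))
    print(audit_domain("weak.example"))
```

The second call is the instructive one: the spoofer’s own SPF record passes for their sending address, but because the authenticated domain (attacker.example) does not align with the From: domain (example.com), DMARC still fails and the published policy, p=reject, applies. Swap the policy for weak.example’s p=none and the same forgery is merely reported, not blocked.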

In a Changing World, Questions For the CRO

Before the financial crisis in 2008-2009, many businesses didn’t think of risk as something to be proactively managed. After the crisis, however, that paradigm shifted. Companies began perceiving risk management as a way to protect both their reputations and their stakeholders.

Today, risk management is not just recommended; it is considered crucial to successful operations and is required by federal and state law. The SEC’s Proxy Disclosure Enhancements, enacted in 2010, mandate that organizations provide information regarding board leadership structure and the company’s risk management practices. Company leadership is required to have a direct role in risk oversight, and any risk management ineffectiveness must be disclosed.

The CRO’s role

Volatility in the current business environment—a confluence of factors including transfers of power, the world economy and individual markets—is nothing new. Political transitions have always been accompanied by new agendas and shifting regulations, economies have always experienced bull and bear markets, and the evolution of technology constantly changes our processes.

Even so, recent events like Brexit, the uncertainty of a new administration’s regulatory initiatives, and thousands of annual data breaches have contributed to an unprecedented atmosphere of fear and doubt. To navigate this environment, the chief risk officer needs to adopt a proactive risk management approach. Enterprise-wide risk assessments grant the visibility and insight needed to present an accurate picture of the company’s greatest risks. This visibility is what the board needs to safely recognize opportunity for innovation and expansion into new markets.

To grow a business safely—by innovating and adding to products/services and expanding into new markets—risk professionals should not focus on identifying risk by individual country. This approach naturally leads to a prioritization of “large-dollar” countries, which aren’t necessarily correlated with greater risk. Countries that contribute a small percentage of overall revenue can still cause major, systemic risk management failures and scandals.

A better approach is to look at risk across certain regions; how might expanding the business into Europe, for example, create new challenges for senior management? Are there sufficient controls in place to mitigate the risks that have been identified?

When regional risks are aggregated to create a holistic picture, it becomes possible for the board to make sure expansion efforts are aligned with strategic goals.

Three processes that require ERM

Risk management is an objective process, and best practices, such as pushing risk assessments down to front-line process owners who are closest to operational risk, should be adhered to regardless of the current state of the international business arena.

While today’s political climate has generated a great deal of media noise, it is important not to let emotion influence decision-making. By providing the host organization with a standardized framework and a centralized data location, enterprise risk management enables managers to apply the same basic approach across departments and levels.

This is particularly important when an organization expands internationally, which involves compliance with new sets of regulations and staying competitive. Performing due diligence on an ad hoc basis is neither effective nor sustainable. Instead, the process should follow the same best-practice process as domestic risk management efforts:

  1. Identify and assess. Make risk assessments a standard part of every budget, project or initiative. This involves front-line risk assessments from subject matter experts, revealing key risks and processes/departments likely to be affected by those risks. For example, financial scrutiny is no longer a concern just for banks. Increased attempts to fight terrorism mean transactions of all kinds are becoming subject to more review. Anti-bribery and anti-corruption processes estimate and quantify both vulnerability and liability.
  2. Mitigate key risks. Connect mitigation activities to the resources they depend on and the processes they’re associated with. ERM creates transparency into this information, eliminating inefficiency associated with updating/tracking risks managed by another department. Control evaluation is the most expensive part of operations. Use risk management to prioritize this work and reduce expenses and liability.
  3. Monitor the effectiveness of controls with tests, metrics, and incident collection for risks and controls alike. This ensures performance standards are maintained as operations and the business environment evolve. Evidence of an effective control environment prevents penalties and lawsuits for negligence. The bar for negligence is getting lower; technology is pulling the curtain back not only internally but (through social media and news) to the public as well.

Lastly, the CRO role is increasingly accountable for failures in managing risk along with other senior leaders and boards—look no further than Wells Fargo.