Insurance Newsletter - June 2023

In this newsletter we discuss:

• The bulk annuity market
• The introduction of the Consumer Duty
• Cyber risk for insurers
• Ongoing COVID-19 business interruption cases

The bulk annuity market

Expansion of risk appetites

The PRA's latest intervention was in response to the acceleration in growth of the bulk annuities market, which could insure more than £500 billion of scheme liabilities over the coming decade. Market participants and advisers anticipate significant further expansion, with predictions that in excess of £50 billion of liabilities could be insured in respect of 2023 and significantly more in the following years. An increasing number of insurers are writing new business in the billions of pounds per year and “mega” deals covering billions of scheme liabilities in one transaction have returned. New entrants to the market have recently been announced, with more expected.

This trajectory is coupled with the increased appetite of insurers to cover liabilities relating to deferred members (i.e. those not yet retired), to accept or structure for illiquid assets of schemes, and to offer partial deferral of premiums. Together, these trends have led the regulator to remind insurers of the need to carefully consider the appropriateness of the risks assumed over the full term of the arrangement.

Reliance on third party capacity

Another area of focus is the reliance on reinsurers as a source of third party capital and asset origination capacity. These funded reinsurance arrangements, which often involve a single, upfront premium that is invested by the reinsurer, potentially expose insurers to more complex and concentrated risk (compared to reinsurance of longevity risks alone). There are clear signs that there may be more to come from the PRA on how it expects insurers and, in particular, senior managers, to reflect on and manage the counterparty risk and collateral exposures associated with this.

The regulator has also commented upon the long-term implications for the UK economy of insurers using offshore third party capital providers, in the context of UK reforms of Solvency II. The Government has indicated that capital released through reducing the risk margin could support investment in UK based long-term infrastructure and productive assets, albeit that insurers remain non-committal on whether this will materialise.

Greater interconnectivity with the wider financial system

The PRA has also emphasized that insurers should understand and assess their interconnectivity with the wider financial market. This covers the scope to deploy their assets in a way that supports the UK economy and to ensure that risks are fully understood and stress scenarios carefully modelled, to reduce scope for market instability. The regulator emphasised the important role that insurers’ investment strategies have in supporting the wider economy and society, in line with the Government’s objectives for Solvency II reform, as well as the opportunity for insurers to burn ESG credentials valued by trustees. The focus on this suggests that the PRA is likely to take a favourable view of insurers that make investments that support the UK economy, rather than relying on third party capital. This may increasingly become a factor for insurers as they discuss proposed buy-in and reinsurance transactions with the regulator.

As highlighted in the recently announced FCA consultation on reforms to the listing regime for equities in the UK, insurers were once a major investor in UK plc. British pension funds and insurance companies now only hold around 4 per cent of the shares in UK incorporated companies listed on the London Stock Exchange, down from around 40 per cent in the late 1990s. The impact of reforms introduced with the Solvency UK package, together with other actions of regulators, on the investment strategy and risk management of insurers is likely to become an increasing area of focus for industry participants.

Derisking in practice

We have observed the trends commented upon by the PRA in our recent work relating to large pension schemes, including with Intact and RSA and Tata Steel. Sponsors and trustees of the largest schemes, when making the move to full buy-in, are understandably seeking to maximise the value of scheme assets without unduly compromising deal certainty. Insurers are likely to be challenged to show flexibility on matters beyond pricing and more standard terms.

Differentiating factors will include bespoke structuring of deal terms to address existing assets and arrangements of a scheme, the ability to accept and value illiquid assets, and demonstrating a collaborative and solutions-focused approach to address new issues efficiently as they arise. Insurers have so far been rising to this challenge in impressive and innovative ways; they will have to continue to adapt their risk appetites in a way that sates them whilst remaining palatable to the regulator.

The Consumer Duty - latest

The new Consumer Duty comes into force on 31 July 2023 for in scope existing products and services. The final rules and guidance were set out in the FCA’s July 2022 policy statement (PS22/9) and are largely implemented in new PRIN 2A in the FCA Handbook. The FCA has also published guidance on the application of the duty.

Firms should already have arrangements in place to ensure compliance with the new requirements. When considering the application of the Consumer Duty, firms should also take into account broader and inter-relating FCA initiatives, as well as feedback from the regulator on firms’ implementation planning. In particular:

• in May the FCA published findings from its review into firms’ approaches to fair value assessments under the Consumer Duty, identifying both examples of good practice and areas where there remains room for improvement
• the FCA has consulted on expanding and formalising some of its guidance on supporting customers in financial difficulty within ICOBS and plans to bring these new rules into force at the same time as the Consumer Duty
• firms should also take into account the Dear CEO letters sent to general and life insurers in 2022 setting out the FCA’s expectations of insurers in the context of the cost of living crisis
• firms operating in the multi-occupancy buildings insurance market should also consider:
  • the FCA’s April consultation on changes to its Handbook, in particular to provide for improved information disclosure for leaseholders and changes in the way the rules require firms to consider leaseholders’ interests; and
  • the findings in its April report on broker remuneration in this market, including proposed regulatory actions where the FCA considers that brokers are not meeting their regulatory obligations.

Cyber risk and the insurance sector

Third party supply chain risk

The Capita cyber attack in March 2023 and possible resulting data breach has highlighted again the potential vulnerability of firms to cyber risk via their third party suppliers. The incident was particularly high profile given the scale of Capita’s operations, including supplying services to Government as well as firms operating in the financial services sector. Both the pensions regulator and the FCA wrote to firms who could have been affected by the incident, in the FCA’s case “to ensure they are fully engaged in understanding the extent of any data compromise”. This included a number of insurance sector firms.

Cyber attacks can, among other things, cause disruption to firm’s important business services. Regulated firms are subject to the PRA and FCA’s operational resilience requirements, which had to be implemented by 31 March 2022 and must be fully complied with by 31 March 2025. By now firms should have, among other things:

• identified their important business services which, if disrupted, could cause intolerable harm to consumers, cause a risk to market integrity, threaten the viability of firms, or cause instability in the financial system; and
• set impact tolerances for the maximum tolerable disruption to these services.

For outsourcing and third party arrangements, firms are expected to gain assurance that such arrangements would not create a vulnerability in meeting the firm’s impact tolerances. In its supervisory statement on outsourcing and third party risk management, the PRA outlines in detail the steps it expects authorised firms to take to reduce the risks arising from third party arrangements, including in relation to data security. These regulatory obligations overlay the responsibilities of all firms under UK GDPR, including notification obligations to the ICO in the event of a data breach.

Governmental initiatives

Although there is an onus on firms to put systems in place to protect themselves, Government and the regulators are also taking steps to address the risk to the financial system which could be posed by critical service providers. These initiatives include:

• the Financial Services and Markets Bill includes powers for HM Treasury to designate certain third parties to firms as “critical third parties” (CTPs) (in consultation with the regulators) and for the regulators to make rules for, and gather information from, designated CTPs in connection with the provision of services to regulated firms
• the FCA plans to consult on requirements in relation to CTPs in 2023, following its 2022 discussion paper produced jointly with the PRA and Bank of England. These requirements may include minimum resilience standards for CTPs as well as participation in a range of resilience tests and sector-wide exercises
• at EU level, the new Digital Operational Resilience Regulation will impose obligations from January 2025 on actors in the financial sector, including insurance and reinsurance companies, insurance and reinsurance intermediaries, ancillary insurance intermediaries and IT service providers employed by these entities.

There are also initiatives outside the financial sector which may be relevant. For example, the UK’s National Cyber Security Centre has recently published guidance on supply chain management and the Government is planning to amend the Network and Information Systems (NIS) Regulations 2018 to improve the UK’s cyber resilience by bringing “managed services” related to the provision of IT services (such as systems, infrastructure, networks and/or security) in scope.

Practical steps

Our Cyber Group regularly advises financial sector clients on a range of cyber issues including third party supply chains and ransomware attacks. Preparedness is key and it is vital that a firm’s cyber risk management framework and contingency planning enable them to act within their risk appetite and meet regulatory expectations. There are a number of steps which firms can take to minimise the threat of a cyber attack. These include:

• putting in place clear cyber incident response plans and regularly practicing and updating those plans – this should include planning for particular high-risk areas such as ransomware threats
• considering how those plans work across the group (e.g. does the group have the right level of oversight over businesses which are run “independently”), the firm’s supply chain (e.g. is supply chain risk being monitored and managed) and when new businesses are acquired
• identifying key digital assets, mapping the group’s data (e.g. what information is stored in which system) and understanding how back-ups would work in practice
• ensuring appropriate third party advisers (forensic IT, legal etc.) are onboarded and jointly trained with the firm
• identifying legal, regulatory and contractual notification obligations and ensuring that there is a joint up approach when liaising with different regulators, including the ICO, PRA and FCA.

Update on business interruption litigation - a legacy of COVID-19

Marsh Resilience wording

One of the most notable is the Stonegate case in respect of the “Marsh Resilience” wording . The High Court judgment in Stonegate, handed down in October last year, addressed a number of key outstanding points in respect of causation, the application of provisions on limits of liability and aggregation, the correct approach in respect of furlough and business rate relief, and claims for additional increased cost of working. At first instance, a majority of points were resolved in favour of insurers.

Stonegate was heard together with two other cases determining similar (though not identical) issues on the Marsh Resilience wording in respect of businesses in the hospitality and retail sectors, namely Various Eateries and Greggs. Appeals are being pursued to the Court of Appeal in respect of aspects of all three claims, for which a hearing has been set on 27 November 2023.

There are also other ongoing claims on Marsh Resilience and similar wordings. These are at a less advanced stage in the Courts, though may still be relevant to determine residual issues that do not arise in Stonegate. Together, the ongoing Marsh Resilience claims, though attracting less publicity than the FCA test case, will determine whether one or multiple limits of liability are available to policyholders in respect of the COVID-19 pandemic, potentially multiplying the exposure of insurers for some claims. This could have material consequences for insurers were matters to be resolved substantially in favour of policyholders (albeit that this looks unlikely on the basis of the first instance judgment in Stonegate).

Other key ongoing litigation

There are various other ongoing cases in the Courts aside from the Marsh Resilience cases covering matters including coverage on “denial of access” wordings not directly addressed within the FCA test case, the correct approach to policy wording requiring a case of disease “at the premises” of the insured business, and related matters such as the application of aggregation provisions and limits. In each case, these could potentially have material implications for the wider market.

The Court has indicated that it will seek to manage suitable sets of cases together. The treatment of the Pizza Express case (in which the High Court handed down a judgment on preliminary issues on 26 May 2023) is a good example of active case management in respect of COVID-19 business interruption cases.

• This case is being managed together with Gatwick Investment Limited & Ors v Liberty Mutual Insurance Europe SE in respect of coverage and other matters under “denial of access” wordings. A hearing is scheduled in October 2023. Some of these issues overlap with the previous judgment in the Corbin & King case handed down by the High Court in February 2022 and have the potential to chip away further at the un-appealed parts of the Divisional Court judgment in the FCA test case that favour insurers.
• It is also one of several cases being managed together that relate to causation in respect of “at the premises” cover. A core issue is whether the logic of the Supreme Court that established coverage under disease “in the vicinity” wordings should also extend to these types of claims. The lead case is London International Exhibition Centre PLC v Royal & Sun Alliance PLC. A hearing on preliminary issues took place in a number of these cases in April to early May 2023, on which judgment is anticipated in a few weeks’ time.

A separate hurdle for policyholders is to demonstrate a case of COVID-19 at the insured premises at the relevant time. The difficulty of doing so has been evident in some decisions of the Financial Ombudsman Service in this area.

The road ahead

It is clear from the above that, more than three years since the first lockdown in the UK, there is still a considerable way to go before the legal position becomes clear on all of these points. Short of reaching some kind of settlement in advance of this, insurers, policyholders, brokers and reinsurers will have to wait until 2024 and beyond before final legal determinations from the ongoing claims and appeals are available. We continue to work with our insurance clients to manage ongoing claims and to support them in analysing and implementing the legal positions as these emerge from the Courts.