Enterprise Risk Management
Theron Robert Holladay Sr., CFA
President & CEO, Parkway Advisors

Posted on 27-May-2018

ERM Process
Investment Risk Focus

ERM Process – Overview

Contents of Presentation
• ERM Defined
• Common Mistakes
• Risk Components
• ERM Process
• Summary
• Questions

• Enterprise risk management (ERM) is the process of planning, organizing, leading & controlling the activities of an organization in order to minimize the effects of risk on an organization’s capital & earnings

ERM Defined

• ERM program: everything an organization does to identify & mitigate risk

• ERM policy: a single company document that defines & organizes the overall ERM program of an organization. This document often refers to other documents (investment, operation & underwriting plans) in order to also define specific ERM risk policies

ERM Defined

• Indicating that you do not have an ERM program
  • The ERM program includes all policies around risk
  • Be honest while demonstrating risk controls

• Adopting a policy of another insurer
  • Your organization is unique & has specific risks
  • Anything within an official policy must be followed

Common Mistakes

ERM – Main Risk Areas

Investment Risk
• Asset/Liability Management
• Diversification
• Market/Reinvestment Risk
• Credit Risk
• Interest Rate Risk
• Liquidity Risk
• Surplus Drift

Underwriting Risk
• Expenses
• Persistency
• New Business
• Claims
• Mortality
• Policyholder Behavior
• New Regulations

Operational Risk
• Cyber Risk
• Taxes
• Regulatory Changes
• Reputational
• Fraud
• Mismanagement
• Employee Turnover

• Buy-in at the top level
• Lead by example
• Encourage a risk focus
• Reward

ERM Process – Encourage a Risk Focused Culture

• ERM committee
  • Responsibilities
  • Chief Risk Officer
  • Risk appetite statement

• Sub-committees
  • Investments/underwriting/operations
  • Diversity
  • Establish base for open dialogue

ERM Process – Committees

• Sub-committee initial risk identification
  • Dedicated, distraction-free initial meeting
  • Open “brainstorming”
  • Follow-up risk review meeting

• Sub-committee risk assessment – “heat map”
  • Probability of risk occurring
  • Magnitude of impact upon occurrence
  • Top risk recommendations to ERM committee

• ERM committee review
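The heat-map step above (rate each identified risk by probability of occurrence and magnitude of impact, then forward the top risks to the ERM committee) in working form. This is an added example, not material from the Parkway Advisors slides: the 1-to-5 rating scale, the colour-band thresholds, the sample register and the top-3 cut-off are assumptions for illustration; the risk names are taken from the slide's risk areas, the ratings are constructed.

```python
"""Risk heat map and top-risk ranking for an ERM sub-committee review."""
from typing import Dict, List, Tuple

SCALE = range(1, 6)  # assumed 1..5 rating scale for both probability and impact

# Constructed sample register: names from the slide's risk areas, ratings are
# illustrative assumptions rather than the presenter's figures.
REGISTER = [
    {"name": "Cyber Risk",         "probability": 4, "impact": 5},
    {"name": "Interest Rate Risk", "probability": 3, "impact": 4},
    {"name": "Persistency",        "probability": 2, "impact": 3},
    {"name": "Fraud",              "probability": 2, "impact": 5},
    {"name": "Employee Turnover",  "probability": 4, "impact": 2},
    {"name": "Liquidity Risk",     "probability": 1, "impact": 5},
]


def score(probability: int, impact: int) -> int:
    """Inherent risk score: probability x impact, both on the 1..5 scale."""
    if probability not in SCALE or impact not in SCALE:
        raise ValueError("ratings must be integers in 1..5")
    return probability * impact


def band(s: int) -> str:
    """Colour band for a heat-map cell (thresholds are an assumption)."""
    if s >= 15:
        return "red"
    if s >= 8:
        return "amber"
    return "green"


def heat_map(register: List[dict]) -> Dict[Tuple[int, int], List[str]]:
    """Map each (probability, impact) cell to the names of the risks in it."""
    grid = {(p, i): [] for p in SCALE for i in SCALE}
    for r in register:
        score(r["probability"], r["impact"])  # validates the ratings
        grid[(r["probability"], r["impact"])].append(r["name"])
    return grid


def top_risks(register: List[dict], n: int = 3) -> List[Tuple[str, int, str]]:
    """Rank by score, breaking ties toward higher impact, and return the top n."""
    ranked = sorted(
        register,
        key=lambda r: (score(r["probability"], r["impact"]), r["impact"]),
        reverse=True,
    )
    out = []
    for r in ranked[:n]:
        s = score(r["probability"], r["impact"])
        out.append((r["name"], s, band(s)))
    return out


def render(register: List[dict]) -> str:
    """Text heat map: impact on the rows (5 at the top), probability on the columns."""
    grid = heat_map(register)
    lines = ["impact\\probability  " + "  ".join(f"P{p}" for p in SCALE)]
    for i in reversed(SCALE):
        cells = "  ".join(f"{len(grid[(p, i)]):>2}" for p in SCALE)
        lines.append(f"I{i}                  {cells}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(REGISTER))
    for name, s, colour in top_risks(REGISTER):
        print(f"{name}: score {s} ({colour})")
```

Ties on score are broken toward higher impact on purpose: a low-probability, high-impact event (the "unseen risk" the closing slide refers to) should not sink below a routine high-probability nuisance with the same product.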

ERM Process – Identify Risks

ERM Process – Identify Risks

• Examples – persistency ratios, product line profitability, solvency ratio trends in a multiyear budget

ERM Process – Quantify Measurement Tools for Top Risks

• Mitigation strategies
  • Simple policies – ERM document
  • Comprehensive policies – separate documents

• Event occurrence strategies
  • Disaster recovery
  • Cyberbreach

• ERM reports
  • Defined within policies
  • Trigger limits

ERM Process – Policies

• ERM policy connects all company policies
• ERM program runs throughout the entire organization like tree branches & roots
• Examples of external ERM investment policies
  • ALM policy
  • Diversification policy
  • OTTI policy
  • Surplus volatility policy

ERM Process – Other Documents

• Is surplus & the asset valuation reserve properly considered in diversification (diversification policy)?

• Are the assets appropriate for the products that are sold to policyholders (for life companies)?

• Does the organization have an appropriate other than temporary impairment (OTTI) policy?

Investment Policy Examples

Diversification Is Often Applied Inappropriately to Insurance Portfolios

• Size of any investment as it relates to the capital or unassigned funds of the firm

• The amount of any AVR (for life insurance companies)

Diversification An Insurance Company Should Consider

Life Company Example

• Across all categories in assessing the risk of any investment portfolio

• By asset type, geographic location, industry, collateral type, coupon, maturity & placement into the market

Important To Consider Diversification

Relationship of Investments to Insurance Products

• Enhancements to net investment income
• Positive impacts to capital/unassigned funds
• Understanding statutory accounting
• NAIC regulation

Performance for Insurance Companies Is Centered On

• The type of products offered by the insurer

What Is Main Factor that Determines Appropriate Portfolio Maturity & Cash Flows?

ERM – Policies (Report Example)

• Establish ERM meeting frequency in the ERM policy
• Establish ERM reporting within the ERM policy
• Keep it simple
• Keep it organized (timeline checklist)
• Follow through with all reporting requirements
• Maintain good minutes

ERM Process – Documentation

• Minimum of annual policy review
• Strategic planning process
• Annual board approval

ERM Process – Review

• Begin the process
• Understand ERM is already a part of the organization
• ERM is a “living & breathing process”
• ERM regulations will change & adjust

Summary

• Unseen risk & historical observations

Final Observation

Theron Robert Holladay Sr., CFA | [email protected] | 800.692.5123

The information contained in these slides is presented by professionals for your information only & is not to be considered as legal advice. Applying specific information to your situation requires careful consideration of facts & circumstances. Consult your BKD advisor or legal counsel before acting on any matters covered

BKD, LLP is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.nasbaregistry.org.

Cyber Risk: What Insurance Companies Need to Know
Presented by Jan Hertzberg, CIPT, CISA | Director

Your Presenter

Jan Hertzberg, Director
• Cybersecurity practice leader
• More than 30 years of experience providing IT audit, risk, cybersecurity & privacy compliance services

Objectives

Provide Governance Insights

Share Leading Industry Practices

Review Cyber Risk Landscape

Rapidly Evolving Cyberthreats – Motivational Shifts

[Figure: additive motivation progression line. Actors: hacktivists, fraudsters, nation-states. Motivations: theft, disruption, destruction.]

Data Breaches in the News (incidents from 2015 and 2017)
• Credential theft led to unauthorized access to policyholder NPI
• A State Farm third-party vendor’s employees were misappropriating customer funds & misusing payment cards
• Exposure of electronic protected health information (HIV patient information)
• 143 million consumers’ personal data was stolen

Equifax Breach Timeline

• Early March – First Warning: IT department receives notice that Apache Struts needs a security patch. Patching policy states it must be taken care of within 48 hours
• Late March – Patch Ignored: Patching policy isn’t followed. Vulnerability scans don’t detect any issues with Apache Struts
• July 29 – Suspicious Activity: Senior officials are aware of suspicious activity & notify CIO
• July 31 – CIO Informs CEO: CIO informs CEO of breach. CEO is unaware of scope or that customer data has been stolen
• August 15 – Data Stolen?: CEO learns that customer data has “likely been stolen”
• August 22 – Yes, Data Stolen: CEO holds senior leadership meeting & finds out that large volumes of customer data have been stolen. He informs the board director
• August 24–25 – Informed Board: CEO informs the board that there has been a breach. This is a full month after it was initially detected
• September 1 – Scale & Remediation: Board meets to discuss the scale of the breach & remediation efforts
• September 7 – Public Notification: Public breach announcement that 143 million customers’ information has been stolen
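The first two steps of the timeline (a 48-hour patching policy, then a policy that was not followed while scans reported nothing) describe a control that can be checked mechanically. The following is an added example, not code from the presentation or from BKD: it reconciles a vulnerability notice against patch records, marks each affected asset against the 48-hour SLA, and lists the assets the scanner reported clean even though no patch is recorded. The advisory id ADV-0001, the asset and component names and all timestamps are constructed sample data.

```python
"""Patch-SLA compliance check for a vulnerability notice."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set

SLA = timedelta(hours=48)  # the 48-hour patching policy stated on the slide


@dataclass
class Notice:
    advisory: str        # hypothetical advisory id (placeholder, not a real identifier)
    component: str       # software component the advisory concerns
    received: datetime   # when the notice reached the IT department


@dataclass
class Asset:
    name: str
    components: Set[str]
    patched: Dict[str, datetime] = field(default_factory=dict)  # advisory -> patch time
    scan_findings: Set[str] = field(default_factory=set)        # advisories the last scan flagged


def affected(notice: Notice, assets: List[Asset]) -> List[Asset]:
    """Assets that run the component named in the notice."""
    return [a for a in assets if notice.component in a.components]


def sla_status(notice: Notice, asset: Asset, now: datetime) -> str:
    """'patched', 'patched-late', 'open' (still inside the SLA) or 'overdue'."""
    deadline = notice.received + SLA
    done = asset.patched.get(notice.advisory)
    if done is not None:
        return "patched" if done <= deadline else "patched-late"
    return "overdue" if now > deadline else "open"


def scanner_blind_spots(notice: Notice, assets: List[Asset]) -> List[str]:
    """Affected assets with no patch record that the scanner also did not flag.

    A clean scan is not evidence of a patch; the patch record is. These are
    the hosts where relying on the scanner alone would hide an SLA breach.
    """
    return [a.name for a in affected(notice, assets)
            if notice.advisory not in a.patched
            and notice.advisory not in a.scan_findings]


def sla_report(notice: Notice, assets: List[Asset], now: datetime) -> dict:
    """Per-asset SLA status plus the list of scanner blind spots."""
    return {
        "advisory": notice.advisory,
        "status": {a.name: sla_status(notice, a, now) for a in affected(notice, assets)},
        "blind_spots": scanner_blind_spots(notice, assets),
    }


# Constructed sample data: one advisory for a web framework, five assets.
T0 = datetime(2017, 3, 1, 9, 0)          # constructed notice time
NOW = T0 + timedelta(days=10)            # constructed review time, well past the SLA
EARLY = T0 + timedelta(hours=10)         # constructed review time inside the SLA
NOTICE = Notice("ADV-0001", "apache-struts", T0)
ASSETS = [
    Asset("web-01", {"apache-struts", "tomcat"}, patched={"ADV-0001": T0 + timedelta(hours=30)}),
    Asset("web-02", {"apache-struts", "tomcat"}),                     # never patched, never flagged
    Asset("web-03", {"apache-struts"}, patched={"ADV-0001": T0 + timedelta(hours=72)}),
    Asset("web-04", {"apache-struts"}, scan_findings={"ADV-0001"}),  # unpatched but visible to the scanner
    Asset("db-01", {"postgres"}),                                      # does not run the component
]

if __name__ == "__main__":
    for key, value in sla_report(NOTICE, ASSETS, NOW).items():
        print(key, value)
```

The design point is that the status is derived from the patch record, never from the scan: web-02 is overdue and invisible to the scanner, which is the situation the timeline describes, while web-04 is equally overdue but at least appears in the scan findings and would be caught by a scanner-driven process.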

Cyber Risk & the Insurance Industry
• Carriers maintain significant amounts of customer PII/ePHI
• Given the nature & quantity of the data, a breach may cause serious impact
• Receiving increasing focus by regulators
• Technology
  • Common systems across the insurance industry increase vulnerability for all, e.g., Broker Office, Smart Office, United Systems & Software Incorporated
  • Shared infrastructure across multiple lines of business may increase risk
  • Lagging adoption of common protective technologies, e.g., two-factor authentication

Potential Breach Impacts
• Negative publicity
• Regulatory sanctions
• Refusal to share personal information
• Damage to brand
• Regulator scrutiny
• Legal liability
• Fines
• Damaged customer relationships
• Damaged employee relationships
• Deceptive or unfair trade charges
• Diversion of resources
• Lost productivity

Interesting Statistics

• Timing
  • In 93% of breaches, it took attackers minutes or less to compromise systems (Adobe products easiest to hack; Mozilla the most difficult)
  • In 83% of cases, it took weeks or more to discover an incident occurred
  • Attackers take the easiest route (63% leveraged weak, default or stolen passwords)
  • 95% of breaches were made possible by nine patterns, including poor IT support processes, employee error & insider/privilege misuse of access
  • Companies go back to basics once breached
    • 53% training & awareness
    • 49% additional manual controls
    • 52% expand use of encryption
    • 19% security certification or audit

• Financial loss
  • In 2015, NYDFS surveyed insurers that reported data breaches within 12 months
  • 70% reported no loss, 23% reported a loss < $250,000, 2% reported a loss between $250,000 & $500,000 & 2% reported between $6 & $10 million

Source: Verizon Data Breach Report, 2016

What Drives Cost of Breaches?

• Factors that increase cost: third-party involvement, extensive cloud migration, rush to notify
• Factors that decrease cost: BCM involvement, employee training, extensive use of encryption, incident response team
• Values shown on the chart: $20, $15, $14 (increase) and $13, $15, $18, $25 (decrease)

Source: Ponemon 2016 Cost of Data Breach Study

Regulatory Response Over Time
• 1934 – SEC Act
• 1974 – Family Educational Rights and Privacy Act (FERPA)
• 1996 – HIPAA
• 1998 – Safe Harbor (European Union)
• 2000 – 17 CFR Part 248, Brokers Consumer Protection
• 2001 – Cybersecurity Enhancement Act
• 2003 – California Data Breach Law
• 2006 – Indiana Breach Notification Law
• 2006 – PCI DSS
• 2009 – HITECH
• 2013 – HIPAA (Omnibus)
• 2016 – NAIC Insurance Data Security Model Law
• 2017 – New York Department of Financial Services Cyber Regulation
• 2017 – Executive Order Strengthening the Cybersecurity of Federal Networks & Critical Infrastructure
• 2018 – General Data Protection Regulation (GDPR)

NAIC Guidance
• Requirements include
  • Access controls are placed on systems
  • Physical access is restricted
  • PII is encrypted in transit or storage
  • System modifications adhere to licensee’s information security program
  • Multifactor authentication, segregation of duties & background checks are used
  • Systems are monitored for breaches
  • Implement response programs when needed
  • Measures are implemented to protect data against destruction &/or loss
  • Information is properly disposed of when no longer needed

Source: National Association of Insurance Commissioners, “Insurance Data Security Model Law,” 2016

NYDFS Guidance
• Requirements include
  • Cybersecurity events are detected
  • Detected events are responded to & negative effects are mitigated
  • Normal operations & services are restored after attacks
  • Applicable regulatory reporting obligations are fulfilled
  • Each covered entity has a “Cybersecurity Program” protecting confidentiality, integrity & availability of the covered entity’s information systems
  • Internal & external cybersecurity risks that threaten private consumer information on the covered entity’s information systems are identified
  • Defensive infrastructure & policy implementation to protect from unauthorized access are used

Source: NYDFS 23 NYCRR 500

NAIC Model Law vs. NYDFS Cyber Regulation

NYDFS Cyber Regulation
• Written statement to superintendent covering the prior calendar year by February 15
• Penetration testing & vulnerability assessments
• Written cybersecurity policies approved by a senior officer
• Chief Information Security Officer is required
• Financial audit trail retained for five years & an audit trail designed to detect & respond to cybersecurity events

Both
• Security program
• Cyber risk assessment
• Third-party risk assessments
• Response planning
• Multifactor authentication
• Incident response plan

NAIC Model Law
• Individual assigned to coordinate security program
• Oversight by board of directors or appropriate committee of the board
• Required investigation of cybersecurity event by licensee or outside service provider/vendor
• Notification of cybersecurity event to state commissioner no later than 72 hours from determination the event occurred
• Licensee is required to communicate to the consumer the information provided to commissioner based on state’s law & if consumer data is compromised
• If licensee is an insurer, they are required to communicate to affected consumers within 72 hours

Transitional Periods

• 180 days – 500.22: Covered entities shall have 180 days from the effective date of this Part to comply with the requirements set forth in this Part, except as otherwise specified
• 1 year – 500.04(b), 500.05, 500.09, 500.12, 500.14(b): Covered entities have one year from the effective date of this Part to comply with the requirements of Sections 500.04(b), 500.05, 500.09, 500.12 & 500.14(b) of this Part
• 1.5 years – 500.06, 500.08, 500.13, 500.14(a), 500.15: Covered entities have eighteen months from the effective date of this Part to comply with the requirements of Sections 500.06, 500.08, 500.13, 500.14(a) & 500.15 of this Part
• 2 years – 500.11: Covered entities have two years from the effective date of this Part to comply with the requirements of Section 500.11 of this Part

Source: NYDFS 23 NYCRR 500

Health Insurance Portability & Accountability Act (HIPAA)
• Covers
  • Health care providers, payors & clearinghouses
  • Employers who administer their own health plans
  • Business associates
  • Hybrid entities
• Protected health information (PHI)
  • Entities may only use or disclose PHI as permitted
• Enforced by
  • Department of Health & Human Services
  • State attorneys general
• Introduced
  • HITECH (2009) & The Omnibus Rule (2013)

Ransomware – the Threat
• U.S. government interagency report: there have been 4,000 daily attacks since early 2016 (300% increase over 2015)
• Exploits human & technical weakness to gain access to infrastructure to deny an organization its own data
• Malicious software (malware) infects systems & encrypts user data
• HIPAA Security Rule requires
  • Conducting risk analysis to identify threats & vulnerabilities; remediating gaps
  • Implementing procedures to guard against & detect malware
  • Training users to detect & report malware
  • Implementing access controls to limit access to ePHI to only those persons or software programs requiring access

Payment Card Industry Data Security Standard (PCI DSS)
• Covers
  • Businesses accepting credit & debit card payments
  • “Card Present” transactions (card swipes)
  • “Card Not Present” transactions (eCommerce)
• Cardholder data
  • Handling, processing & transmission by “merchants”
• Enforced by
  • Credit card brands
  • “Acquiring Bank” responsible for processing payment transactions
• Introduced
  • PCI Security Standards Council (PCI SSC), consisting of five credit card brands (Visa, MasterCard, Discover, American Express & JCB), created the PCI DSS in 2006; updated on a three-year cycle

Cyber Risk Oversight

What Do Boards Want to Know?

What do we consider our most valuable assets? How does our IT system interact with those assets? Do we believe we can fully protect those assets?

Do we think there is adequate protection in place if someone wanted to get at or damage our corporate “crown jewels?” If not, what would it take to feel comfortable that our assets are protected?

Are we investing enough so our corporate operating & network systems are not easy targets by a determined hacker?

Are we considering cybersecurity aspects of our major business decisions, such as mergers & acquisitions, partnerships, new product launches, etc., in a timely fashion?

Source: National Association of Corporate Directors (NACD), 2016–2017 NACD Public Company Governance Survey

Five Principles of Cyber Risk Oversight
1. Organizations need to understand & approach cybersecurity as an enterprisewide risk management issue, not just an IT issue
2. Understand the legal implications of cyber risks as they relate to their organization’s specific circumstances
3. Have adequate access to cybersecurity expertise, & discussions about cyber risk management should be given regular & adequate time on the board meeting agenda
4. Set the expectation that management will establish an enterprisewide cyber risk management framework with adequate staffing & budget
5. Include identification of which risks to avoid, accept, mitigate or transfer through insurance, as well as specific plans associated with each approach

Assessing Your Cybersecurity Program

NIST Cybersecurity Framework (NIST CSF)
• Background
  • Published February 12, 2014, by the National Institute of Standards & Technology (NIST)
  • Voluntary federal framework (not a set of standards) for critical infrastructure services
  • Provides a common language for organizations to assess, communicate & measure improvement in security posture
• Controls
  • High-level controls provide a framework of “what” but not “how”
  • Five functions, 22 control categories & 98 key controls derived from industry best practice & standards
  • Contains four maturity tier ratings

NIST Cybersecurity Framework

Framework Categories
• Identify: Asset Management, Business Environment, Governance, Risk Assessment, Risk Management Strategy
• Protect: Access Control, Awareness & Training, Data Security, Information Protection Processes, Maintenance, Protective Technology
• Detect: Anomalies & Events, Security Continuous Monitoring, Detection Processes
• Respond: Response Planning, Communications, Analysis, Mitigation, Improvements
• Recover: Recovery Planning, Improvements, Communications

Framework Benefits
• Comprehensive in scope
• Intuitive
• Risk-based – allows the organization to prioritize remediation activities depending on the organization’s risk appetite & the cybersecurity control maturity desired
• Commonly accepted standard – provides a basis for consistent assessment in the future

Overall Assessment Approach

Phase 1 – Discovery
• Determine business & compliance requirements for cybersecurity
• Review documentation related to cybersecurity infrastructure, e.g., network diagrams, asset inventory
• Identify systems & data stores containing personally identifiable information (PII), electronic protected health information (ePHI), etc.

Phase 2 – Analysis
• Conduct on-site interviews with key stakeholders to
  • Document processes that identify cyber risk, protect key information assets, detect/respond to threats & recover should a breach occur
  • Evaluate process/control maturity & determine risk

Phase 3 – Remediation Planning
• Identify recommendations & action plans addressing remediation activities to be completed
• Identify type of investment, e.g., resources, hardware/software

SOC for Cybersecurity
• Objective: provide a common framework through which an organization can communicate relevant, useful information about the effectiveness of its cybersecurity risk management program
• Components of the entity-level cybersecurity reporting framework
  • Management’s description
  • Management’s assertion
  • Practitioner’s opinion
• Two criteria to implement the framework
  • Description criteria: used to describe the cybersecurity risk management program
  • Control criteria: used to assess the effectiveness of controls within the cybersecurity risk management program

Summary

• Cybersecurity risk has grown substantially for insurance companies

• Framework-based cybersecurity assessment/attestation allows the company to determine if an effective cybersecurity program is in place

• Remediation activities can be prioritized & scheduled based on level of risk & control maturity

Jan Hertzberg, CIPT, CISA | [email protected] | 630.282.9500

Resources
• ISACA® & Institute of Internal Auditors Research Foundation (IIA RF), “Cybersecurity: What the Board of Directors Needs to Ask,” 2014
• National Institute of Standards & Technology (NIST), “Framework for Improving Critical Infrastructure Cybersecurity,” Version 1.0, February 12, 2014
• National Association of Corporate Directors, “Cyber-Risk Oversight,” Director’s Handbook Series, 2017
• National Association of Insurance Commissioners, “Insurance Data Security Model Law,” 2016
• http://www.verizonenterprise.com/DBIR/2016/
• http://www.dfs.ny.gov/reportpub/dfs_cyber_insurance_report_022015.pdf
• http://www.databreachtoday.com/attacks-on-insurers-lessons-learned-a-8530
• http://www.databreachtoday.com/insurer-bupa-blames-breach-on-rogue-employee-a-10111
• http://www.databreachtoday.com/uk-insurance-co-hack-impacts-93000-a-6346
• http://www.dfs.ny.gov/consumer/alert_columbian_security_breach.htm
• http://www.databreachtoday.com/anthem-breach-tally-788-million-affected-a-7946
• https://www.scmagazine.com/state-farm-security-incident-resulted-in-compromised-customer-data/article/529371/


TAX CUTS & JOBS ACT
Provisions of Interest to Insurers
Presented by: Brandy Shy & Kara Cramer

Introductions

Brandy Shy, Director
Kara Cramer, Senior Manager


OUR GOALS FOR TODAY
1. Outline Basic Provisions Applicable to All Corporations
2. Discuss Insurance-Specific Provisions
3. Summarize the Income Tax Accounting Effect of Bill
4. Highlight Tax Reform & Tax Planning Opportunities


GENERAL CORPORATE PROVISIONS
On the whole, some good news for corporations

View from 30,000 Feet
• Reduction in federal corporate income tax rate to 20%
• Repeal of alternative minimum tax (AMT)
• Offset of regular tax with AMT credits
• Net operating losses (NOLs)
  • Unlimited carryforward
  • No carrybacks
  • Limited to 90% of regular taxable income
  • Carve-out for P&C NOLs
• 100% bonus depreciation & expanded §179 expensing


GENERAL CORPORATE PROVISIONS
Some not-so-good news for corporations

View from 30,000 Feet
• Change to deferred compensation rules & definition of “substantial risk of forfeiture” (?)
• Limitation on deductibility of business interest
• Modifications to §162(m)
• Dividends received deduction reduction
  • 70% DRD reduced to 50%
  • 80% DRD reduced to 65%
• Credits
  • Low income housing credits
  • Research & experimentation
  • Most others eliminated


CORPORATE TAX RATE
One federal tax rate for all C corporations

Can the Bill Pass with 20% Tax Rate?
• Current top tax rate of 35% is highest in the industrialized world
• Trump proposed a 15% tax rate
• 20% tax rate is aggressive
• Will the tax rate settle at 25%?


AMT REPEAL
This trap for the unwary particularly impacted P&C & small life insurers

Goodbye AMT!
• Corporations allowed a credit for AMT – used to offset regular tax to the extent it exceeded tentative AMT in future years
• A prepaid tax to most companies
• Small life insurers – many paid AMT with limited ability to claim credit (see slide on SLICD)
• Benefit for P&C companies in poor underwriting years


AMT CREDITS
Easier to use credits from pre-law periods, including refund mechanism

AMT Credits – A Thing of the Past?
• Use AMT credits to offset regular tax
• Excess credits are refundable (over an established period)


NET OPERATING LOSSES
The Lord Giveth, the Lord Taketh Away …

Net Operating Losses (NOLs)
• Conforms life operations loss deduction rules to NOLs
• No carryback of NOLs
• Indefinite carryforward
• Annual limitation of 90% of regular taxable income
• Capital loss carryback & carryforward rules unchanged
• Modified Senate plan (11/14/17)
  • Annual limitation of 80% of regular taxable income after 12/31/23
  • Preserves current law for NOLs of P&C companies


LIBERALIZING FIXED ASSET EXPENSING
Bonus Depreciation & §179

Good News …
• Bonus depreciation increased to 100% for assets placed in service after September 27, 2017 & before January 1, 2023
• §179 expensing
  • Expanded to $5 million (from $500K) with phase-out beginning at $20 million (from $2 million)
  • For additions after December 31, 2017 & before January 31, 2023


DEFERRED COMPENSATION PLANS
Old Rules Intact for Now

That Was a Close One …
• §162(m) changes
  • Repeals commission & performance-based compensation exceptions
  • Changes to “covered employee” definition to align with SEC disclosure rules (CEO, CFO & next 3 highest paid employees)
• Deferred compensation
  • Accelerates income – “No substantial risk of forfeiture”
  • “Not subject to future performance of substantial services”
  • Covenant not to compete (CNC) – no substantial risk of forfeiture
  • Applies to deferrals in 2018 & subsequent years
  • Pre-2018 amounts subject in 2025
  • Removed from House bill & modified Senate plan


NON-LIFE COMPANIES
Focused on reserves & proration

Non-Life Insurance Company Provisions
• Loss reserves
  • Changes in interest rate & payment pattern – reduce tax loss reserves
  • No company election
  • Repeal of §847
• Proration percentage increased from 15% to 26.25%
  • Keeps the after-tax yield of tax-exempt bonds constant
  • Narrows the spread between taxables & tax-exempts


LIFE COMPANIES
Feel the burn …

Life Insurance Company Provisions
• DAC percentages [Withdrawn]
  • 4% for group contracts
  • 11% for other
• Life reserves 76.5% of SAP reserves (8-year phase-in) [Withdrawn]
• 40% company share/60% policyholder share [Withdrawn]
• 8% surtax on life insurance company taxable income [Added]
• §807(f) changes subject to §481 rules
• Inclusion of policyholder surplus account balance in income over 8 years
• NOL/OLD conformity
• Elimination of small life insurance company deduction (SLICD)


GAAP & SAP
Reduction in current federal taxes with short-term impact of DTA reduction

Income Tax Accounting Impact
• Reduction in DTAs
  • Increase GAAP effective tax rate (ETR) in P&L
  • Increase SAP ETR in surplus
  • Not as severe for life companies at 28% vs. 20%
• Elimination of NOL carryback
  • Removes a source of income for GAAP
  • Makes SSAP 101, ¶11.A., effectively moot
• NOL limitation – effect on ¶11.B.

Brandy Shy | [email protected] | 314.231.5544
Kara Cramer | [email protected] | 816.221.6300
