Enterprise Risk Management - CPA Firms | Accountant | Financial …
TRANSCRIPT
ERM Process – Overview
Contents of Presentation
• ERM Defined
• Common Mistakes
• Risk Components
• ERM Process
• Summary
• Questions
ERM Defined
• Enterprise risk management (ERM) is the process of planning, organizing, leading & controlling the activities of an organization in order to minimize the effects of risk on an organization’s capital & earnings
ERM Defined
• ERM program: everything an organization does to identify & mitigate risk
• ERM policy: a single company document that defines & organizes the overall ERM program of an organization. This document often refers to other documents (investment, operation & underwriting plans) in order to also define specific ERM risk policies
Common Mistakes
• Indicating that you do not have an ERM program
  • The ERM program includes all policies around risk
  • Be honest while demonstrating risk controls
• Adopting a policy of another insurer
  • Your organization is unique & has specific risks
  • Anything within an official policy must be followed
ERM – Main Risk Areas
Underwriting Risk
• Expenses
• Persistency
• New Business
• Claims
• Mortality
• Policyholder Behavior
• New Regulations
Operational Risk
• Cyber Risk
• Taxes
• Regulatory Changes
• Reputational
• Fraud
• Mismanagement
• Employee Turnover
Investment Risk
• Asset/Liability Management
• Diversification
• Market/Reinvestment Risk
• Credit Risk
• Interest Rate Risk
• Liquidity Risk
• Surplus Drift
ERM Process – Encourage a Risk Focused Culture
• Buy-in at the top level
• Lead by example
• Encourage a risk focus
• Reward
ERM Process – Committees
• ERM committee
  • Responsibilities
  • Chief Risk Officer
  • Risk appetite statement
• Sub-committees
  • Investments/underwriting/operations
  • Diversity
  • Establish base for open dialogue
ERM Process – Identify Risks
• Sub-committee initial risk identification
  • Dedicated, distraction-free initial meeting
  • Open “brainstorming”
  • Follow-up risk review meeting
• Sub-committee risk assessment – “heat map”
  • Probability of risk occurring
  • Magnitude of impact upon occurrence
  • Top risk recommendations to ERM committee
• ERM committee review
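As an added illustration of the sub-committee heat-map step (example code written for this page, not BKD’s or the presenter’s material), the Python below scores each register entry by probability × impact, places it on a 5×5 heat map and ranks the top recommendations for the ERM committee. The risk names come from the Main Risk Areas slide; the 1..5 rating scales, the red/amber/green thresholds and the ratings themselves are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One entry in a sub-committee risk register (rating scales are an assumption)."""
    name: str
    area: str          # Underwriting, Operational or Investment
    probability: int   # 1 (remote) .. 5 (almost certain) that the risk occurs
    impact: int        # 1 (negligible) .. 5 (severe) magnitude upon occurrence

    def __post_init__(self):
        # Reject ratings outside the agreed scale so a typo cannot skew the ranking
        if not (1 <= self.probability <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.name}: probability and impact must be rated 1..5")

    @property
    def score(self) -> int:
        return self.probability * self.impact


def zone(score: int) -> str:
    """Heat-map colour for a probability x impact score (thresholds are an assumption)."""
    if score >= 15:
        return "red"
    if score >= 8:
        return "amber"
    return "green"


def heat_map(risks):
    """Group risk names by (probability, impact) cell of the 5x5 map."""
    cells = defaultdict(list)
    for r in risks:
        cells[(r.probability, r.impact)].append(r.name)
    return dict(cells)


def top_risks(risks, n=3):
    """Recommendations for the ERM committee: highest score first, ties broken by impact."""
    ranked = sorted(risks, key=lambda r: (-r.score, -r.impact, r.name))
    return [(r.name, r.area, r.score, zone(r.score)) for r in ranked[:n]]


def render(risks) -> str:
    """Text heat map: impact down the rows (5 at the top), probability across the columns."""
    cells = heat_map(risks)
    header = "impact \\ probability" + "".join(f"{p:>10}" for p in range(1, 6))
    lines = [header]
    for i in range(5, 0, -1):
        row = f"{i:>20}"
        for p in range(1, 6):
            names = cells.get((p, i), [])
            label = f"{len(names)} {zone(p * i)}" if names else "-"
            row += f"{label:>10}"
        lines.append(row)
    return "\n".join(lines)


# Constructed sample register: the names come from the deck's Main Risk Areas slide,
# the ratings are illustrative values made up for this example.
REGISTER = [
    Risk("Cyber Risk", "Operational", 4, 5),
    Risk("Interest Rate Risk", "Investment", 3, 4),
    Risk("Persistency", "Underwriting", 3, 2),
    Risk("Fraud", "Operational", 2, 4),
    Risk("Liquidity Risk", "Investment", 1, 5),
    Risk("Mortality", "Underwriting", 2, 3),
    Risk("Employee Turnover", "Operational", 4, 2),
]

if __name__ == "__main__":
    print(render(REGISTER))
    for name, area, score, colour in top_risks(REGISTER):
        print(f"{name:<20}{area:<14}score={score:<3}{colour}")
```

Ties on the raw score are broken by impact rather than probability, so a low-frequency but severe event (a fraud loss, a liquidity squeeze) is carried up to the ERM committee ahead of a frequent nuisance with the same product.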
ERM Process – Quantify Measurement Tools for Top Risks
• Examples – persistency ratios, product line profitability, solvency ratio trends in a multiyear budget
ERM Process – Policies
• Mitigation strategies
  • Simple policies – ERM document
  • Comprehensive policies – separate documents
• Event occurrence strategies
  • Disaster recovery
  • Cyberbreach
• ERM reports
  • Defined within policies
  • Trigger limits
ERM Process – Other Documents
• ERM policy connects all company policies
• ERM program runs throughout the entire organization like tree branches & roots
• Examples of external ERM investment policies
  • ALM policy
  • Diversification policy
  • OTTI policy
  • Surplus volatility policy
Investment Policy Examples
• Is surplus & the asset valuation reserve properly considered in diversification (diversification policy)?
• Are the assets appropriate for the products that are sold to policyholders (for life companies)?
• Does the organization have an appropriate other than temporary impairment (OTTI) policy?
Diversification an Insurance Company Should Consider
• Size of any investment as it relates to the capital or unassigned funds of the firm
• The amount of any AVR (for life insurance companies)
Important to Consider Diversification
• Across all categories in assessing the risk of any investment portfolio
• By asset type, geographic location, industry, collateral type, coupon, maturity & placement into the market
Performance for Insurance Companies Is Centered On
• Enhancements to net investment income
• Positive impacts to capital/unassigned funds
• Understanding statutory accounting
• NAIC regulation
What Is the Main Factor That Determines Appropriate Portfolio Maturity & Cash Flows?
• The type of products offered by the insurer
ERM Process – Documentation
• Establish ERM meeting frequency in the ERM policy
• Establish ERM reporting within the ERM policy
• Keep it simple
• Keep it organized (timeline checklist)
• Follow through with all reporting requirements
• Maintain good minutes
ERM Process – Review
• Minimum of annual policy review
• Strategic planning process
• Annual board approval
Summary
• Begin the process
• Understand ERM is already a part of the organization
• ERM is a “living & breathing process”
• ERM regulations will change & adjust
Theron Robert Holladay Sr., CFA | [email protected] | 800.692.5123
The information contained in these slides is presented by professionals for your information only & is not to be considered as legal advice. Applying specific information to your situation requires careful consideration of facts & circumstances. Consult your BKD advisor or legal counsel before acting on any matters covered
BKD, LLP is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.nasbaregistry.org.
Your Presenter
Jan Hertzberg, Director
• Cybersecurity practice leader
• More than 30 years of experience providing IT audit, risk, cybersecurity & privacy compliance services
Rapidly Evolving Cyberthreats – Motivational Shifts
[Figure: additive motivation progression line. Actors shown: hacktivists, fraudsters, nation-states. Motivations shown: theft, disruption, destruction.]
Data Breaches in the News (2015–2017)
• Credential theft led to unauthorized access to policyholder NPI
• A State Farm third-party vendor’s employees were misappropriating customer funds & misusing payment cards
• Exposure of electronic protected health information (HIV patient information)
• 143 million consumers’ personal data was stolen
Equifax Breach Timeline
• Early March – First Warning: IT department receives notice that Apache Struts needs a security patch. Patching policy states it must be taken care of within 48 hours
• Late March – Patch Ignored: Patching policy isn’t followed. Vulnerability scans don’t detect any issues with Apache Struts
• July 29 – Suspicious Activity: Senior officials are aware of suspicious activity & notify CIO
• July 31 – CIO Informs CEO: CIO informs CEO of breach. CEO is unaware of scope or that customer data has been stolen
• August 15 – Data Stolen?: CEO learns that customer data has “likely been stolen”
• August 22 – Yes, Data Stolen: CEO holds senior leadership meeting & finds out that large volumes of customer data have been stolen. He informs the board director
• August 24–25 – Informed Board: CEO informs the board that there has been a breach. This is a full month after it was initially detected
• September 1 – Scale & Remediation: Board meets to discuss the scale of the breach & remediation efforts
• September 7 – Public Notification: Public breach announcement that 143 million customers’ information has been stolen
Cyber Risk & the Insurance Industry
• Carriers maintain significant amounts of customer PII/ePHI
• Given the nature & quantity of the data, a breach may cause serious impact
• Receiving increasing focus by regulators
• Technology
  • Common systems across the insurance industry increase vulnerability for all, e.g., Broker Office, Smart Office, United Systems & Software Incorporated
  • Shared infrastructure across multiple lines of business may increase risk
  • Lagging adoption of common protective technologies, e.g., two-factor authentication
Potential Breach Impacts
• Negative publicity
• Regulatory sanctions
• Refusal to share personal information
• Damage to brand
• Regulator scrutiny
• Legal liability
• Fines
• Damaged customer relationships
• Damaged employee relationships
• Deceptive or unfair trade charges
• Diversion of resources
• Lost productivity
Interesting Statistics
• Timing
  • In 93% of breaches, it took attackers minutes or less to compromise systems (Adobe products easiest to hack; Mozilla the most difficult)
  • In 83% of cases, it took weeks or more to discover an incident occurred
  • Attackers take the easiest route (63% leveraged weak, default or stolen passwords)
  • 95% of breaches were made possible by nine patterns, including poor IT support processes, employee error & insider/privilege misuse of access
• Companies go back to basics once breached
  • 53% training & awareness
  • 49% additional manual controls
  • 52% expand use of encryption
  • 19% security certification or audit
• Financial loss
  • In 2015, NYDFS surveyed insurers that reported data breaches within 12 months
  • 70% reported no loss, 23% reported a loss < $250,000, 2% reported a loss between $250,000 & $500,000 & 2% reported between $6 & $10 million
Source: Verizon Data Breach Report, 2016
What Drives Cost of Breaches?
$ Increase
• Third-party involvement
• Extensive cloud migration
• Rush to notify
$ Decrease
• BCM involvement
• Employee training
• Extensive use of encryption
• Incident response team
Amounts shown on the slide: $20, $15, $14 (increase factors) & $13, $15, $18, $25 (decrease factors)
Source: Ponemon 2016 Cost of Data Breach Study
Regulatory Response Over Time
• 1934 – SEC Act
• 1974 – Family Educational Rights and Privacy Act (FERPA)
• 1996 – HIPAA
• 1998 – Safe Harbor (European Union)
• 2000 – 17 CFR Part 248 (Brokers Consumer Protection)
• 2001 – Cybersecurity Enhancement Act
• 2003 – California Data Breach Law
• 2006 – Indiana Breach Notification Law
• 2006 – PCI DSS
• 2009 – HITECH
• 2013 – HIPAA (Omnibus)
• 2016 – NAIC Insurance Data Security Model Law
• 2017 – New York Department of Financial Services Cyber Regulation
• 2017 – Executive Order Strengthening the Cybersecurity of Federal Networks & Critical Infrastructure
• 2018 – General Data Protection Regulation (GDPR)
NAIC Guidance
• Requirements include
  • Access controls are placed on systems
  • Physical access is restricted
  • PII is encrypted in transit or storage
  • System modifications adhere to licensee’s information security program
  • Multifactor authentication, segregation of duties & background checks are used
  • Systems are monitored for breaches
  • Implement response programs when needed
  • Measures are implemented to protect data against destruction &/or loss
  • Information is properly disposed of when no longer needed
Source: National Association of Insurance Commissioners, “Insurance Data Security Model Law,” 2016
NYDFS Guidance
• Requirements include
  • Cybersecurity events are detected
  • Detected events are responded to & negative effects are mitigated
  • Normal operations & services are restored after attacks
  • Applicable regulatory reporting obligations are fulfilled
  • Each covered entity has a “Cybersecurity Program” protecting confidentiality, integrity & availability of covered entity’s information systems
  • Internal & external cybersecurity risks that threaten private consumer information on covered entity’s information systems are identified
  • Defensive infrastructure & policy implementation to protect from unauthorized access are used
Source: NYDFS 23 NYCRR 500
NAIC Model Law vs. NYDFS Cyber Regulation
NYDFS Cyber Regulation
• Written statement to superintendent covering the prior calendar year by February 15
• Penetration testing & vulnerability assessments
• Written cybersecurity policies approved by a senior officer
• Chief Information Security Officer is required
• Financial audit trail retained for five years & an audit trail designed to detect & respond to cybersecurity events
Both
• Security program
• Cyber risk assessment
• Third-party risk assessments
• Response planning
• Multifactor authentication
• Incident response plan
• Individual assigned to coordinate security program
NAIC Model Law
• Oversight by board of directors or appropriate committee of the board
• Required investigation of cybersecurity event by licensee or outside service provider/vendor
• Notification of cybersecurity event to state commissioner no later than 72 hours from determination the event occurred
• Licensee is required to communicate to the consumer the information provided to commissioner based on state’s law & if consumer data is compromised
• If licensee is an insurer, they are required to communicate to affected consumers within 72 hours
Transitional Periods
• 180 days – 500.22: Covered entities shall have 180 days from the effective date of this Part to comply with the requirements set forth in this Part, except as otherwise specified
• 1 year – 500.04(b), 500.05, 500.09, 500.12, 500.14(b): Covered entities have one year from the effective date of this Part to comply with the requirements of Sections 500.04(b), 500.05, 500.09, 500.12 & 500.14(b) of this Part
• 1.5 years – 500.06, 500.08, 500.13, 500.14(a), 500.15: Covered entities have eighteen months from the effective date of this Part to comply with the requirements of Sections 500.06, 500.08, 500.13, 500.14(a) & 500.15 of this Part
• 2 years – 500.11: Covered entities have two years from the effective date of this Part to comply with the requirements of Section 500.11 of this Part
Source: NYDFS 23 NYCRR 500
Health Insurance Portability & Accountability Act (HIPAA)
• Covers
  • Health care providers, payors & clearinghouses
  • Employers who administer their own health plans
  • Business associates
  • Hybrid entities
• Protected health information (PHI)
  • Entities may only use or disclose PHI as permitted
• Enforced by
  • Department of Health & Human Services
  • State attorneys general
• Introduced
  • HITECH (2009) & The Omnibus Rule (2013)
Ransomware – the Threat
• U.S. government interagency report: there have been 4,000 daily attacks since early 2016 (300% increase over 2015)
• Exploits human & technical weakness to gain access to infrastructure to deny organization its own data
• Malicious software (malware) infects systems & encrypts user data
• HIPAA Security Rule requires
  • Conducting risk analysis to identify threats & vulnerabilities; remediate gaps
  • Implementing procedures to guard against & detect malware
  • Training users to detect & report malware
  • Implementing access controls to limit access to ePHI to only those persons or software programs requiring access
Payment Card Industry Data Security Standard (PCI DSS)
• Covers
  • Businesses accepting credit & debit card payments
  • “Card Present” transactions (card swipes)
  • “Card Not Present” transactions (eCommerce)
• Cardholder data
  • Handling, processing & transmission by “merchants”
• Enforced by
  • Credit card brands
  • “Acquiring Bank” responsible for processing payment transactions
• Introduced
  • PCI Security Standards Council (PCI SSC), consisting of five credit card brands (Visa, MasterCard, Discover, American Express & JCB), created the PCI DSS in 2006; updated on three-year cycle
What Do Boards Want to Know?
What do we consider our most valuable assets? How does our IT system interact with those assets? Do we believe we can fully protect those assets?
Do we think there is adequate protection in place if someone wanted to get at or damage our corporate “crown jewels?” If not, what would it take to feel comfortable that our assets are protected?
Are we investing enough so our corporate operating & network systems are not easy targets by a determined hacker?
Are we considering cybersecurity aspects of our major business decisions, such as mergers & acquisitions, partnerships, new product launches, etc., in a timely fashion?
Source: National Association of Corporate Directors (NACD), 2016–2017 NACD Public Company Governance Survey
Five Principles of Cyber Risk Oversight
1. Organizations need to understand & approach cybersecurity as an enterprisewide risk management issue, not just an IT issue
2. Understand legal implications of cyber risks as they relate to their organization’s specific circumstances
3. Have adequate access to cybersecurity expertise, & discussions about cyber risk management should be given regular & adequate time on the board meeting agenda
4. Set the expectation that management will establish an enterprisewide cyber risk management framework with adequate staffing & budget
5. Include identification of which risks to avoid, accept, mitigate or transfer through insurance, as well as specific plans associated with each approach
NIST Cybersecurity Framework (NIST CSF)
• Background
  • Published February 12, 2014, by the National Institute of Standards & Technology (NIST)
  • Voluntary federal framework (not a set of standards) for critical infrastructure services
  • Provides common language for organizations to assess, communicate & measure improvement in security posture
• Controls
  • High-level controls provide framework of “what” but not “how”
  • Five functions, 22 control categories & 98 key controls derived from industry best practice & standards
  • Contains four maturity tier ratings
NIST Cybersecurity Framework
Framework Categories
Identify
• Asset Management
• Business Environment
• Governance
• Risk Assessment
• Risk Management Strategy
Protect
• Access Control
• Awareness & Training
• Data Security
• Information Protection Processes
• Maintenance
• Protective Technology
Detect
• Anomalies & Events
• Security Continuous Monitoring
• Detection Processes
Respond
• Response Planning
• Communications
• Analysis
• Mitigation
• Improvements
Recover
• Recovery Planning
• Improvements
• Communications
Framework Benefits
• Comprehensive in scope
• Intuitive
• Risk-based – allows the organization to prioritize remediation activities depending on the organization’s risk appetite & cybersecurity control maturity desired
• Commonly accepted standard – provides basis of consistent assessment in the future
Overall Assessment Approach
Phase 1 – Discovery
• Determine business & compliance requirements for cybersecurity
• Review documentation related to cybersecurity infrastructure, e.g., network diagrams, asset inventory
• Identify systems & data stores containing personally identifiable information (PII), electronic protected health information (ePHI), etc.
Phase 2 – Analysis
• Conduct on-site interviews with key stakeholders to
  • Document processes that identify cyber risk, protect key information assets, detect/respond to threats & recover should a breach occur
  • Evaluate process/control maturity & determine risk
Phase 3 – Remediation Planning
• Identify recommendations & action plans addressing remediation activities to be completed
• Identify type of investment, e.g., resources, hardware/software
SOC for Cybersecurity
• Objective: provide a common framework through which an organization can communicate relevant, useful information about the effectiveness of its cybersecurity risk management program
• Components of the entity-level cybersecurity reporting framework
  • Management’s description
  • Management’s assertion
  • Practitioner’s opinion
• Two criteria to implement the framework
  • Description criteria: used to describe the cybersecurity risk management program
  • Control criteria: used to assess the effectiveness of controls within the cybersecurity risk management program
Summary
• Cybersecurity risk has grown substantially for insurance companies
• Framework-based cybersecurity assessment/attestation allows the company to determine if an effective cybersecurity program is in place
• Remediation activities can be prioritized & scheduled based on level of risk & control maturity
Jan Hertzberg, CIPT, CISA | [email protected] | 630.282.9500
Resources
• ISACA® & Institute of Internal Auditors Research Foundation (IIA RF), “Cybersecurity: What the Board of Directors Needs to Ask,” 2014
• National Institute of Standards & Technology (NIST), “Framework for Improving Critical Infrastructure Cybersecurity,” Version 1.0, February 12, 2014
• National Association of Corporate Directors, “Cyber-Risk Oversight,” Director’s Handbook Series, 2017
• National Association of Insurance Commissioners, “Insurance Data Security Model Law,” 2016
• http://www.verizonenterprise.com/DBIR/2016/
• http://www.dfs.ny.gov/reportpub/dfs_cyber_insurance_report_022015.pdf
• http://www.databreachtoday.com/attacks-on-insurers-lessons-learned-a-8530
• http://www.databreachtoday.com/insurer-bupa-blames-breach-on-rogue-employee-a-10111
• http://www.databreachtoday.com/uk-insurance-co-hack-impacts-93000-a-6346
• http://www.dfs.ny.gov/consumer/alert_columbian_security_breach.htm
• http://www.databreachtoday.com/anthem-breach-tally-788-million-affected-a-7946
• https://www.scmagazine.com/state-farm-security-incident-resulted-in-compromised-customer-data/article/529371/
OUR GOALS FOR TODAY
1 Outline Basic Provisions Applicable to All Corporations
2 Discuss Insurance-Specific Provisions
3 Summarize the Income Tax Accounting Effect of Bill
4 Highlight Tax Reform & Tax Planning Opportunities
GENERAL CORPORATE PROVISIONS – On the whole, some good news for corporations
View from 30,000 Feet
• Reduction in federal corporate income tax rate to 20%
• Repeal of alternative minimum tax (AMT)
• Offset of regular tax with AMT credits
• Net operating losses (NOLs)
  • Unlimited carryforward
  • No carrybacks
  • Limited to 90% of regular taxable income
  • Carve-out for P&C NOLs
• 100% bonus depreciation & expanded §179 expensing
GENERAL CORPORATE PROVISIONS – Some not-so-good news for corporations
View from 30,000 Feet
• Change to deferred compensation rules & definition of “substantial risk of forfeiture” (?)
• Limitation on deductibility of business interest
• Modifications to §162(m)
• Dividends received deduction reduction
  • 70% DRD reduced to 50%
  • 80% DRD reduced to 65%
• Credits
  • Low income housing credits
  • Research & experimentation
  • Most others eliminated
CORPORATE TAX RATE – One federal tax rate for all C corporations
Can the Bill Pass with 20% Tax Rate?
• Current top tax rate of 35% is highest in the industrialized world
• Trump proposed a 15% tax rate
• 20% tax rate is aggressive
• Will the tax rate settle at 25%?
AMT REPEAL – This trap for the unwary particularly impacted P&C & small life insurers
Goodbye AMT!
• Corporations allowed a credit for AMT – used to offset regular tax to the extent it exceeded tentative AMT in future years
• A prepaid tax to most companies
• Small life insurers – many paid AMT with limited ability to claim credit (see slide on SLICD)
• Benefit for P&C companies in poor underwriting years
AMT CREDITS – Easier to use credits from pre-law periods, including refund mechanism
AMT Credits – A Thing of the Past?
• Use AMT credits to offset regular tax
• Excess credits are refundable (over an established period)
NET OPERATING LOSSES – The Lord Giveth, the Lord Taketh Away …
Net Operating Losses (NOLs)
• Conforms life operations loss deduction rules to NOLs
• No carryback of NOLs
• Indefinite carryforward
• Annual limitation of 90% of regular taxable income
• Capital loss carryback & carryforward rules unchanged
• Modified Senate plan (11/14/17)
  • Annual limitation of 80% of regular taxable income after 12/31/23
  • Preserves current law for NOLs of P&C companies
LIBERALIZING FIXED ASSET EXPENSING – Bonus Depreciation & §179
Good News …
• Bonus depreciation increased to 100% for assets placed in service after September 27, 2017 & before January 1, 2023
• §179 expensing
  • Expanded to $5 million (from $500K) with phase-out beginning at $20 million (from $2 million)
  • For additions after December 31, 2017 & before January 31, 2023
DEFERRED COMPENSATION PLANS – Old Rules Intact for Now
That Was a Close One …
• §162(m) changes
  • Repeals commission & performance-based compensation exceptions
  • Changes to “covered employee” definition to align with SEC disclosure rules (CEO, CFO & next 3 highest paid employees)
• Deferred compensation
  • Accelerates income – “No substantial risk of forfeiture”
  • “Not subject to future performance of substantial services”
  • Covenant not to compete (CNC) – no substantial risk of forfeiture
  • Applies to deferrals in 2018 & subsequent years
  • Pre-2018 amounts subject in 2025
  • Removed from House bill & modified Senate plan
NON-LIFE COMPANIES – Focused on reserves & proration
Non-Life Insurance Company Provisions
• Loss reserves
  • Changes in interest rate & payment pattern – reduce tax loss reserves
  • No company election
  • Repeal of §847
• Proration percentage increased from 15% to 26.25%
  • Keeps the after-tax yield of tax-exempt bonds constant
  • Narrows the spread between taxables & tax-exempts
LIFE COMPANIES – Feel the burn …
Life Insurance Company Provisions
• DAC percentages [Withdrawn]
  • 4% for group contracts
  • 11% for other
• Life reserves 76.5% of SAP reserves (8-year phase in) [Withdrawn]
• 40% company share/60% policyholder share [Withdrawn]
• 8% surtax on life insurance company taxable income [Added]
• §807(f) changes subject to §481 rules
• Inclusion of policyholder surplus account balance in income over 8 years
• NOL/OLD conformity
• Elimination of small life insurance company deduction (SLICD)
GAAP & SAP – Reduction in current federal taxes with short-term impact of DTA reduction
Income Tax Accounting Impact
• Reduction in DTAs
  • Increase GAAP effective tax rate (ETR) in P&L
  • Increase SAP ETR in surplus
  • Not as severe for life companies at 28% vs. 20%
• Elimination of NOL carryback
  • Removes a source of income for GAAP
  • Makes SSAP 101, ¶11.A., effectively moot
• NOL limitation – effect on ¶11.B.
Brandy Shy | [email protected] | 314.231.5544
Kara Cramer | [email protected] | 816.221.6300