Des Moines Business Record
By Joe Gardyasz
April 27, 2017

What emerging issues are insurance companies’ chief risk officers most concerned about? Cyber threats and new regulatory standards are high on the list.

For Brent Mardis, vice president and chief risk officer for Sammons Financial Group in Des Moines, regulatory risk has been a theme for at least the past five years. Mardis was part of a panel a panel discussion at the Global Insurance Symposium on Wednesday at Veterans Memorial Community Choice Credit Union Convention Center.

“The Department of Labor’s fiduciary rule has taken a lot of our time over the last 18 to 24 months, and will continue to do so for the next 18 to 24 months,” he said. The prolonged low-interest rate environment and cyber risk are also top of mind for Sammons, which specializes in life, annuity and securities sales.

The fourth annual insurance conference, which began Tuesday and ends today, has drawn a record 540 industry leaders, regulators, entrepreneurs and other insurance and technology professionals from across the country as well as globally.

Joining Mardis on the chief risk officers panel were Reddy Pakanati, vice president of credit, collections and analytics at Sherwood Management Co., a California-based jewelry retailer with nearly 100 stores; and Alessandrea Quane, chief risk officer for multinational insurance giant American International Group, and a graduate of Drake University’s actuarial science program. Jeff Lorenzen, chief investment officer of West Des Moines-based American Equity Investment Life Holding Co., moderated the panel.

Not surprisingly, cyber risk is a threat that each of the organizations has in common. Sammons, for instance, now has a dedicated team that assesses cyber risks on a daily basis, Mardis said.

AIG developed a comprehensive cybersecurity program two years ago, said Quane, who leads a global risk management operation for AIG which encompasses about 500 employees.

“I think the insurance industry in general is behind the banking industry in terms of the amount of money and time we’re spending on this topic,” she said. “We do 24/7 monitoring now of incoming attempts at penetration. We also run a series of tabletop exercises where we go through, if something happens, how do we want to react?”

A related major concern as a risk officer, Quane said, is protecting the data within the cyber risk insurance policies themselves and how to handle the threat of a security breach of data stored in the cloud. Working internally and with cybersecurity experts, “we’ve looked to make sure we’re managing that risk in totality relative to the risk appetite that we have,” she said.

Mardis said that Sammons has had outside cyber coverage in place for the past five years. “That provides us with financial assistance if we have a breach; it allows us to access subject matter experts to help us work through those breaches, he said.

Pakanati — who earlier in his career developed a risk and analytics function for Toyota Financial and later headed risk management for financial services at Tesla Motors — said that establishing the right metrics and having everyone from the top down buy into them is key to building an effective risk management culture.

Other emerging risks include a more free-flowing exchange of data internationally, driven by new regulations in Europe, Pakanati said. The European Union’s Public Services Directive 2, or PSD2, for instance, that goes into effect next year will require large traditional banks in Europe to provide access to customer information to smaller institutions that provide third-party services such bill payment or person-to-person transfers, while account holders keep their money in the traditional bank.

“So if I have relationships with five banks in six countries and I use a third-party payer to manage all of those relationships, the banks are now on the hook to provide in standard format all that information, both to me and to the service provider,” he said.

“If you think about that, it puts a lot of the traditional business models at tremendous risk, where data is free-flowing,” Pakanati said. “Technology is going to leapfrog some of the capabilities and the brand names that traditional players have built. So in our business we are kind of playing along with that, and we are partnering with fintech companies in California because we cannot innovate as fast as they do.”

Companies must also be watchful for vulnerabilities of those they do business with. Sammons has recently spent a lot of time ensuring that its business partners have proper cyber programs in place, Mardis said.

“We have a nice little phishing button now on our emails so that when we get emails we don’t think are real, we hit the phishing button,” he said. “And we test our employees on that on a regular basis. So far I’m two for two, which is good. We’re spending a lot of resources to make sure we stay up with what’s going on. But it’s certainly a difficult task and something that I don’t think is going to end soon.”