Highly resolved: PHI priorities for the new year
Good afternoon and thank you for the invitation to be with you today.
This is my first speaking engagement since being appointed last October as APRA Executive Board Member with responsibility for private health insurance (PHI) and life insurance. The past four months have been a hectic but exciting period as I have become reacquainted with the workings of two industries that provide important financial protection and peace of mind to the community. I have already had the chance to talk to many stakeholders in PHI and to hear perspectives on the industry's outlook – including both opportunities and challenges.
The start of a new year always provides us with an opportunity to pause and reflect on what has been going well and what we can improve or focus on in the coming 12 months. And on a personal level, we often translate those reflections into new year’s resolutions (mine was to try to be more conscious of where I spend my time – both in and out of work. The jury is out on whether it’s working!).
If the PHI industry were to reflect right now on its position and trajectory, it would be entitled to feel cautiously satisfied. After many years of declining membership, the past two years have seen the industry’s vital signs start to improve: membership growth has increased for nine successive quarters, and PHIs have made progress developing more innovative solutions to some of the industry challenges – such as via alternative models or partnerships in providing care and through the better use of data. From a prudential perspective, the PHI industry remains sound – policyholders can have confidence that private health insurers have the financial capacity to pay their claims and the industry remains well-capitalised.
Although it’s unfortunate that it took a global health crisis for many Australians to re-evaluate the importance of PHI in complementing our public health system, we know that many of the industry’s long-term structural challenges remain; in particular, increasing pressure on insurance affordability as health care costs continue to outpace wages growth, and an ageing population with associated higher claims costs. Coupled with this is a challenging macroeconomic environment. Higher inflation, interest rates and workforce constraints put pressure on the costs of providing healthcare and on household budgets – pressures which could see those sustainability risks increase once more. As APRA has stated previously, responding effectively to these challenges will require a co-ordinated effort by all industry participants, including insurers, regulators and Government.
A few days ago, APRA released its annual Policy and Supervision Priority papers. These documents – which are the closest we have to an organisational new year’s resolution – outline our key priorities for the industries we regulate. In PHI, we remain focused on bolstering the industry’s financial resilience and long-term sustainability through measures such as embedding the new capital framework. Many of our other priorities for PHI, however, are issues that impact all APRA-regulated industries, such as cyber risk, operational risk and risk culture.
Ultimate responsibility for addressing these pressure points sits with PHIs and their boards. So today, I’d like to talk to you about some of the things that should be front of mind for you as board directors this year as you make decisions on behalf of the policyholders that you serve.
Since the very first speech APRA gave on cyber risk back in 2018, we have been consistent in our message that a material cyber attack on an APRA-regulated entity was a matter of when – not if. So let me start by asking you some questions: do you know what data you are holding? Do you know where that data is stored and whether it is stored safely? And a question that a lot of boards are now asking themselves is: do you need to retain all the data that you have?
Late last year, a material cyber attack became an unfortunate reality for one private health insurer – a stark reminder that there is no room for complacency and reinforcing the need for ongoing vigilance and focus by boards on operational resilience. As the earlier data breach at Optus demonstrated, not even the country’s biggest corporations are immune from a breach.
That doesn’t mean we should be fatalistic or complacent. Cyber risks are escalating and evolving globally, and financial services companies are among the most prized targets for criminals, opportunists and others with bad intent. There has certainly been a clear shift from cyber criminals wanting to disrupt services to the weaponization of data. The impacts of a data loss are enormous – particularly given the highly personal and sensitive nature of the data that PHIs hold.
For these reasons, I want to reiterate that as board directors, cyber security and IT data risks should be front of mind for you.
All private health insurers responded to APRA's 2022 Technology Resilience Survey, which helped to provide insight into the management of technology resilience risks for the industry. We can see that considerable effort has gone into considering the risks that were uncovered since we last surveyed the industry in 2019.
However, there remain several areas that warrant improvement, so I want to share with you some of the things I encourage you to actively think about and question as board members.
Firstly, think carefully about your exposures to critical service providers and better consider what you need to do if one or more of those providers is significantly compromised. Ensure you adequately interrogate key service providers on their cyber controls and any contagion risk because their failures quickly become yours. Members Health Fund Alliance members are understandably proud of the trust placed in them by their policyholders. Your customers have placed that trust in you, not your service providers.
Secondly, ensure you not only have your systems in place, but are satisfied those systems are regularly tested. Critically, this extends to recovery testing to ensure data can be restored from backups in a timely manner. Be clear on the status of critical systems and if they are near end of life, ensure actions are being taken to address that risk.
Thirdly, ensure you are well-prepared. Does everybody in your organisation understand their roles and responsibilities during a crisis? Do you have a well thought-out and practiced playbook? Have you conducted dynamic simulations? Have you preselected external partners to help you manage through a crisis?
And finally, ensure you have adequate IT risk governance and IT audit coverage to help identify and address current and emerging issues.
As I outlined late last year, APRA will be intensifying its supervision of all entities not meeting Information Security Prudential Standard CPS 234, based on the results of independent reviews and supervisory activities. We will also enforce and uplift business continuity testing capabilities through implementation of Prudential Standard CPS 230 Operational Risk Management (CPS 230).
In summary, we want to see you remaining vigilant and proactively addressing the growing threats in this space.
Another supervisory focus area for APRA in 2023 is outsourcing. This continues to be a key feature of the PHI industry, with many outsourced services such as claims management and hospital contracting being essential to the smooth functioning of an insurer. A board’s decision to outsource parts of its operations and its choice of service provider have the potential to significantly impact outcomes for policyholders.
APRA recently issued letters to PHIs outlining observations arising from its 2022 outsourcing thematic review of selected insurers in the private health insurance industry. We expect insurers to incorporate the observations in preparing for the cross-industry CPS 230.
The good news is that, overall, the thematic review found that outsourcing policies are fit-for-purpose and that controls are generally appropriate. There are, however, opportunities to improve practices in contingency planning and testing, strengthen monitoring of outsourcing risk within enterprise risk reporting, and develop assurance activities on key outsourcing controls.
The letters to each insurer provide detail on several key elements APRA expects to see across all entities we regulate with regards to outsourcing risk and control frameworks. But there are two I would like to call out today.
The first is contingency planning. There was only one example of a strong contingency plan identified during the thematic review. Where contingency plans were in place for an outsourced material business activity, they deferred to the business unit’s business continuity plan rather than planning for the permanent loss of a service provider as well as a temporary disruption.
The second area where PHI practices fell short of better practice relates to monitoring of outsourcing risk and assurance of controls. All the insurers involved in the thematic review reported that they had not performed independent testing of the effectiveness of key outsourcing controls by either the first line or second line of defence. Most assurance activity relied on attestations from management, monitoring of key performance indicators and audit reporting from material service providers.
Business disruptions will inevitably occur and problems at service providers can quickly impact on the availability and level of service provided by the insurer, with flow-on impacts to both the financial system and the quality of service received by your policyholders.
The ability to continue operations in the face of disruptions is critical to maintain community confidence. Considering the high concentration risk amongst critical service providers in PHI, boards must have strong governance processes in place to adequately monitor outsourced services, seek independent assurance on the effectiveness of key outsourcing controls, and a contingency plan if these arrangements fall over.
Strengthening operational resilience should be a focus for you in 2023, particularly the oversight of third-party service provision, IT systems resilience, and the maturity of operational risk and compliance functions and practices.
A broader agenda
Before closing, I’d like to touch on a couple of other things that are on APRA’s 2023 agenda for PHI.
As you know, our new PHI capital framework will come into effect on 1 July this year. It is a framework that will strengthen the financial resilience of private health insurers for the protection of policyholders. I want to thank many of you here today for your thoughtful input as we consulted with industry on the changes.
A requirement under the framework is for insurers to have an Internal Capital Adequacy Process (ICAAP) which will replace the current Capital Management Plan (CMP) requirement. contained in Prudential Standard HPS 110 Capital Adequacy. While many of you are familiar with the key components of an ICAAP, I want to reinforce a couple of key points on APRA’s expectations regarding this process.
The ICAAP is fundamentally the responsibility of the board. The board should be actively engaged in the development of the insurer’s ICAAP and its implementation and must ultimately approve the ICAAP. While the ICAAP may be developed by senior management with input from relevant areas (including the Appointed Actuary), the capital standards require the board to be actively engaged in the development and finalisation of the ICAAP and the oversight of its implementation on an ongoing basis.
APRA expects that preparing the ICAAP, the summary statement, and report will be an education process for both insurers and boards at first. We are not expecting perfection on the first attempt. However, APRA does expect boards to robustly challenge the assumptions and methodologies behind the ICAAP and the associated documentation. We also expect the board to understand and to be able to explain the key aspects of the ICAAP and why it is appropriate for the insurer. There should be clear links between the ICAAP and the insurer’s risk management framework. Boards should be confident that, where there is a material change in risk appetite, the impact is considered in the ICAAP and there is a clear description of why – or why not – the ICAAP has changed as a result.
The new capital framework should be taken as an opportunity for a comprehensive reassessment of an insurer’s capital requirements. Setting target levels of capital based on the insurer’s assessment of its capital needs is a key component of an ICAAP. Good practice would involve modelling, stress testing and scenario testing to establish linkages between risk appetite and capital and as essential inputs into the determination of target capital.
Transitional arrangements are in place to support insurers with the ICAAP requirement, and for insurers here today, an ICAAP transition plan will be required which should help you think about the transition from current CMP requirements to the ICAAP.
Risk culture is another item on APRA’s agenda for all regulated entities. The important role the board plays in the risk culture of any organisation has been well documented by APRA. In short, a board needs to understand the risk culture in the insurer and the extent to which that risk culture supports the insurer’s ability to operate consistently within its risk appetite. APRA has completed risk culture surveys across several insurance entities and plans to share insights from the surveys for insurance soon, so all entities can elevate their own practices.
Finally, APRA plans to continue our work on modernising the prudential architecture. Our end goal is a digital framework that is easier for the industry to understand and comply with. As part of this work, the industry can expect several things. First, future reviews of standards that include a focus on rationalising existing requirements and better embedding guidance and FAQs. Secondly, more opportunities to engage with APRA to address key pain points and improve the overall design of the framework. Lastly, industry can expect opportunities to work with APRA on the development of a prototype digital prudential handbook, which will bring together standards and guidance into a new digital format that will be easier to navigate, search and filter.
Viva la resolution
Australia’s private health insurance industry has a long and proud history of delivering care to millions of Australians. This record of service has only been underlined throughout the pandemic as the industry has successfully complemented the public system to manage health outcomes during a hugely challenging period. APRA also recognises the close connection between not-for-profit, regional and community-based insurers and the communities they serve.
But to continue fulfilling that commitment, insurers must remain relevant and financially resilient in a rapidly changing world. Although the PHI industry starts 2023 in its strongest position for some time, structural barriers to long-term sustainability remain. Some, such as declining affordability or the potential for deferred claims from COVID, can’t be resolved in the space of a year. Others, such as Australia’s ageing population or the growing cyber threat, may never be fully resolved.
However, we can resolve to confront them in order to put PHI on the long-term sustainable trajectory that will ensure the industry’s proud and successful history translates to being a proud and successful future. On that score, I look forward to working closely with you in 2023 and the years ahead because you do play such a critically important role for the Australian community.