Sep 15, 2023

Insurers Admit to Limited Governance of Data Ethics

The Irish regulator has published a survey of 'data ethics and insurance'. The standout finding is just how little insurers have done on data ethics in their governance and risk management systems.

Irish insurers are under pressure on data ethics

Insurers in Ireland are regulated by the Central Bank of Ireland (CBoI) and as part of their ‘Future Focussed’ strategy, CBoI has published a survey on ‘Data Ethics within Insurance’.

In many ways, the opportunities and risks they identify in relation to the sector's digitalisation, along with the priorities of insurers, are pretty much as I would expect.

What stood out for me, however, was the section on ‘governance risks’. Their findings were pretty damning. Here’s how CBoI set it out...

some firms had established data governance committees, which were generally focussed on data quality, data protection, information security and use of external data.
a limited number of firms had an explicit focus on ethical considerations.
most firms did not have explicit definitions of data ethics or specific policies in relation to data ethics.
many firms looked to GDPR and information security in response to questions related to data ethics considerations.
in relation to models, most firms did not have an enterprise wide model inventory or enterprise-wide model risk procedures in place.

Expectations on Governance

The CBoI report is a masterpiece of diplomatic writing. The narrative tone is so measured, so rounded that insurers are in danger of being lulled into a false sense of security. That is what makes the section ‘observations on governance risks’ stand out...

“...the Central Bank... stresses the need for firms to explicitly consider ethics. It is important for firms to note the Central Bank’s expectation in this respect would extend far beyond compliance with existing requirements and controls e.g. GDPR.” (my underlining)

Put the findings alongside the observation and the conclusion that insurers should draw is that they are running a significant governance risk around data and ethics. The regulator has explicitly set expectations for governance standards at a level “far beyond” compliance.

Is ‘far beyond’ a proportionate statement? I think it is, for the survey findings point very strongly to data ethics being equated with data protection and little more. Insurers have been thinking that working within the GDPR satisfies expectations around data ethics, which is far from the case.

And for most firms, by their own admission, not to have a model inventory or model risk procedures is extraordinary. That points to all sorts of problems ahead with model alignment and development. It’s a bit like being in charge of a big ship and not caring how it moves forward.

Some Clear Steps

There are some clear steps that insurers in Ireland need to move forward on quickly.

First and foremost, they need to dramatically increase knowledge around data ethics at board and senior management level. An earlier survey by CBoI pointed to this being too low.

Then insurers need to widen their perspective on what they mean by data ethics and align it firmly with their corporate strategy. Leaders then need to be clear about their firm’s commitment to data ethics and what this means for its strategy.

And they need to do a proper risk management job around data, ethics and their associated management systems, and to then plug what comes out of that into their wider systems (not just compliance ones). The danger to avoid here though is that insurers do a big push on data ethics but then leave it to wither on the vine.

Similarities and Differences

Is this a situation peculiar to just Irish insurers? I think not. A similar survey of UK insurers would I believe reveal a pretty similar situation. This makes these two CBoI surveys worth reading over here.

Where the real difference lies of course is with Ireland having a regulator willing to spend time and money on data ethics, and the UK having a regulator that started by talking bold but who now does nothing.

If you’re working on your firm's approach to data ethics, consider bringing me in as an independent and expert voice. This broadens the perspectives that decisions will be based around. Get in touch here.
Duncan Minty
Duncan has been researching and writing about ethics in insurance for over 20 years. As a Chartered Insurance Practitioner, he combines market knowledge with a strong and independent radar on ethics.