Supervisory authority reprimands Axa over data protection

The financial regulator Bafin has publicly reprimanded Axa health insurance for deficiencies in its information technology (IT). This is the first time in its history that the regulator has resorted to this measure. “An examination of the IT-related business organization showed that the business organization was not proper in all areas examined,” Bafin said. The deficiencies are “to be eliminated in a timely manner”.

It also obliged the company to hold more risk capital, because the IT problems pose an additional risk. The authority did not name the amount of the surcharge.

Neither the insurer nor the supervisory authority wanted to say what problems Axa had with its data systems. But Frank Grund, head of insurance supervision at Bafin, had repeatedly demanded better security systems against external attacks by cybercriminals and against unauthorized internal data access. “We attach great importance to the security measures being up to date,” he told the SZ in February. The supervisors have carried out tests: “The result is quite sobering.”

A problem for many insurers is poorly controlled access to data. As a result, even employees who have nothing to do with the relevant processes can see which medical bills a neighbor has submitted or which liability claims an acquaintance has reported.

With the public criticism of Axa, the supervisory authority is fundamentally changing its approach. Until now, it has discreetly asked the insurers concerned to make changes when it identified deficiencies. Now it is going public with them. This is also part of the new approach of the authority under its head Mark Branson, who has been in office since August 2021. After the financial supervisory authority took heavy criticism in the Wirecard scandal for having remained inactive, he ordered Bafin to bite harder. The insurance supervisory authority emphasizes that it only wants to make full use of the instruments offered by the EU supervisory rules under Solvency II.

The authorities did not want to say where the problems lie in detail and how high the capital surcharge is. Axa also remained vague. “We take the findings very seriously and are grateful to Bafin for the intensive and constructive exchange,” said a spokesman.

When it comes to insurers’ IT, things are amiss. Many companies use a patchwork of IT systems that are decades old. At the same time, the companies hold a wealth of sensitive customer data that could be of interest to cyber criminals. This is especially true for health insurers like Axa. Several insurers, including a liability insurer and the Baloise subsidiary Basler, have already fallen victim to cyber attacks.

Bafin therefore took a close look at the insurers’ IT systems – and was not happy with what it found. It sees serious deficiencies above all in risk management, in business organization, and in authorization and outsourcing management. “Such deficiencies are unacceptable,” said a Bafin spokesman. “We are now pricing in the risk of this.”

The authority’s reasoning: the IT deficiencies result in additional risks for an insurer, which must be taken into account through capital surcharges under the Solvency II capital rules. When the topic first came up, there was talk of a capital surcharge of around five percent. Axa health insurance had to hold solvency capital of EUR 634 million at the end of 2022, so a surcharge of five percent would be EUR 32 million. Insurers are likely to be hurt much more by the negative publicity of the publication than by this sum.

Bafin is examining two other insurers, and they too are threatened with capital surcharges. According to SZ research, Allianz is said to be among them.