Navigating Third-Party Risks in the Insurance Industry
In today’s interconnected world, the insurance industry relies heavily on third-party vendors, alliances, and partners to deliver a wide range of services. While these relationships can enhance operational efficiency and customer satisfaction, they also introduce significant risks that must be managed proactively. It is therefore essential that boards, audit committees, and management are properly educated in, and thoroughly understand how to mitigate, the myriad emerging third-party risks that exist.
This article explores the nature of certain highlighted third-party risks in the insurance sector and offers strategies for mitigating them, with additional considerations for reinsurers and independent agents (including managing general agents (“MGAs”) and third-party administrators (“TPAs”)).
Understanding Third-Party Risks
Third-party risks in the insurance industry can be broadly categorized into several key areas:
Operational Risks: These arise from the potential for third-party service disruptions, which can impact an insurer’s ability to deliver services. For example, if a claims processing vendor experiences a system outage, it can delay claim settlements and affect customer satisfaction. Furthermore, the growing use of contractors from the “gig economy” to meet short-term labor needs creates operational risk, because classifying a worker as a 1099 contractor versus a W-2 employee is a matter of management judgment.
Compliance Risks: Insurance companies must ensure that their third-party partners comply with relevant regulations and standards. Non-compliance can lead to legal penalties and damage to the insurer’s reputation. This is particularly critical in regions with stringent data protection laws, such as the GDPR in Europe.
Cybersecurity Risks: With the increasing digitization of insurance services, third-party vendors often have access to sensitive customer data. A breach at a third-party provider can expose insurers to data theft, financial loss, and reputational damage. Any New York City insurer must have an officer provide an annual Certification of Material Compliance under 23 NYCRR 500.17(b)(1)(i) to the New York Department of Financial Services, and continuous monitoring of third-party risks is one critical component in achieving overall compliance. In June 2024, Forbes mentioned that 60% of all data breaches are initiated by third parties, with cyberattacks involving AI now becoming ever more prevalent.
Financial Risks: The financial stability of third-party vendors is crucial. If a key vendor faces financial difficulties or bankruptcy, it can disrupt services and force insurers to find alternative solutions quickly.
Climate Risks: For insurers that are domiciled or write business in California and have over $1 billion in total direct written premium, climate-related risks should also be heavily monitored for compliance. California’s Climate Corporate Data Accountability Act (i.e. SB 253) requires monitoring of Scope 3 emissions for greenhouse gas (“GHG”) reporting. Scope 3 emissions are categorized as indirect emissions both upstream and downstream across an insurer’s entire supply chain and from an insured’s use of its products. Insurers will be required to report Scope 3 emissions in 2027 if they do any business (not necessarily domiciled) in California. The insurer’s supply chain may include, but is not limited to, reinsurers, agency networks that distribute policies, managing general agents, and third-party administrators.
Considerations for Reinsurers
Reinsurers play a critical role in the insurance ecosystem by providing risk management, operational stability, and surplus relief to primary insurers. However, they also introduce unique third-party risks:
Counterparty Risk: The financial health and creditworthiness of reinsurers are paramount. Insurers must assess the solvency and stability of their reinsurers to ensure they can meet their obligations during claims events. Furthermore, insurers need to keep a close watch on the A.M. Best credit ratings and outlook of their reinsurance panel in order to verify that the reinsurers are maintaining the solvency obligations outlined in their executed reinsurance agreements. Lastly, an insurer should carefully monitor the collateral obligations of unauthorized reinsurers based on its cession activity.
Contract Clarity: Reinsurance agreements should be meticulously drafted to avoid ambiguities that could lead to disputes. Clear terms regarding coverage, exclusions, and claims processes are essential. These agreements should be in alignment with the insurer’s reinsurance strategy and overall risk appetite.
Regulatory Compliance: Reinsurers must comply with international and local regulations. Insurers should verify that their reinsurers adhere to these standards to avoid regulatory penalties and ensure smooth operations.
Transferring Insurance Risk: One of the primary functions of reinsurance is to transfer risk from the primary insurer to the reinsurer. As stated in the NAIC Examiner’s Handbook, the transfer of insurance risk should be modelled with supportable and reasonable assumptions using a discounted cash flow model over the life of the treaty to validate the notion that insurance risk has effectively transferred from the insurer to the reinsurer based on the treaty’s economics. This process involves several considerations:
- Risk Appetite: Insurers must evaluate the risk appetite of their reinsurers to ensure alignment with their own risk management strategies. Any material deviations from this strategy should be summarized and reviewed by those charged with governance.
- Diversification: Transferring risk to multiple reinsurers can help diversify exposure and reduce the impact of any single reinsurer’s failure. The reinsurer with the highest signing line should be properly analyzed to validate it has the proper solvency.
- Proportional vs. Non-Proportional Reinsurance: Understanding the differences between proportional (e.g., quota share, surplus) and non-proportional (e.g., excess of loss) reinsurance agreements is crucial for effective risk transfer.
- Data Needs and Safeguards: For cession bordereaux being invoiced from the insurance carrier to the reinsurer, the data fields and the method of secure transfer should be agreed upon up-front to minimize any disputed or misstated reinsurance recoverable from the reinsurer to the insurer.
- Retention Levels: Determining appropriate retention levels (the amount of risk retained by the primary insurer) is essential to balance risk transfer and cost efficiency.
Considerations for Independent Agents
Independent agents are vital intermediaries in the insurance distribution chain, but they also pose specific third-party risks:
Sales Practices: Insurers must ensure that independent agents adhere to ethical sales practices and provide accurate information to customers (across in-person, digital, and social media advertising practices). If an insurance company significantly utilizes managing general agents (“MGAs”) with an active sub-producer network, the insurance carrier must have significant controls to validate that the sub-producer network is utilizing only approved marketing techniques. Misrepresentation or unethical behavior can lead to legal issues and reputational damage, especially with the proliferation of social media in society.
Training and Support: Providing ongoing training and support to independent agents helps ensure they are knowledgeable about the products they sell and the regulatory environment. This reduces the risk of non-compliance and enhances customer service.
Performance Monitoring: Regularly monitoring the performance of independent agents can help identify potential issues early and mitigate any possible overpayment of broker commissions. This includes tracking sales performance, customer feedback, timely investigation of any filed complaints, and compliance with company policies.
Market Conduct: Ensuring that independent agents comply with market conduct standards is crucial for maintaining trust and integrity in the insurance industry:
- Regulatory Adherence: Independent agents must follow all relevant market conduct regulations, including those related to fair treatment of customers, transparency, and disclosure requirements.
- Ethical Behavior: Promoting ethical behavior among independent agents helps prevent practices such as mis-selling, which can harm customers and damage the insurer’s reputation.
- Complaint Handling: Establishing clear procedures for handling customer complaints ensures that issues are resolved promptly and fairly, maintaining customer trust and satisfaction.
- Audit and Review: Conducting regular audits and reviews of independent agents’ market conduct practices helps identify and address any deviations from expected standards and carrier processes.
Mitigation Strategies
To effectively manage third-party risks, insurance companies should adopt a comprehensive and quantifiable risk management framework that includes the following strategies:
Due Diligence: Conduct thorough due diligence before engaging with third-party vendors, reinsurers, and independent agents. This includes assessing their financial health, operational capabilities, and compliance with regulatory requirements.
There should be proper written notification if the third-party vendor has the ability to subcontract (i.e. a fourth-party risk), especially if the third party or subcontractor is offshore, as this may present a risk of policyholder data loss. This is sometimes seen with managing general agents performing routine tasks such as policy administration system entry, application processing, and use of appointed sub-producers.
Contractual Safeguards: Ensure that contracts with third-party vendors, reinsurers, and independent agents include clear terms regarding service levels, data protection, compliance obligations, and termination clauses. Consider establishing, disseminating, and continuously monitoring service level agreement (“SLA”) metrics with the third-party administrator. Regularly review and update these contracts to reflect changing risks and regulations.
Continuous Monitoring: Implement ongoing monitoring of third-party vendors, managing general agents, reinsurers, and independent agents to detect and address potential risks promptly. This can involve regular audits, performance reviews, real-time monitoring of transactions and real-time monitoring of cybersecurity threats (i.e. continuous monitoring).
As a routine exercise, take a hard look at the annual SOC 2 reports produced by those third parties whose systems the insurance company is leveraging. Validate that any complementary user entity controls are addressed in a timely manner and that the opinion noted is unqualified.
Insurers leveraging third-party vendors for artificial intelligence tools, especially as they relate to underwriting and claims practices, should have assurance that the algorithm being used is not biased or discriminatory toward any insured.
Incident Response Planning: Develop and maintain robust incident response plans that outline the steps to be taken in the event of a third-party service disruption or data breach. Also, consider requesting from the third party that their business continuity plan is annually tested, reviewed, and provided to the insurer so it is aligned to current business practice at the vendor. This ensures a swift and coordinated response to minimize any potential business interruption.
Collaboration and Communication: Foster strong relationships with third-party vendors, reinsurers, and independent agents through regular formal and informal communication and collaboration. This helps to build trust and ensures that all parties are aligned in their risk management efforts.
The Need for a Risk-Based Third-Party Risk Management Solution
Third-party risks are an inherent part of the insurance industry’s ecosystem. By understanding these risks and implementing effective mitigation strategies, insurers can protect their operations, maintain regulatory compliance, and safeguard their reputation. As the industry continues to evolve, proactive third-party risk management will be essential for sustaining growth and delivering value to customers.
At the end of the day, it is critical that insurers develop, deploy, and monitor an integrated third-party risk management solution. This is an initiative you should not embark on alone, but with the advice of a trusted business partner. This solution should analyze and monitor third-party risks in accordance with an established authoritative framework (for example, NIST). In summary, it must quantify:
- Loss exposure generated by third parties (measured in local currency). The amount of loss exposure should drive the prioritization of third parties, with those presenting a higher loss exposure taking priority.
- ROI analysis, and answer the question: At what cost can our financial risk be mitigated?
- Continuous and automated assessment of risk and effectiveness of controls to monitor third-party risk.
- Alignment of Management’s risk management to the third-party’s risk management.
Additionally, there needs to be an overall sense of risk awareness at the board and within the echelons of management. Metrics should be communicated regularly, with appropriate and timely escalation mechanisms should a particular third party’s risk increase, in conjunction with proper analysis of downstream operational effects.
How Centri Can Help
Centri offers specialized advisory services to help insurers navigate these regulatory requirements. Our insurance industry experts provide comprehensive risk assessments, compliance strategies, and ongoing support to ensure your business meets all third-party risk management standards. By partnering with Centri, insurers can confidently manage third-party risks and focus on achieving their business goals. Contact us to learn how we can help your company succeed.
Managing Director | Insurance Practice Leader | CPA
Joe is a Managing Director at Centri Business Consulting and the leader of the firm’s Insurance Practice. He has over 30 years of global leadership experience performing and leading complex regulatory compliance, risk, internal audit, and controls engagements for large multinational companies.
Senior Director | Insurance Practice | CPA
John is a Senior Director at Centri Business Consulting within the firm’s Insurance Practice. He has over 38 years of public accounting and management consulting experience serving both public and non-public clients within the Financial Services and Insurance sectors.
Managing Director | IT Risk & Cybersecurity Practice Leader | CISA
Rich is a Managing Director at Centri Business Consulting and the leader of the firm’s IT Risk & Cybersecurity Practice. He has more than 14 years of combined experience in internal control consulting, IT risk, cybersecurity advisory, and risk-based internal audits and accounting.
Senior Manager | CPA
Doug is a Senior Manager at Centri Business Consulting. He has more than 15 years of experience in professional services supporting startups to Fortune 50 companies. He joined Centri in July 2024 and assists insurance clients with risk advisory services, technical accounting advisory, outsourced accounting, and financial transformation services.