Governance

Working in a regulated industry means we take staff training seriously. Our Three Lines of Defence model for managing risk means that everyone, at every level of our organisation, has responsibility for risk management on a day-to-day basis. We deliver a year-round programme of internal training, testing, awareness and education on issues such as information security, data privacy and data protection, and how to report an incident. This includes a cyber security awareness month, where we provide hints and tips on what to look out for when it comes to phishing, smishing and other cyber security issues. We perform regular company-wide phishing tests to monitor internal vigilance when it comes to suspicious emails and timely news items on issues such as mobile security during the summer holidays or online shopping security in the run-up to Christmas.

Keeping on top of emerging risks and regulations allows us to explore how our business can adapt and respond to change, if necessary, to be able to operate in the medium term. One way we do this is through our emerging risk forum, which assesses risks and opportunities which could potentially affect the business - topics have included climate change, data regulation and the impact of changes in governments. In addition, our Group compliance function and our exposure management groups regularly perform horizon scanning for regulatory change, for example monitoring general insurance value measures, the 2021 transition from LIBOR and Solvency II enhancements.

A regular cycle of stress testing and scenario analysis helps us identify and measure the likelihood and impact of potentially plausible, but extreme, events. Testing our resilience in this way is important to ensure we manage risk well and evolve at the same pace as the risks we cover. We have embedded an internal programme of stress testing, which is performed annually to assess the resilience of the business plan in extreme, adverse scenarios. We participate in regulator-led exercises, most notably the Prudential Regulation Authority's (PRA) General Insurance Stress Test (GIST), part of which was carried out in conjunction with the Bermuda Monetary Authority (BMA).
The scenario in 2019 required us to examine climate and cyber events as new scenarios alongside the traditional scenarios which include a deterioration in the economic environment. This confirmed that the Group is able to withstand the considered short-term shocks and has strong controls and mitigation strategies in place across risk types.

We carry out a combination of events with leadership and underwriting teams to ensure our preparedness for reputational issues and large losses. In 2019 this included a three-day cyber large loss training exercise (CLLTE), which brought together over 50 participants across 14 locations to test our response to a market-changing cyber loss event, put us under pressure and challenge our plans. We also conducted a series of desktop simulations with country leadership teams to work through operational challenges arising from a reputational event.

Hiscox led a consortium of London insurance market organisations and associated entities in an exercise to simulate a serious disaster resulting in extraordinary global insurance losses of around US$200 billion. The aim was to test how the world’s pre-eminent insurance market would respond in a worst-case scenario catastrophe. The events chosen reflect the changing nature of risk; a highly-destructive hurricane, an unprecedented cyber event, one of the largest stock market declines, and a major reinsurer default with consequent delays in reinsurance payments. We published the results and recommendations for improving industry resilience in our white paper.