COVID-19 and other policies – Saudi Arabia
Whilst much has been written about the responses of Property Damage and Business Interruption Coverages to COVID-19, we should not lose sight of institutions’ other insurance policies in the light of the current situation. Why so?
Many KSA regulators are expecting institutions under their supervision to exercise enhanced standards of governance, not only from a public health point of view, but to preserve the financial integrity of businessES. The Saudi Arabian Monetary Authority (SAMA) has imposed enhanced requirements. Following the outbreak of COVID-19 in December 2019, SAMA ramped up its monitoring of the market and “required institutions to prudentially manage risks posed by a widespread (sic.) of COVID-19”. So, what was required of regulated institutions:
- All institutions are now required to establish a formal, internal, COVID-19 committee (the Committee) to ensure that a risk management plan is developed in a timely manner and that is implemented, if and when required. The Committee is required to adopt a cross-disciplinary approach and should, therefore, address human resources, business continuity management and risk management functions. These should all to tested against plausible risk scenarios.
- The plan should be realistic and proportionate and should be easily understandable. The plan should address, as a minimum: alternative work arrangements, staff health and welfare measures, alternative processing arrangements, controls and compliance, technology options, communications plans and resource priorities.
With regard to insurers, in addition to establishing the Committee, SAMA set out the following developments:
- SAMA announced the postponement of annual supervisory visits and internal capital adequacy reviews for the year 2020.
- To follow instructions issued by Saudi authorities, including regarding quarantine requirements and travel to work (which is, in any event, presently, highly restricted).
- Permit employees to work from home/remotely, whether displaying symptoms or as a precautionary measure; consider the settlements of insurance disputes through their branches only if matters cannot be resolved remotely.
- Cancellation of all events requiring gatherings in the workplace and instead encouraging use of video conferencing or other communication technology.
- Ensuring that the required levels of cleanliness and sterilisation are applied in all of the insurance company’s facilities.
- Activate call centers to receive customer’s requests and inquiries.
- Finally, SAMA urged insurers to remain vigilant on the cyber security front and beware of cyber threat actors taking advantage of the situation to conduct cyber-attacks.
Given the emphasis on senior management planning, clearly their activities will be carefully monitored by their regulator. That therefore throws into sharp relief the institution’s D&O cover and, whilst certain D&O covers have been scaled back, the basic elements, Side A and B (and C, where relevant) are available still. That said, some D&O covers will exclude cover where claims are brought by regulators (unless it is, in effect, a subrogated claims where the regulator has made good the claimant and is therefore seeking to be made whole).
Whilst the regulator is requiring greater governance by senior management, the postponement of annual supervisory visits may exacerbate solvency risk in a market where (re)insurers are likely to come under significant pressure regarding covers such as business interruption. Given that insurers in the KSA are required to be quoted on the stock market, and combined with a more litigious environment, the potential for shareholder claims could increase significantly.
A further area for cover is that of cyber insurance. We have already written extensively on cyber risks in the current environment.1 Nevertheless, cyber risks do not just occur through the malfeasance of third party actors. Risks can occur in a number of other ways which can lead to considerable claims:
- The lack of management supervision can lead to internal processes breaking down (and not just the non-observance of controls to stop third party crime (e.g. phishing, CEO social engineering)). For example, the loss or mis-handling of customer personal or financial data.
- Working from home places stress on hardware and software – the failure of such systems can lead to incomplete or failed transactions with consequential issues.
- Any risks which are not insured (or laid off to third parties), may lead to questions being asked of directors of the institution i.e. the directors own insurance may be called upon to meet claims for not adequately transferring the risks which could, for example, a reduction in the quoted share price. In short, the failure to purchase cyber cover may lead to claims being made against directors.
For further information, please contact:
T +971 4 423 0547
Mohammed Abdulrahman Alkhliwi
T +966 11 834 3516