Data protection | Feb 28 2018

FCA hints at next thematic review

The Financial Conduct Authority (FCA) is concerned about data protection and resilience at insurers and will conduct further work in the field, its director of supervision has said.

Megan Butler told delegates at the Association of British Insurers (ABI) conference yesterday (27 February) the regulator was concerned insurance firms were not adequately protecting the personal data of their clients.

She said the FCA was in the process of putting together its business plan for the next year and while it had not made any definitive plans for thematic reviews, data protection was high up on its list.

The regulator has already asked individual firms about their processes and was considering broadening its work in future.

Ms Butler, who spoke as part of a panel discussion, said: "One of the things that is coming very fast on our to-do list is resilience and cyber risk and appropriate protection of data, which hasn't been on top of our agenda for this sector in the past but you can safely assume it is getting up there very quickly.

"We will do a great deal more in that area of cyber resilience connected to outsourcing which is a source of increasing risk and can do some real harm to end consumers."

Ms Butler explained insurers were playing a prominent part in the field as they held vast amounts of sensitive personal data on their clients.

But she clarified any forthcoming probe would not centre on the way insurers communicate with their clients - a main topic of yesterday's conference - but on confidentiality of information and the integrity of firms’ systems.

She said: "There are some great opportunities around technology and the route to digital but that is your job. The area we worry about is that this is an industry that sits with its hands on vast amounts of very valuable personal data attaching to every single individual and the worry is that it isn't as well looked after as it might be.

"There are strong and clear obligations about appropriate protection of that data."

Firms currently have to abide by FCA rules concerning the protection of personal data but will soon be subject to additional European rules from the General Data Protection Regulation (GDPR).

GDPR introduces a number of data regulations, including the right to erasure, meaning an individual can request the deletion of personal data relating to them, and the right to access, meaning an individual can demand information on how their data is being used and a free copy of their personal data.

It also introduces the right to data portability and requires explicit consent to be obtained for the collection of data and all the purposes it is used for, while all data breaches must be reported within 72 hours.

Craig Thornton, general insurance and protection director at Lloyds Banking Group, agreed there was more to do on data protection but thought the existing rules were clear to insurers.

He said: "There is plenty of regulation around looking after data that we have to comply with now and we see it as part of our job."

Sue Lewis, chair of the Financial Services Consumer Panel, said the problem was people did not understand the concept of owning their data or giving permission, which is where GDPR would bring clarity.

She said: "Consumers worry not as much as they should do what is going to happen to their data, who is actually going to have it and for what purpose. And GDPR should help a lot with this because then people will have to give their explicit consent."

The FCA said earlier this month it was in talks with the Information Commissioner's Office to smooth out any inconsistencies between the incoming data protection rules and the wider regulatory landscape, after firms had been in touch asking about their ability to comply with both rule sets.

Apart from data protection, Ms Butler suggested the FCA would take a step back from making new interventions and was looking to limit further thematic work to assessments of the way its most recent interventions have bedded in.

She said: "Looking at the outcomes post pension freedoms is going to be a big one for us. [We will be] continuing to look at the effectiveness of some of the interventions we’ve made in the last couple of years rather than [start] something new.

"We have intervened quite extensively in this sector over the past couple of years, I think we need to evaluate the impact we have had."

carmen.reichman@ft.com