Insurer cybersecurity - Executive Summary
Cyber risk presents the insurance sector with a growing challenge and one that supervisors need to address. To provide guidance to insurance supervisors seeking to develop or enhance their regulatory regimes and supervisory practices applicable to insurance sector cybersecurity, the International Association of Insurance Supervisors (IAIS) published the Application Paper on Supervision of Insurer Cybersecurity in November 2018. This paper follows up the Issues Paper on Cyber Risk to the Insurance Sector, published in August 2016.
The Application Paper draws from different cybersecurity frameworks and guidance developed by international, national and industry organisations in both the public and private sectors. In particular, it builds on the following guidance: the G7 Fundamental Elements of Cybersecurity for the Financial Sector (G7FE), the Committee on Payments and Market Infrastructures-Technical Committee of the International Organization of Securities Commissions (CPMI-IOSCO) Guidance on Cyber Resilience for Financial Market Infrastructures, and the G7 Fundamental Elements for Effective Assessment of Cybersecurity in the Financial Sector (G7FEA).
Supervision of insurer cybersecurity practices
The Application Paper uses the G7FE as a starting point. It identifies the following fundamental elements of cybersecurity for the financial sector: (1) Cybersecurity Strategy and Framework; (2) Governance; (3) Risk and Control Assessment; (4) Monitoring; (5) Response; (6) Recovery; (7) Information Sharing; and (8) Continuous Learning.
It then analyses how each fundamental element conforms with the Insurance Core Principles (ICPs) and provides a series of recommendations based on the CPMI-IOSCO guidance but presented in an insurance context. The paper then provides examples of current practice in different countries.
Finally, the paper describes the assessment of desirable outcomes for each element, which are based on the G7FEA's five desirable outcomes that a mature entity is likely to exhibit and that less mature entities can aim for. These desirable outcomes are: outcome 1 (O1) - the fundamental elements are in place; O2 - cybersecurity influences organisational decision-making; O3 - there is an understanding that disruption will occur; O4 - an adaptive cybersecurity approach is adopted; and O5 - there is a culture that drives secure behaviour.
The table summarises the main conclusions of the paper and presents some selected examples of recommendations.
Assessing insurers' cybersecurity practices
Jurisdictions may develop supervisory requirements or expectations based on the above recommendations, examples and desirable outcomes. To assess insurers' progress and compliance with the expected cybersecurity outcomes, supervisors need to plan and design effective programmes for conducting cybersecurity assessments.
The Application Paper offers the following "assessment components", based on G7FEA, for insurance supervisors to consider in their assessment programmes:
- Establish clear assessment objectives and communicate those objectives to insurers
- Set and communicate methodology and expectations
- Maintain a diverse toolkit and process for tool selection
- Report clear findings and concrete remedial expectations
- Ensure that assessments are both reliable and fair
* This Executive Summary and related tutorials are also available in FSI Connect, the online learning tool of the Bank for International Settlements.