IAIS Consultation Analysis on Cyber Risk in the Insurance Sector

The International Association of Insurance Supervisors has published for public consultation a draft issues paper on cyber risk to the insurance sector, prepared by its Financial Crime Task Force.

Key issues arising

The IAIS has published its draft issues paper at least in part to raise awareness about cyber risk in the insurance industry. The paper is descriptive and brings together a wealth of research on the area, together with the results of the 2015 IAIS survey of its members on their perceptions of insurance industry cyber risk, their involvement as regulators in combating cyber threats, and supervisory approaches to cyber security that are either already being used or under development. 

IAIS has highlighted reported cyber weaknesses in the insurance sector together with the sheer scale of the cyber risks in the marketplace and associated adverse consequences for both firms and their clients. 

A central focus of the paper is the need for insurer cyber resilience. The varied challenges need to be met with a broad response by insurers. Appropriately high-level management attention is a necessity, as is an effective governance structure able to understand, prevent, detect, respond to, and address cyber security incidents. The IAIS has made it clear that this approach is consistent with its own Insurance Core Principles. In addition, a well-functioning risk management programme consistent with cyber resilience best practices should be in place and verified through supervisory review. 

To be effective, cyber security needs to be addressed at all levels of an institution. Generally, a cyber risk management programme includes:

    • continuous process and control improvements;
    • incident management procedures such as response and disaster recovery;
    • state-of-the-art network policies and procedures;
    • rigorous management and control of user privileges;
    • secure configuration guidance;
    • appropriate malware protection procedures;
    • consistent control of removable media usage;
    • monitoring of mobile and home working procedures; and
    • continuing awareness and educational initiatives for all personnel.

The IAIS has said that the best practices for cyber resilience include:

    • Governance: together with the engagement and commitment of the board and senior managers, a proper cyber resilience framework contributes to the mitigation of cyber risk. For example, senior management should include someone with access to the board who is responsible for developing and implementing the cyber resilience framework, such as a chief information security officer.

    • Identification: identifying the critical business functions and processes that should be protected against compromise. Information assets (including sensitive personal information) and related system access should be part of the identification process. Regular reviews and updates are essential, as cyber risk is constantly evolving and "hidden risks" can emerge. Connected entities are part of the whole picture; the significance of the risks they pose is not necessarily proportionate to the criticality of the particular service. For example, the well-known cyber attack against retailer Target involved entry via a ventilation service provider.

    • Protection: controls should be in line with leading technical standards. Resilience can be provided by design. Continued strong IT controls contribute to protection. Comprehensive protection entails protecting interconnections and other means of access against both insider and outsider threats. When designing protection, the "human factor" should be taken into consideration; training is therefore also an essential part of the safety net against cyber risk. The same degree of IT controls should be ensured for outsourced activities.

    • Detection: comprehensive cyber security monitoring is essential, and should include third-party providers, because detection goes hand-in-hand with continuous monitoring. Performing security analytics also helps to detect and offset cyber incidents.

    • Response and recovery: it is not always possible to detect or prevent cyber incidents before they happen, even with the best processes in place, and so incident response planning is very important. Resumption of services (if interrupted) should be achieved within a reasonable timeframe, depending on the impact of the incident and the criticality of the service. Contingency planning, design and business integration, as well as data integrity (also in the case of data-sharing agreements), also help speedy resumption. To make contingency planning effective, it should be subject to regular testing. Steps to prevent contagion can offset further risks. A disclosure policy should be in place to enhance crisis communication. Last but not least, forensic readiness is essential for deep-dive investigations. Business continuity planning should consider these elements.

    • Testing: testing programmes, vulnerability assessments, scenario-based testing, penetration tests and red team tests are cornerstones of the testing phase. Cyber security testing should be included when systems are specified, developed and integrated.

    • Situational awareness: awareness contributes to the identification of cyber threats. Accordingly, the establishment of a threat intelligence process helps to offset cyber risk, and insurers should participate in established information-sharing initiatives.

    • Learning and evolving: insurers should continually re-evaluate the effectiveness of cyber security management. Lessons learned from cyber events and cyber incidents contribute to improved planning. New developments in technology should be monitored.

The IAIS said the survey had given it some insight into the range of current supervisory approaches to cyber risk. Most respondents indicated that they had established or would establish regulatory or supervisory requirements for insurers’ corporate governance with respect to cyber security. 

Although many of the survey respondents had not yet defined specific cyber security provisions, the IAIS expected that insurers would cope with cyber risk under broader regulatory and supervisory requirements, i.e., through enterprise risk management activities, and particularly IT risk assessments. 

The IAIS has pointed out that cyber resilience does not, as yet, appear to be perceived as a regulatory priority for most survey respondents. Reasons given included the current stage of IT development, the lack of specific regulatory requirements for cyber resilience and reliance on insurers' self-assessments. Furthermore, most survey respondents (i.e., insurance regulators) appeared to have limitations on staff with responsibility for and expertise in cyber security monitoring and supervision. 

The report has provided detail about the approach taken by a number of jurisdictions including France, Germany, the EU, the Netherlands, Singapore, the UK and the United States. In the United States, for instance, among the range of cyber risk initiatives, the role of the insurance state supervisor is considered. 

In general, where there is a breach at a domestic insurer, the lead state may use its regulatory authority in the following ways:

    1. Coordinate calls with the insurer to determine: when the breach took place; who is affected by the breach and, using that information, which regulators need to be informed of the impact on state residents; and how notifications will be made to affected individuals (e.g., mail, email, newspaper advertisements, etc.).

    2. Ensure that appropriate actions are taken by the insurer in response to the breach (e.g., identity theft protection, etc.).

    3. Communicate with state/federal regulators as appropriate.

    4. Determine if a targeted exam is necessary/appropriate and, if so:
        a. coordinate selection of a vendor to perform the cyber security exam;
        b. coordinate the execution of the examination procedures, determining the scope of work using Financial Condition Examiners Handbook concepts where appropriate;
        c. communicate the results of the exam and determine if regulatory action is necessary.

Relevant state insurance regulators have joined multi-state market conduct examinations following insurer data breaches, looking into, among other things, the details of the breaches, the insurers' responses to the breaches and the financial impact of the breaches on both policyholders and the insurers.

Compliance tips and next steps

The IAIS is seeking to raise awareness of cyber risks in the insurance industry, but it is being less prescriptive and directional than the International Organisation of Securities Commissions (IOSCO), which published a report setting out an international perspective on cyber security in securities markets and outlining its cyber risk coordination efforts earlier in April.

There are marked similarities between the IAIS and IOSCO papers, with the IOSCO report also bringing together an overview of some of the different regulatory approaches taken to cyber security and pointing out that regulators are generally still in the early stages of developing policy responses.

Both publications outline emerging good practices, potential tools and the various plans and measures firms have put in place to enhance cyber security, although IOSCO is specifically seeking to encourage, where appropriate, the adoption of those or similar practices.

Cyber risk, cyber attacks and the need for comprehensive cyber resilience are now not only on the risk radar of all financial services firms but are also likely to be part of the remit of the compliance function, given the potential for customer detriment.

Both the IAIS and IOSCO have made clear the prevalence, size and impact of cyber attacks on financial services firms and have stressed the need for more effort to establish an internationally coordinated response to cyber threats.

The IAIS draft issues consultation is a valuable source of insight into what good is beginning to look like for cyber risk management, and insurers would be well-advised to benchmark their current approach and the tools they use against it. Although the IAIS has not been as directional as, say, IOSCO and others in prescribing a proposed approach to cyber risk resilience, the insurance sector should not take cyber risk management any less seriously.

The IAIS will continue to monitor initiatives and issues related to cyber risk as they evolve. The consultation has recommended that the IAIS consider following on from the draft issues paper with specific cyber risk policy suggestions regarding guidance on examination practices for supervisors and risk management practices for insurers.

The consultation closes on May 13, 2016. The IAIS has requested that responses be submitted through its consultation tool.

• Susannah Hammond is senior regulatory intelligence expert in the Enterprise Risk Management division of Thomson Reuters Regulatory Intelligence; the views expressed are her own.