Share with your friends
earth view from space

Insurance cybersecurity

Insurance cybersecurity

The IAIS has published for consultation an application paper on how insurance supervisors should supervise cyber risk, cybersecurity, and the cyber resilience of insurers.

The main implication for insurers is that the breadth, depth and intensity of supervision in this area is certain to expand in most countries, with an ever-growing list of considerations that supervisors are likely to focus on through both their on-site and off-site work. The approach of the IAIS is also easily transferable across sectors, so in some countries this may also form the basis for the supervisory assessment of banks, securities firms and financial market infrastructures.

The approach recommended by the IAIS builds on frameworks and guidance from multiple sources, in particular the G7 Fundamental Elements of Cyber Security for the Financial Sector (G7FE) and the related G7 Fundamental Elements for Effective Assessment of Cybersecurity for the Financial Sector.

The G7FE was developed by a group of experts under the joint leadership of the US Treasury and the Bank of England. The elements are intended to provide building blocks upon which a financial institution can design and implement its cybersecurity strategy and operating framework, informed by its approach to risk management and culture, and can be used to re-evaluate the firm's cybersecurity programme as the operational and threat environments evolve.

The G7FE identifies eight high-level elements of cybersecurity: strategy and framework, governance; risk and control assessment, monitoring, response, recovery, information sharing, and continuous learning.

The IAIS application paper amplifies each of these elements by setting out:

  • examples of good practice that supervisors should be looking for in insurers;
  • what supervisory authorities in a number of countries (Canada, France, Germany, Netherlands, Singapore, UK, US) have done in practice, in terms of both regulation and supervision, that relates to these elements;
  • how each element relates to the IAIS's insurance core principles and to the EU's Solvency 2 Directive; and
  • how supervisors might assess insurers against the desired outcomes for each element as set out in the G7FE.

In addition, the paper provides a brief case study of the experience of De Nederlandsche Bank (DNB) in using its framework to assess the level of information security maturity (including for cybersecurity) within the insurance sector. The DNB's assessment framework is based on 54 control objectives, developed in close consultation with the industry.

Connect with us

Also on