“One important point is the need for ownership of technology risk and cybersecurity at Board and senior management level. Such is the potential impact of these threats; final responsibility cannot be delegated or outsourced.” (Gerry Cross, Director of Policy and Risk, Central Bank of Ireland, Nov. 2015)
Ultimate responsibility for cybersecurity rests with the board of directors – it is indeed a familiar theme for boards of (re)insurance companies in the new Solvency II environment. During 2015, cybersecurity was a significant area of supervisory focus for the Central Bank across all financial services sectors and (re)insurance was no exception. We expect this regulatory scrutiny to intensify during 2016 as cybersecurity establishes itself as a permanent fixture on the board and supervisory agenda. This article highlights some key considerations for your board as the cyber threat continues its rapid rise up the Central Bank’s priority list.
The Cyber Landscape
The next big financial shock will arise from a succession of cyber-attacks on financial services firms. This was the prediction cited last year by Cyril Roux, Deputy Governor of the Central Bank. Cybersecurity is a major issue facing almost all businesses in the modern commercial world. Cyber-attacks against businesses are becoming more frequent, more sophisticated and more widespread, and can threaten entire firms through the reputational, commercial and regulatory risk they create. There is now an active market of cyber criminals deliberately going after data and attacking financial services firms. In many cases, the attackers benefit from insider information provided by disgruntled current or former employees. The human element (which may also be accidental) represents potentially the most vulnerable and unpredictable part of any firm’s technology infrastructure and can be the most challenging risk to manage effectively.
Governance & Cybersecurity
The message coming from the Central Bank is that a significant weakness exists in this area across all regulated firms and addressing this risk should be considered a matter of priority. The Central Bank expects cybersecurity to be considered within a (re)insurer’s overall risk appetite and business strategy. The board also needs to have sufficient knowledge and understanding of cybersecurity risk to be able to effectively challenge senior management on the security strategy. Cybersecurity due diligence should also be performed on prospective and existing outsourced service providers and appropriate cybersecurity and data protection provisions should be incorporated into outsourcing agreements.
In September 2015, the Central Bank highlighted cybersecurity as one of the significant operational risks which was not always considered by boards of (re)insurers in the context of their Forward Looking Assessment of Own Risks (FLAOR) submitted as part of the Solvency II preparatory phase. Solvency II has been in full force since 1 January 2016 and it is likely the Central Bank will have limited tolerance for any such omissions in its review of a (re)insurer’s Own Risk and Solvency Assessment (ORSA) going forward.
Best Practice Recommendations
An important point of reference for (re)insurers in addressing the cyber issue is the list of best practices issued by the Central Bank in relation to cybersecurity risk, which includes the following recommendations:
- the board should drive a culture of security and resilience throughout the firm;
- cybersecurity should be a standing agenda item for discussion at board meetings;
- a clear reporting line to the board should be established for incidents;
- the board should satisfy itself that the policies and procedures of the firm are adequate and robust; and
- firms should report any substantial attacks, or successful breaches of their systems to the Central Bank.
Cyber threats are constantly evolving and are increasing in intensity and sophistication. Cybersecurity is set to remain an area of supervisory priority for both the Central Bank and regulators internationally. Boards of insurers need to ensure that they are adequately prepared to confront the evolving risks and can demonstrate to regulators that they have actively sought to minimise the risk of cyber-attack. If your firm is investigated by the Central Bank or pursued following a cyber-related breach, it is vital that you can demonstrate that appropriate security measures were embedded within your firm and amongst your staff.
An ever-growing list of regulatory and contractual requirements is due to be augmented by new legislation which will introduce specific obligations in terms of cybersecurity and data breach management. Under the new EU Data Protection Regulation (due for formal adoption in early 2016), businesses will be required to notify data protection authorities of security breaches involving personal information within 72 hours of their occurrence, with breaches potentially resulting in substantial fines (the higher of €20 million or 4% of total annual worldwide turnover). The recently agreed EU Network and Information Security Directive will also have significant implications for businesses in critical sectors including finance and will also introduce breach reporting requirements and sanctions.