On September 13, 2023, the Canadian Insurance Services Regulatory Organizations (CISRO) released a publication on Cybersecurity Readiness (Publication), to assist insurance intermediaries in Canada, including insurance adjusters, agents, brokers representatives, managing general agents and third-party administrators (collectively, Insurance Intermediaries) in their efforts to prevent cybersecurity incidents and to be prepared to respond to them, should they occur.

As cyber attacks become more frequent, it is important that all organizations, particularly Insurance Intermediaries, assess their data and technology systems to identify where cyber risks exist and to mitigate such cyber risks accordingly. A study conducted by the Insurance Bureau of Canada in 2022 found that only 34% of small and medium-sized business employees report receiving mandatory cybersecurity awareness training.[1] The same study also found that 72% of employees of small and medium-sized businesses reported at least one behaviour that could allow a bad actor to access their company’s computer systems (e.g., using one password to access multiple websites for work; accessing public Wi-Fi on a work computer, and downloading software or applications to their work device not provided by their employer, among others).

The Publication includes five suggestions from CISRO that Insurance Intermediaries may leverage to assist with cybersecurity readiness. This article summarizes CISRO’s suggestions and discusses the implications for Insurance Intermediaries conducting business in Canada.

I. Five key suggestions for Insurance Intermediaries

Cybersecurity refers to any practice that safeguards the confidentiality, integrity and availability of business, employee and customer data using computer systems. Breakdowns in these safeguards may be due to human error, a system not operating adequately or a deliberate intrusion such as a cyber attack.

(1) Make cybersecurity a priority

Building a culture of cybersecurity within an organization and ensuring the necessary expertise and resources are available is important to achieve cybersecurity readiness. This can include developing policies and procedures on cybersecurity practices and giving an individual within an organization the responsibility of overseeing and reporting on its cybersecurity risks. Mandatory and regular training should be offered to every individual in the organization to ensure employees remain up to date on best practices and procedures.

(2) Know what client information and technology to safeguard

Knowing what client information is held electronically and how it is being stored is important to determining the cybersecurity measures needed when responding to a cyber incident. Insurance Intermediaries should also consider the importance of having back-ups and storing them on off-site servers, including digital cloud services.

(3) Identify cyber risks arising from the organization or outsourcing activities to third-party service providers

Identifying cyber risks arising from access granted to staff, management or third-party service providers is important in determining the cybersecurity measures needed to respond to a cyber incident. Insurance Intermediaries are responsible for services outsourced to third parties and should therefore carefully assess third-party service providers’ cybersecurity practices. In addition, CISRO recommends that commercial agreements entered into by Insurance Intermediaries with third-party service providers include the following concepts:

a) Confidentiality of client information and security of the Insurance Intermediary’s computer systems;

b) Clear parameters regarding each parties’ liability for cybersecurity matters under a particular commercial agreement; and

c) An action plan, should a cybersecurity breach occur (including points of contact and notice requirements).

We strongly recommend that, when entering into or renegotiating contracts with third-party service providers, Insurance Intermediaries have such contracts reviewed for legal risks associated with data privacy and cybersecurity matters, in addition to ensuring that any obligations imposed on Insurance Intermediaries by insurance carriers with respect to contracts between Insurance Intermediaries and their respective third-party service providers are adequately addressed.

(4) Implement adequate cybersecurity measures

The Publication also discusses the importance of implementing appropriate measures to adequately prevent or mitigate cyber risks. This includes controlling access to an organization’s networks and ensuring the secure disposal or recycling of computing devices. In addition, employing cyber safety practices in day-to-day activities such as using strong security passwords, avoiding the use of work devices for personal use and ensuring the software on any devices are always up to date is important.

(5) Detect and respond to cyber incidents

CISRO notes that it is important that Insurance Intermediaries have a plan to detect and respond to cyber incidents. This includes having a response team for handling cyber incidents, investing in intrusion detection systems and developing a written cybersecurity incident response plan.

CISRO identifies five key elements for Insurance Intermediaries to include in a Cyber Incident Response Plan, which are summarized below:

a) Investigation: Investigate the nature and the extent of the cyber incident and its impact on the organization and clients;

b) Mitigation: Apply mitigation measures such as suspending access to impacted client information or technology. This includes identifying vulnerabilities, correcting them and restoring affected systems or lost information including implementing safeguards;

c) Evaluation: Evaluate whether the incident causes client information or technology to be unavailable for a significant period of time and whether it triggers the business continuity plan;

d) Communication: Communicate with stakeholders affected by the cyber incident, applicable regulators or law enforcement and determine what next steps need to be taken to mitigate harm to affected stakeholders; and

e) Documentation: Document the steps to uncover and respond to the cyber incident while ensuring to preserve any evidence and documentation detailing the analysis of the incident. Document when systems are back online and fully functional and when the cyber threat no longer exists.

II. Next steps for Insurance Intermediaries

The distribution and management of insurance products and services increasingly takes place on web portals, web applications, mobile applications and other platforms. Cybersecurity awareness and incident response management are critical as insurers and intermediaries continue to interact with customers primarily through digital channels.

We recommend that Insurance Intermediaries examine their internal policies and procedures regarding cybersecurity and data privacy matters. This includes ensuring that processes dealing with the negotiation of commercial agreements include a review of cybersecurity and privacy terms (if applicable) by legal counsel.

We echo CISRO’s recommendation that Insurance Intermediaries consider the assistance of a cybersecurity professional to assess their current cybersecurity practices and provide specific advice based on their needs, size and organizational structure. Insurance Intermediaries should, if they have not done so already, consider cyber insurance liability coverage as part of their cybersecurity threat mitigation strategy.