Is the BMA’s cyber Code of Conduct just another regulatory burden or an opportunity to drive real business change and encourage digital transformation? Kerr Kennedy of the EY region of the Bahamas, Bermuda, British Virgin Islands and Cayman Islands investigates.
In December 2019, the Bermuda Monetary Authority (BMA) issued its first set of regulations around cybersecurity, aimed explicitly at the insurance industry: “Insurance Sector Operational Cyber Risk Management, Code of Conduct” (the Code).
The Bermuda insurance market was granted a consultation period for comments ending January 31, 2020, after which point it became a published set of regulatory requirements. BMA-registered insurance entities (covering insurers, insurance managers and intermediaries) now have until January 1, 2021 to comply with this new legislation.
Therefore, those tasked with compliance must now understand to what extent their organisations meet these new regulatory obligations. Furthermore, they will need to outline the required roadmap of activities they must achieve in order to meet those requirements within the agreed time frame.
Alternatively, there may be those within the insurance industry in Bermuda with a different view, who may regard this as an opportunity or driver to initiate real change across their organisation, as opposed to yet another compliance hurdle.
Today, more than ever, we are seeing organisations making bold steps into this new digital world, whether by leveraging the many advantages of cloud computing, adopting the likes of artificial intelligence into their arsenal of new technologies, or continually seeking opportunities to acquire or partner with innovative startups that can offer streamlined solutions for one (or some) of their legacy issues, as well as access to a broader customer base.
While we are seeing elements of this in Bermuda, much more can be done to take advantage of what is available. In general terms, companies (not just insurance) need to seriously challenge themselves and fully investigate the art of the possible when it comes to today’s technologies.
This does not need to be, nor should it be, an “all-in” approach. The question should not be cloud or not cloud, digital or not digital, etc. The question should be a simple one: how can I leverage technology in order to help me meet my organisational and business objectives while maintaining appropriate levels of compliance? Start small, aim high.
In line with the output from the EY Global Information Security Survey (GISS) for 2020, the 22nd edition of the survey, the messaging is clear: there is now a real opportunity to position cybersecurity at the heart of business transformation and innovation. A key driver of these changes will be the chief information security officer (CISO) who, as per the Code, is responsible for the delivery of an organisation’s operational cyber risk management programme and is expected to have sufficient seniority in order to do so.
It is perhaps a fortuitous coincidence that the production of the Code was roughly contemporaneous with Bermuda appointing its first data privacy commissioner. Data privacy and cyber are often spoken about as if they are the same, or at least very similar, but the Code and the Personal Information Protection Act (PIPA) are two very complementary regulations that strongly reflect Bermuda’s stance as a jurisdiction that takes the security and privacy of those who work, rest and play on the Island very seriously.
With the increasing importance placed on data privacy over recent years, we have seen the term “privacy by design” being talked about more freely, primarily via the EU’s General Data Protection Regulation. Now, from an information security standpoint, we are seeing the term “security by design” being discussed, which is a key approach for organisations that wish to maximise their efforts in the continued protection of their organisation and assets.
The term security by design has come about as, for a long time now, a number of organisations have adopted a more reactive approach to cybersecurity, whereby action is taken after an attack has occurred, a fine has been levied and/or new regulation has been passed. Cyber has often been an afterthought or invited to the table well into a project or initiative.
In the current environment, cyber representation should be required much earlier in the process. As per this year’s GISS, it was found that 65 percent of businesses typically consider cybersecurity only when it is already too late.
While data breaches are key elements of cyber risk, the motives of cyber criminals are broad; purely focusing on protecting the data an organisation holds will not suffice when considering an organisation’s cyber stance.
Over the last few years, business interruption has been a growth industry in the cyber world, with ransomware attacks on the rise and cases of significant global disruption caused by the Wannacry and NotPetya attacks in 2017. This ever-changing risk landscape has introduced a focus on an organisation’s ability to respond and recover, irrespective of the data it holds.
The capacity to recover from an attack has traditionally stemmed from business continuity planning and disaster recovery (BCP/DR) processes and, while these are still critical and are referred to in the Code, in recent times the broader concepts of “operational resilience” and its subset, “cyber resilience”, are becoming the buzzwords of the regulators.
Embedding operational resilience within an organisation goes beyond traditional BCP/DR activities. It requires the business to not only understand its essential services and the wider risks to their disruption (e.g. third parties, internal capability, system capacity and cyber threats) but to challenge the design of the technical architecture, processes and controls underpinning those services and, in some cases, rethink the organisational structure and wider operating model of the business.
In an increasingly digitally integrated business, the response to cyber threats will need to be taken in tandem with a holistic approach to resilience and risk management.
With the combination of regulations such as PIPA and the Code, as well as the current backdrop of rapid technological change and advancement, is it not time that organisations take a serious look outside of their respective silos and short- to medium-term goals, and broaden their views as to what is possible?
What are their long-term strategic goals? What levels of growth can realistically be achieved with the status quo? Regulations such as the Code and PIPA now offer organisations, and their CISOs, a catalyst to significantly transform aspects (or all) of their business model.
For this more holistic approach to crystallise, it will require organisations to foster new relationships between CISOs, the board, the C-suite, and every function of the business. There is still work to be done here. The GISS indicates that 59 percent of organisations say that the relationship between cybersecurity and the lines of business is at best neutral, ranging to mistrustful or nonexistent.
So, with security by design as the goal, CISOs and their colleagues across the organisation—including functions such as marketing and sales—need to form much closer relationships in order to improve overall business understanding of cybersecurity and meet the mark of security by design.
Increased collaboration with other functions must be a priority, but cybersecurity also needs to form much more productive relationships with the board, the C-suite and senior leaders.
With the expectation that this new cyber regulation, while restricted to the insurance industry at this point, will soon be rolled out into banking and other sectors, all Bermuda businesses (and beyond) would be well-advised to properly assess and challenge themselves (i) as to what they wish their future self to look like; and (ii) to act now.
For CISOs, and for those who work in the general security areas of their organisations and are advocates of change, the combination of the BMA’s new Code and the PIPA legislation means that now is as good a time as they may get to influence their senior executives and/or boards.
Now is their opportunity to encourage the leadership to, at the very least, seriously consider how the principles of resilience, security and privacy can help shape their business operating model for the better, in this period of digital innovation and transformation.
The views reflected in this article are the views of the author and do not necessarily reflect the views of the global EY organisation or its member firms.
Kerr Kennedy is an associate partner, advisory practice, in the EY region of the Bahamas, Bermuda, British Virgin Islands and Cayman Islands. He can be contacted at: firstname.lastname@example.org