BMA cybersecurity report highlights concerns
The Bermuda Monetary Authority (BMA) has issued a new report on the current state of cybersecurity in the Bermuda commercial insurance market.
According to the BMA: “From information provided in the 2017 year-end cyber resiliency questionnaire and feedback from the Authority’s on-site reviews covering cyber, it is apparent that technology risk awareness, and cybersecurity in particular, has grown. Most (re)insurers have made efforts to enhance technology risk resiliency; however, much work remains to be done before the BMA can achieve a level of assurance that the possibility of large-scale cyber-attacks and financial and reputational loss is effectively mitigated.”
However, the BMA report also said that a number of areas have been identified as still needing significant enhancements across the Bermuda Commercial Insurer market.
1) Board approval of technology risk strategy – The technology risk strategy and policies of a number of Commercial Insurers are approved by the Board, and cybersecurity is a standing item at board meetings, but this practice needs to be implemented more consistently across the broader market.
2) Appointment of a Chief Information Security Officer (CISO) and/or data privacy officer – While a number of (re)insurers have a designated Chief Information Security Officer (CISO) or a data privacy officer, others have not filled these positions and, in certain cases, it is unclear whether other individuals in the organisation are performing this role.
3) Third-party cybersecurity risk assessments – Just over half of the Commercial Insurers commission third-party cybersecurity risk assessments. It is also important to ensure that contracts with suppliers and third-party partners are structured in a manner consistent with the (re)insurer’s cybersecurity policies.
4) Ongoing cybersecurity and data privacy training – The vast majority of Commercial Insurers indicated that staff receive ongoing cybersecurity and data privacy training; however, the effectiveness of that training (including social engineering and penetration testing exercises) and the tracking of it were assessed as generally inadequate.
5) Incident response plans – Incident response and recovery plans, and procedures to ensure timely restoration of systems and assets affected by cybersecurity events, were generally either absent or not updated and tested regularly. A number of Commercial Insurers also lack formal incident response communication plans.
6) Cybersecurity standards – A wide range of globally recognised cybersecurity standards and practices have been adopted by a number of Commercial Insurers, but a fit-for-purpose framework, for example NIST or COBIT, needs to be adopted more broadly by the wider market.
7) Review of the cybersecurity programme by the third line of defence – While the majority of Commercial Insurers ensure that the cybersecurity programme is subject to internal audit review, this practice needs to become more common across the market.
To obtain evidence that the above deficiencies are being sufficiently addressed, the BMA said that it will continue to monitor the market closely and ensure that cyber risk assessments remain a key feature of its regulatory reporting framework and on-site reviews.