17 December 2021 | News

BMA finds cybersecurity vulnerabilities in Bermuda insurers

Weaknesses remain in Bermuda re/insurers' cybersecurity controls, according to a new report by the Bermuda Monetary Authority (BMA).

The regulator's review of the enhanced Bermuda Solvency Capital Requirement (BSCR) cyber filing returns found that, in several areas, fewer insurers than expected had controls in place.

These areas include third-party cyber risk, where the BMA says insurers should consider putting contractual clauses in place that set security requirements for third parties entrusted with data or delivering IT services; and data classification, where information should be classified according to its value, legal requirements, sensitivity and criticality to the organisation.

Annual board approval of the cyber risk strategy, data loss prevention assessments and software maintenance (including patches and updates) were other areas where controls were not sufficiently widespread, according to the BMA.

“The authority is pleased with the industry’s continued focus on cyber risk. However, the data indicates that for some cyber risks, a lower than expected percentage of insurers indicate they have controls in place,” its executive summary states.

The report is based on year-end 2019 filing returns. Since then, the industry has seen the Insurance Amendment Act 2020, which requires notification of cyber incidents to the Authority, and the Insurance Sector Operational Cyber Risk Management Code of Conduct, which came into effect in January 2021. Companies have until 1 January 2022 to ensure compliance with the code.

“The code is designed to promote the stable and secure management of information technology systems of regulated entities,” the BMA states. “The Authority is not adopting a ‘one-size-fits-all’ approach and expects cyber risk controls will be proportional to the nature, scale and complexity of the organisation. It is acknowledged some entities will use a third party to provide technology services and they may outsource their IT resources (e.g., to an insurance manager). All third-party and outsourced services should be subject to cyber risk review.”

The report also comments on the recent shift to remote working, which, it notes, "may present a number of changes to organisations' cyber risk profiles."

“Cyber resilience, though, is the ability to prepare for and recover rapidly from disruptions resulting from deliberate attacks, accidents or naturally occurring threats or incidents—such as disruptions created by this shift to remote working. As such, cyber resilience should be managed as part of the overall operational risk process of an organisation.”

The BMA will continue to consult with the sector and to monitor cyber risk filing returns and organisations' compliance with the code, it states. It will also "continue to require that companies clearly detail operational cyber risk in the Commercial Insurer's Solvency Self-Assessment/Group Solvency Self-Assessment (CISSA/GSSA) process," the report concludes.
More on this story

News
24 December 2021   Consultation outlines revisions to rules around boards, outsourcing and ESG.
ILS
3 February 2022   Cites failure to file or meet solvency requirements.
article
20 April 2022   Re/insurers must disclose the impact on their assets and underwriting as of 31 March.