Other parts of this series:
In this series examining the necessity of insurance supervisors to increase their efforts to protect their organizations from cyber criminals, we have seen what some critical cyber security weaknesses look like for carriers and their potential financial ramifications. So where should insurance supervisors look first when determining where they need to bolster their organizations’ cyber risk resilience?
As the International Assn. of Insurance Supervisors (IAIS) notes in its recent Issue Paper on Cyber Risk to the Insurance Sector, valuable guidance for supervisors is found in the standards-setting organization’s Insurance Core Principles (ICPs). This supervisory framework does not address cyber risk specifically yet. IAIS continues to study cyber security regulations and practices worldwide before moving forward on a global standard, the organization’s top official noted during the National Assn. of Insurance Commissioners’ International Insurance Forum this spring. Even so, the ICPs’ principle statements and accompanying standards and guidance address the various issues that cyber risk raises.
In particular, IAIS recommends that supervisor focus on these five principles:
- ICP 7—Corporate governance. Under this principle, insurance company boards are responsible for ensuring that risk management has appropriate systems and functions in place and that they are operating effectively with proper oversight.
- ICP 8—Risk management and internal controls. Under this principle, a risk management system should cover operational risk management, the conduct of business and other risk-mitigation techniques, as well as cover all reasonably foreseeable and material risks—current and emerging. Guidance for ICP 8 also discusses what an effective control system should address, and that includes various aspects of information technology, including IT functionalities, access to data bases and employee access to IT systems. In addition, guidance for the principle states that the board and senior management should evaluate the impact that outsourcing will have on the organization’s risk profile and business continuity.
- ICP 9—Supervisory Review and Reporting. This ICP focuses on supervisors paying “due attention to the evolving nature, scale and complexity or risks” that insurers and their customers could face by obtaining and analyzing sufficient information.
- ICP 19—Conduct of business. This ICP encourages insurers and intermediaries to establish policies and procedures to protect customers’ private information. IAIS guidance lays out various measures for ensuring privacy and preventing security breaches.
- ICP 21—Countering insurance fraud. This ICP guides insurance supervisors in ensuring that their organizations and intermediaries implement measures that effectively prevent, detect, report and remedy fraudulent activity.
Next time: The best practices in developing insurer resilience against cyber attacks.
- The International Assn. of Insurance Supervisors’ Issue Paper on Cyber Risk to the Insurance Sector