The Securities and Exchange Commission of Pakistan (SECP) on Monday issued the SECP Guidelines on Cyber Security Framework for the Insurance Sector, 2020 (the Guidelines), setting out guiding principles for the adoption of suitable cyber security measures to protect insurers' data.
According to the Guidelines, the SECP recognises that while cyber security is necessary for all insurers, there is no one-size-fits-all prescription; the appropriate measures depend on the nature, size and complexity of each insurer's business.
Insurers need to take the underlying cyber risk into account when the Board of Directors (the "Board") formulates the risk management policy, which is one of the significant policies required under clause (xi) of the Code of Corporate Governance for Insurers, 2016.
The Chief Information Security Officer (CISO) and the Risk Management Department (or function) will jointly identify, assess, quantify, monitor and control the nature, significance and interdependencies of cyber risks, and will be required to develop a cyber security strategy and framework to mitigate the insurer's inherent cyber risk, the SECP said.
The SECP has directed insurers to formulate a sound cyber security framework that enables them to anticipate, withstand, detect, prevent and respond to cyber attacks, in line with international standards and best practices.
A few guiding principles for formulating such a framework are given in this section.
The insurers should establish systematic monitoring processes to rapidly detect cyber incidents, and periodically evaluate the effectiveness of identified controls, including through network monitoring, testing, audits, and exercises.
The SECP states that insurers, as a starting point, shall consider existing core technical standards on cyber security such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the Information Systems Audit and Control Association (ISACA)'s COBIT ("Control Objectives for Information and Related Technologies"), and the International Organisation for Standardisation (ISO) 27000 series, each of which consists of a set of standards and best practices for managing cyber risk.
In 2017, the Financial Stability Board (FSB) had also published a Stocktake of Publicly Released Cyber Security Regulations, Guidance and Supervisory Practices to discuss cyber security in the financial sector.
Further, the International Association of Insurance Supervisors (IAIS) published its Application Paper on Supervision of Insurer Cybersecurity in November 2018, which focuses on the supervision (i.e., the regulatory perspective) of insurers' cyber security.
An insurer should implement an adaptive cyber security framework that evolves with the dynamic nature of cyber risks and allows the insurer to identify, assess, and manage security threats and vulnerabilities for the purpose of implementing appropriate safeguards into its systems.
Insurers should implement cyber risk management practices that go beyond reactive controls and include proactive protection against future cyber events.
The SECP advised that insurers should work towards achieving or acquiring predictive capabilities, capturing data from multiple internal and external sources and defining a baseline for behavioural and system activity, including through outsourcing such expertise.
An insurer should systematically identify and distil key lessons from cyber events that have occurred within and outside the organization in order to advance its resilience capabilities.
An insurer should actively monitor technological developments and keep abreast of new cyber risk management processes that can more effectively counter existing and newly developed forms of cyber attack.
An insurer should consider acquiring such technology and know-how to maintain its cyber security, including through outsourcing such expertise, the SECP added.
Insurers should implement incident response policies and other controls that facilitate effective incident response. Among other things, these controls should clearly assign decision-making responsibilities, define escalation procedures, and establish processes for communicating with internal and external stakeholders, the SECP directed.