BMA: more needs to be done on cybersecurity
Insurers and reinsurers in Bermuda need to step up their cybersecurity defences and strategic planning.
The Bermuda Monetary Authority has carried out an assessment of the level of technology risk that faces the island's commercial insurance and reinsurance business, and has identified areas of concern.
It discovered that while some businesses have levels of cybersecurity and procedures in place, gaps exist and there is a need for “significant enhancements” in a number of key areas.
It comes in the wake of a number of high-profile cybersecurity incidents elsewhere, including the Marriott data breach, where the Starwood reservation database was subject to unauthorised access during a four-year period — a breach that came to light in September, and which may result in losses of hundreds of millions of dollars for the company.
In its Cyber Report 2018, the BMA said: “Most (re)insurers have made efforts to enhance technology risk resiliency, however, much work remains to be done before the BMA can achieve a level of assurance that the possibility of large-scale cyberattacks and financial and reputational loss is effectively mitigated.”
The boards of some commercial insurers approve technology risk strategy and policies and have those matters as a standing item for meetings, but the BMA said that practice needs to be consistently implemented across the broader market.
The regulatory authority noted that while some insurers and reinsurers have appointed chief information security officers and data privacy officers, others have not.
Around 60 per cent of commercial insurers have commissioned third-party cybersecurity risk assessments, and most have indicated they provide ongoing cybersecurity and data privacy training to staff. However, the BMA said: “The effectiveness of the training, including social engineering and penetration testing, and tracking, was assessed as generally being inadequate.”
Penetration testing is when an outside individual or team is tasked with finding ways to breach the cybersecurity of a company in order to highlight weaknesses.
Incident response, recovery plans and procedures to restore systems and assets affected by a cybersecurity event were either not present, or not updated and regularly tested, the BMA discovered. It said a number of commercial insurers do not have formal incident response communications plans.
The findings were deduced from the answers to questions the BMA included in the 2017 year-end commercial insurer capital and solvency return filing. The information request is being enhanced for the 2018 filing to include all financial services sector entities in Bermuda.
In February, the BMA sent a message to licensed companies reminding them that they “are required to have robust policies, procedures and controls in place to identify, assess and manage cybersecurity risks on an ongoing basis”.
The BMA has adopted the NIST Cybersecurity Framework, from the US, to help it assess the standards and methodology being used by businesses.
While the authority recognises that there is no “one size fits all” approach to cyber-risk, it said businesses must assess risks and create policies and procedures to mitigate those risks, and ensure that employees are properly trained and equipped from a cybersecurity perspective. It also expects boards of directors to evaluate the technology risk facing their business, including information security, cybersecurity and data privacy, and to have incorporated those factors into their “enterprise risk management process”.
The Cyber Report also looked at the growth of cyberinsurance in Bermuda, and at the end of last year the filings showed 37 Bermuda commercial insurers and 15 groups were writing direct cyberinsurance. Gross written premiums for cyber-risk stood at $845 million at the end of 2017.
Insurers provided data on their worst-case cyber-risk loss scenarios from direct cyber-risk coverage. The results showed there would not be significant impact to the companies' statutory capital and surplus, with the average gross and net impacts of 5 per cent and 4 per cent respectively.
However, the BMA believes that much larger losses could arise from “silent cyber” contracts — that is, cyber exposures on other liability insurance policies where cyberlosses are not explicitly excluded.