BMA: more needs to be done on cybersecurity – The Royal Gazette | Bermuda News, Business, Sports, Events, & Community


BMA: more needs to be done on cybersecurity

Insurers and reinsurers in Bermuda need to step up their cybersecurity defences and strategic planning.

The Bermuda Monetary Authority has carried out an assessment of the level of technology risk that faces the island's commercial insurance and reinsurance business, and has identified areas of concern.

It discovered that while some businesses have levels of cybersecurity and procedures in place, gaps exist and there is a need for “significant enhancements” in a number of key areas.

It comes in the wake of a number of high-profile cybersecurity incidents elsewhere, including the Marriott data breach, where the Starwood reservation database was subject to unauthorised access during a four-year period — a breach that came to light in September, and which may result in losses of hundreds of millions of dollars for the company.

In its Cyber Report 2018, the BMA said: “Most (re)insurers have made efforts to enhance technology risk resiliency, however, much work remains to be done before the BMA can achieve a level of assurance that the possibility of large-scale cyberattacks and financial and reputational loss is effectively mitigated.”

The boards of some commercial insurers approve technology risk strategy and policies and have those matters as a standing item for meetings, but the BMA said that practice needs to be consistently implemented across the broader market.

The regulatory authority noted that while some insurers and reinsurers have appointed chief information security officers and data privacy officers, others have not.

Around 60 per cent of commercial insurers have commissioned third-party cybersecurity risk assessments, and most have indicated they provide ongoing cybersecurity and data privacy training to staff. However, the BMA said: “The effectiveness of the training, including social engineering and penetration testing, and tracking, was assessed as generally being inadequate.”

Penetration testing is when an outside individual or team is tasked with finding ways to breach the cybersecurity of a company in order to highlight weaknesses.

Incident response, recovery plans and procedures to restore systems and assets affected by a cybersecurity event were either not present, or not updated and regularly tested, the BMA discovered. It said a number of commercial insurers do not have formal incident response communications plans.

The findings were deduced from the answers to questions the BMA included in the 2017 year-end commercial insurer capital and solvency return filing. The information request is being enhanced for the 2018 filing to include all financial services sector entities in Bermuda.

In February, the BMA sent a message to licensed companies reminding them that they “are required to have robust policies, procedures and controls in place to identify, assess and manage cybersecurity risks on an ongoing basis”.

The BMA has adopted the NIST Cybersecurity Framework, from the US, to help it assess the standards and methodology being used by businesses.

While the authority recognises that there is no “one size fits all” approach to cyber-risk, it said businesses must assess risks and create policies and procedures to mitigate those risks, and ensure that employees are properly trained and equipped from a cybersecurity perspective. It also expects boards of directors to evaluate the technology risk facing their business, including information security, cybersecurity and data privacy, and to have incorporated those factors into their “enterprise risk management process”.

The Cyber Report also looked at the growth of cyberinsurance in Bermuda, and at the end of last year the filings showed 37 Bermuda commercial insurers and 15 groups were writing direct cyberinsurance. Gross written premiums for cyber-risk stood at $845 million at the end of 2017.

Insurers provided data on their worst-case cyber-risk loss scenarios from direct cyber-risk coverage. The results showed there would not be a significant impact on the companies' statutory capital and surplus, with average gross and net impacts of 5 per cent and 4 per cent respectively.

However, the BMA believes that much larger losses could arise from “silent cyber” contracts — that is, cyber exposures on other liability insurance policies where cyberlosses are not explicitly excluded.

Cybersecurity landscape: averages for the Bermuda commercial insurer market as indicated by the 2017 year-end cyber questions. The BMA noted that the averages for the large commercial insurers were higher than those for small commercial insurers (Graph data by Bermuda Monetary Authority)


Published December 24, 2018 at 8:00 am (Updated December 23, 2018 at 11:47 pm)
