Historically, the predominant IT risk for a financial service enterprise was the possibility that a critical IT component or system would suffer an operational mishap or otherwise simply fail to function in accordance with its contractually stipulated specifications.
Today, however, the clearest indicator of a financial enterprise's dependence on IT is the steep rise in cybersecurity incidents: service interruptions, ransomware attacks, data theft and unauthorised intrusions. Cyber risk is now the lens through which corporate governance, regulatory scrutiny and commercial transactions focus on the fundamental issues of IT security and protection.
Although operational cyber risk management is critical for IT infrastructure operated inside the protective castle walls of a financial enterprise, those operational risks increase greatly when business operations leave the castle to be provided through cloud, SaaS, DaaS and other outsourcing services by third parties who, whether as affiliates or commercial vendors, often operate in far distant jurisdictions. The transmission of data, and the remote provision of business operations across vast networks, inherently increases the exposure of those operations to cyber risk. Where any aspect of a financial institution's operational infrastructure is not under the direct and physical control of that enterprise's executive management, those operational risks can only be overseen and governed by the service customer through the robust terms and conditions of a comprehensive service agreement.
It is for those reasons that the BMA, like so many other leading financial sector regulators around the world, has been proactive in its governance and management practice requirements related to IT security, outsourcing and cyber security. No financial service sector is more important to the Bermuda economy than the insurance sector. Not only has the BMA issued a range of guidelines, codes of conduct and other directives to the Bermuda insurance companies it regulates concerning outsourcing and operational cyber risk management (including IT services such as cloud computing), but the BMA also monitors (through its enhanced 2021 Bermuda Solvency Capital Requirement (BSCR) cyber filing returns for Bermuda's insurance sector) the engagement of those registrants in cyber security preparedness and compliance. Based on the 2021 filing returns it received, the BMA recently published its 2022 report on 'Insurance Sector Operational Cyber Risk' (BMA Cyber Report). The findings set out in the BMA Cyber Report are offered by the BMA as a "best practice" aid for improved cyber risk management and, by implication, as recommended practice guidance for the insurance sector.
Here are the five key findings of the BMA Cyber Report which, in part, reflect the enhanced cyber risk that is assumed where business operations are conducted remotely "outside the castle walls" through third-party service arrangements:
Key Findings from Cyber-Reporting Events Reported in 2021
- E-mail is commonly targeted successfully by malicious attackers.
- Data breaches include e-mail breaches where unstructured data is exfiltrated from an entity. When data is ‘unstructured’ (i.e., not arranged in a pre-set schema, and therefore, not stored in a traditional database), it leads to a situation where it is not known what data has been exfiltrated, to whom that data belongs or who should be notified of the breach under contractual law and the relevant regulatory requirements.
- Poor security testing practices lead to undetected vulnerabilities, which attackers then exploit.
- Security incidents are impacting third-party IT service providers. The trend continues to be businesses utilising different cloud services including Software as a Service (SaaS) solutions. Business processes are also being outsourced. Examples include processes related to ‘know your customer’, customer service operations, human resources services and IT services. The two most common attack vectors that impact third-party provided IT services are: a) Attacking the administrative accounts of IT administrators to gain access into a network; and b) Attacking the weaknesses of internet-facing systems. Once access is gained, the target is most often Personally Identifiable Information (PII) or gaining access to financial systems for financial gain.
- Ransomware continues to be a threat. Successful ransomware attacks have led to the encryption of both desktop and server infrastructure, leading to the loss of availability of systems. Note that ransomware is also sometimes associated with attempts to exfiltrate data.

Next, the Authority will:

- Continue to monitor the evolving nature of the cyber risk threat landscape
- Continue to assess cyber risk filing returns
- Propose and introduce ways to streamline the cyber risk filing return
- Continue to review cyber reporting events to further understand the risk profile of individual insurers and the sector as a whole
- Review registrants' compliance with the Code as part of the supervisory review process
- Continue to consult proactively with the insurance sector
- Continue to require that companies clearly detail operational cyber risk in the Commercial Insurer Solvency Self-Assessment/Group Solvency Self-Assessment process.
Practice Guidance Recommendations
The BMA Cyber Report advanced the following two cyber risk management recommendations to insurance enterprises, both of which reflect the inherent risks where insurance companies retain IT (including outsourcing) services from third parties:

- An insurer who trusts third parties with data, or to deliver Information Technology (IT) services, should consider having contractual clauses in place to ensure its security requirements are met.
- Data Loss Prevention requirements should be assessed against data criticality and regulatory and contractual requirements.
In every situation where third parties provide services (whether cloud-based, SaaS, outsourcing or otherwise) as part of an insurance company's business or operational infrastructure, the most important tool that any Board or executive management can have to oversee and manage service performance risk (including all related cyber risk) is a robust service delivery contract containing the standard risk management provisions, including those related to: service quality; delivery requirements; service performance reporting; risk management oversight; security quality; risk allocation and assumption of liability; dispute resolution; and regulatory compliance. These are provisions that are generally required as a matter of regulatory compliance, corporate governance best practice and pervasive commercial norms.
The survey data contained in the BMA Cyber Report reveals that, although Bermuda's insurance sector has made tremendous strides over a short period of time, there is still room for improvement in governance and compliance. In particular, the BMA summarised its findings, and offered encouragement to the insurance sector, as follows:
The Authority is pleased with industry’s continued focus on cyber risk. The 2021 data indicates that overall, the industry’s cyber risk posture is improving year on year. Nevertheless, for some cyber risks, a lower-than expected percentage of insurers have controls in place….The 2021 data suggests that some entities would benefit from reviewing their network security risks and the status of their corresponding controls… An insurer who trusts third parties with data, or to deliver Information Technology (IT) services, should consider having contractual clauses in place to ensure its security requirements are met. Only 79% of entities have reviewed the cyber risk associated with their third-party IT providers in the last 12 months. Although this is an improvement over the 60% reported in 2020, the overall percentages have room for further improvement.
I expect that the BMA will continue to be diligent and proactive in its commitment to seeing the financial sectors that it regulates, including the insurance sector, improve their IT and cyber security oversight, whether by way of internal controls or by way of robust contracts that procure the operational services that are delivered to them by third parties.
Please reach out to Bermuda Managing Partner Brad Adderley or Partner Duncan Card who specialises in IT and outsourcing contracts, privacy law and cybersecurity compliance in Bermuda if you have any questions or need advice.