Facebook logo
Facebook logo
Facebook logo
Facebook logo

Latest Headlines

Captive Insurance Times home | Features | Cyber security regulations: The shape of things to come for captives?← You are here

Latest News
XL Catlin appoints Steve Bauman
22 May 2017 | New York
Steve Bauman has joined XL Catlin as head of global programmes and the captive practice in North America, effective 23 May Read more

New general counsel for California insurance department
22 May 2017 | California
The California insurance commissioner Dave Jones has appointed Ken Schnoll as general counsel for the state’s department of insurance Read more

For more news visit our news section

Upcoming events
PARIMA 2017 Shanghai
Date: 21 June 2017
Location: Intercontinental Shanghai Pudong, Shanghai
Find out more

WRCIC conference
Date: 22-24 May
Location: Marriott City Centre, Salt Lake City
Find out more

For more events visit our event section
Industry recruitment
There are currently no jobs available
For more jobs visit our recruitment section
Captive Insurance Times
View the latest issues online now

Sister publications
Securities Lending Times

Asset Servicing Times

Real Estate Investment Times

Media pack [download]
Ad specs [download]
Latest features
A noughties hit
Feature: SACs in Bermuda, first crafted in the statute in 2000, are a useful tool for both captive and commercial insurers, says Kim Willey of ASW Law Read more

Cook Islands
Country profile: In an era of increasing uncertainty, Tamatoa Jonassen suggests that the Cook Islands can be a bridge to financial security in a captive Read more

Brian McDonagh :: Marsh Captive Solutions Dublin
Interview: Many captive owners are exploring alternative forms of capital in order to strengthen their capital base in a more efficient manner, says Brian McDonagh of Marsh Read more

For more features visit our features section
Latest news
Cyber security regulations: The shape of things to come for captives?
In an environment of technological threats, cyber security is moving up the captive agenda, say EY Bermuda’s Daniel Message, Kerr Kennedy and Chris Maiato
In an environment of growing technological threats, it was perhaps only a matter of time before enhanced regulatory oversight emerged for cyber security in the insurance sector. New requirements issued by the New York Department of Financial Services (NYDFS) represent an early version of what is likely to be a new wave of such regulations, with the topic simultaneously coming in to sharper focus for other regulators across the globe. Cyber security is now moving up the agendas of captive owners, as steps are taken to address these emerging issues.

Emerging regulatory oversight

The NYDFS regulations come in response to concerns over the growing number of cyber security events and the corresponding risks currently faced by the financial services industry. They pertain to banks, insurance companies and other financial services institutions regulated by the NYDFS, effective 1 March this year and a subsequent transitional period. Other regulators such as the US Securities and Exchange Commission and those in countries including Singapore, Malaysia, China and Japan have announced cyber security regulations, while others such as the Bank of Ireland have issued guidance (as opposed to requirements).

In the case of NYDFS, for example, there are limited exemptions to some reporting criteria, which may preclude some captives from having to necessarily comply with all regulatory requirements. However, those that do not fall within the scope, or are exempt from current regulation, may still wish to enhance their cyber security approach, for reasons which may include: strategic alignment with the approach taken by parent or other group companies that may be regulated in their own right; as a tool to aim for best practice, with a structured approach to cyber security; and in anticipation of future additional regulatory and/or third party oversight.

To highlight some of the areas of regulatory focus, key elements of the NYDFS regulations include:

  • Cyber security programme and policy: Firms should adopt an approved, written cyber security policy and supporting policies and procedures to protect their information systems and non-public information (NPI), as defined in the regulations. The spirit of the programme includes enabling the firm to identify cyber risks, protect against unauthorised access/use or other malicious acts, detect cyber security events, respond to identified cyber security events to mitigate any negative events, and recover from cyber security events and restore normal operations and services.

  • Risk assessment, testing and compliance: Firms should rigorously assess the risks associated with their information systems. A firm’s risk assessment will be utilised to provide the basis for how it addresses requirements under the finalised NYDFS requirements. On an annual basis, firms should conduct penetration testing, and vulnerability assessments should be performed biannually, both of which are based on the firm’s risk assessment.

  • Personnel, resources and training: Firms should designate a qualified chief information security officer to drive the cyber security programme. More broadly, in light of these proposals, firms should validate that they have the necessary resources (in-house or from a third party) to meet their new cyber responsibilities, and that employees have the necessary training.

  • Access privileges, application security and NPI encryption: Firms need robust policies and procedures to address these issues. NPI should be encrypted but where compensating controls are used instead, they must be approved by the chief information security officer.

  • Audit and NPI records retention: Firms need rigorous systems, policies and procedures to provide for a holistic audit trail. NPI should be destroyed appropriately.

  • Third parties: Firms need to validate that third parties are capable of adhering to new requirements and implement guidelines and/or contractual terms to enforce these requirements.

  • Incident response and notification: Firms should adopt robust incident management plans and should be able to notify the NYDFS of material events within 72 hours.

  • Due to the nature of how captives operate, the cyber security programme may involve multiple stakeholders such as captive employees, captive managers, the parent company and third parties. A clear understanding of what falls in the domain of each is needed in order to design appropriate strategies and controls, with the objective of ensuring the captive is equipped to deal with constantly evolving threats and a changing regulatory environment. Some upskilling of existing captive personnel and/or the use of third parties may be needed in order to handle more technical aspects or to fulfil a role such as that of the chief information security officer.

    However, while the impetus of this enhanced oversight is on protecting registered entities and their stakeholders, adding a further layer of regulatory oversight could be seen as adding further bureaucracy, using valuable captive resources. This will be compounded if the cyber security requirements of one regulator are not streamlined with those of other regulators, which could complicate the reporting process. For example, state versus federal versus industry-specific requirements. Further, having potentially been created for all regulated entities and not just insurers, some regulatory prescriptions may not be as applicable to captives.

    Some exemptions perhaps imply an acknowledgement of this, with carve-outs for entities of a more limited scope or scale. Boards might consider adopting their own proportionate, risk-based approach in the absence of any formal requirements. Even if not directly applicable, however, the emerging regulations can still provide a forum for discussion and a structure in which cyber security can be brought to the boardroom table.

    Cyber security’s rise in prominence will likely result in captive boards placing further emphasis on its inclusion in governance, risk management and controls frameworks, perhaps necessitating the design and implementation of altogether new policies. Regulations are likely to permeate in an already complex landscape, although it remains to be seen which bodies ultimately drive them and the extent to which compliance for captives is mandated. In any case, the enhanced focus of regulators on the topic points to a wider cyber security issue, which warrants careful consideration by captives going forward.

    The views expressed in this article are those of the authors and do not necessarily reflect the views of any member firm of the global EY organisation.

    To view the full issue in which this article appeared - Click Here

    XL Catlin appoints Steve Bauman
    Steve Bauman has joined XL Catlin as head of global programmes and the captive practice in North Ame Read more

    New general counsel for California insurance department
    The California insurance commissioner Dave Jones has appointed Ken Schnoll as general counsel for th Read more

    A.M. Best affirms NextEra Energy captive
    A.M. Best has affirmed the financial strength rating of “A (Excellent)” and the long-term issuer Read more

    PRIIA puts insurance market at ease
    PRIIA has reassured the insurance industry that although Puerto Rico has filed for voluntary bankrup Read more

    Peter Allen joins Moore Stephens from Grant Thornton
    Allen joined the company from Grant Thornton Singapore where he served as CEO and senior adviser Read more

    Captive Insurance Times site map


    Issue archive
    Back issues online
    Events andtraining
    Upcoming events

    Upcoming training

    Company info
    About us

    Contact us

    Copyright (C) 2013 Black Knight Media Ltd. All rights reserved. No reproduction without prior authorization