The IAIS has published for consultation an application paper on how insurance supervisors should supervise cyber risk, cybersecurity, and the cyber resilience of insurers.
The main implication for insurers is that the breadth, depth and intensity of supervision in this area is certain to expand in most countries, with an ever-growing list of considerations that supervisors are likely to focus on through both their on-site and off-site work. The approach of the IAIS is also easily transferable across sectors, so in some countries this may also form the basis for the supervisory assessment of banks, securities firms and financial market infrastructures.
The approach recommended by the IAIS builds on frameworks and guidance from multiple sources, in particular the G7 Fundamental Elements of Cyber Security for the Financial Sector (G7FE) and the related G7 Fundamental Elements for Effective Assessment of Cybersecurity for the Financial Sector.
The G7FE was developed by a group of experts under the joint leadership of the US Treasury and the Bank of England. The elements are intended to provide building blocks upon which a financial institution can design and implement its cybersecurity strategy and operating framework, informed by its approach to risk management and culture, and can be used to re-evaluate the firm's cybersecurity programme as the operational and threat environments evolve.
The G7FE identifies eight high-level elements of cybersecurity: strategy and framework, governance; risk and control assessment, monitoring, response, recovery, information sharing, and continuous learning.
The IAIS application paper amplifies each of these elements by setting out:
In addition, the paper provides a brief case study of the experience of De Nederlandsche Bank (DNB) in using its framework to assess the level of information security maturity (including for cybersecurity) within the insurance sector. The DNB's assessment framework is based on 54 control objectives, developed in close consultation with the industry.