Insurers given 24 hours to report major cyber attacks to regulator
IRA says cybersecurity incidents that qualify as material will include those that cause significant disruption of critical services, platforms or systems, result in unauthorised access to or loss of sensitive personal and customer data, or lead to financial loss to the insurer, its clients or third parties.
Insurance companies will have to disclose to the regulator major cyber attacks on their business within 24 hours in line with the newly issued cybersecurity compliance framework for the industry.
The Insurance Regulatory Authority (IRA) guidance note on cybersecurity for insurers is warning of heightened exposure to cybersecurity threats and data breaches as companies step up use of technology in onboarding customers and managing claims.
In the guidance note, which sets minimum standards for the management of cybersecurity risks, insurers are required to develop and implement cybersecurity strategies, policies and procedures, which must be approved by their boards and IRA.
“All licensed insurers and reinsurers are required to familiarise themselves with the contents of the guidance note and ensure full and timely implementation,” said Godfrey Kiptum, IRA chief executive, in a circular accompanying the note.
Insurers have also been directed to report all material cybersecurity incidents to the IRA within 24 hours from confirmation or substantiated detection, whichever is earlier.
IRA says incidents that qualify as material will include those that cause significant disruption of critical services, platforms or systems, result in unauthorised access to or loss of sensitive personal and customer data, or lead to financial loss to the insurer, its clients or third parties.
Insurers will be expected to review the document and update the policy at least annually or upon significant changes in their ICT environment, threat landscape or regulatory obligations.
In addition, insurers will be required to track cybersecurity incidents and submit a quarterly report to IRA within 15 days of the end of each quarter. The regulator’s move aims at enhancing visibility into cybersecurity breaches.
The regulator warns that cyber incidents in the industry can significantly affect policyholders through compromise of personal and financial data, disruption of claims processing, denial of service or erosion of trust.
The guidance explicitly makes boards of directors accountable for cybersecurity governance, marking a shift from IT departments to executive-level responsibility. The note recommends that the board should include at least one member with experience and knowledge in cybersecurity to enhance oversight.
“The ultimate responsibility for an insurer’s cybersecurity framework rests with the board of directors and senior management,” the note states.
IRA has also asked insurers to increase staff training, phishing simulations and secure backup protocols, signalling that cybersecurity is going to be viewed as a company-wide responsibility and not just the preserve of technology departments.
The IRA note also addresses artificial intelligence-related cyber risks and third-party vulnerabilities, acknowledging that these emerging trends have increased the exposure of companies.