SECP says insurers must get cyber risk insurance

The Securities and Exchange Commission of Pakistan (SECP) has issued directives to the insurance sector for protection against cyber attacks, saying the probability of cyber risk is greater today than ever before due to increasing reliance on technology for business operations and expansion of financial technology.

The SECP directives, issued under SRO 31 (I)/2019 on Wednesday, warned that all life and non-life insurers including family and general takaful operators are required to obtain cyber risk insurance to cover their own cyber risks to mitigate losses or damages from a variety of cyber incidents, including data breaches, business interruption, and network damage.

The corporate sector regulator has directed insurers to submit the cyber security framework assessment reports by April 30 of every year to the SECP.

The SECP said that because insurers are significant contributors to the national financial sector, interruptions of insurers’ systems due to cyber security incidents may have far-reaching implications.

The SECP has further directed insurance companies that cyber risk insurance will protect insurers against claims arising from cyber attacks, and that an insurer’s cyber security framework should support and promote both its operational security and the protection of policyholders’ data.

The SECP has also directed the insurance companies to protect their networks, including hardware, firmware and software components, and to ensure integrity, control of information flow, boundary protection, and network segregation where needed.

The insurers’ cyber security framework will be able to protect policyholder data in the wake of enhanced reliance on BPO (business process outsourcing), technology-based agency arrangements and other strategic partnerships for offering technology-based innovative insurance products and services, the SECP said.

The SECP has explained that cyber risk means “any risks that emanate from the use of electronic data and its transmission, including technology tools such as the internet and telecommunications networks.”

The SRO said that this risk also includes physical damage that can be caused by cybersecurity incidents, fraud committed by misuse of data, any liability arising from data storage, and the availability, integrity, and confidentiality of electronic information, be it related to individuals, companies, or governments.

The SECP has also explained that the insurers gather, store, and maintain substantial volumes of confidential personal and organisational information, and because of these reservoirs of data, insurers are potential targets for cyber criminals who seek information that later can be used for financial gain through extortion, identity theft, or other illegal activities.

The insurance companies have been directed to appoint a senior executive as Chief Information Security Officer (CISO), having adequate qualification and experience, who will be responsible for implementation of the overall cybersecurity framework within the organisation.

The CISO will be consulted for input with regard to cyber risk and the cybersecurity strategy and framework required to mitigate inherent cyber risk.