Recorder report

ISLAMABAD: All life and non-life insurers, including family and general Takaful operators, will be required to obtain cyber-risk insurance covering their own cyber risks, to mitigate losses or damages from a variety of cyber incidents, including data breaches, business interruption and network damage.

Under SRO 31 (I)/2019, issued here on Wednesday, the Securities and Exchange Commission of Pakistan (SECP) has directed all insurance companies and Takaful operators accordingly.

The SECP has further directed insurance companies that the cyber-risk insurance shall preferably protect the insurer against claims arising out of at least a privacy wrongful act and a network security wrongful act.

The insurer's cyber security framework shall be able to protect policyholder data given the increased reliance on business process outsourcing (BPO), technology-based agency arrangements and other strategic partnerships for offering technology-based innovative insurance products and services, said the SECP.

The insurer’s cyber security framework should support and promote both its operational security and the protection of policyholder data.

The SECP has further directed that insurers shall protect the integrity of their networks (hardware, firmware and software components), including through control of information flow, boundary protection and, where needed, network segregation.

Under SRO 31 (I)/2019, the SECP has warned insurance companies that, with the increasing reliance on technology for business operations and the expansion of financial technology, the potential impact of cyber risk is now greater than ever before. Cyber risk means any risk that emanates from the use of electronic data and its transmission, including technology tools such as the internet and telecommunications networks. It also encompasses physical damage that can be caused by cyber security incidents, fraud committed by misuse of data, any liability arising from data storage, and the availability, integrity and confidentiality of electronic information, whether it relates to individuals, companies or governments.

The SECP said that cyber risk presents an evolving challenge for the insurance sector, and for the financial sector as a whole, because of growing interconnectedness. Insurers gather, store and maintain substantial volumes of confidential personal and organisational information. Because of these reservoirs of data, insurers are potential targets for cyber criminals seeking information that can later be used for financial gain through extortion, identity theft or other illegal activities. In addition, because insurers are significant contributors to the national financial sector, interruptions of insurers' systems due to cyber security incidents may have far-reaching implications.

The increasing reliance of Pakistan's insurance sector on technology, both in distribution and in offering other innovative products, makes it imperative that adequate measures be taken to make its information technology systems, and those of its intermediaries, secure and resilient.

The SECP has directed that insurers shall implement assessment programmes, at least annually, to help the board and senior management evaluate the adequacy and effectiveness of the insurer's cyber security framework and take the necessary measures, including, where appropriate, an independent compliance programme and audit carried out by qualified individuals to assess the framework and measure its implementation.

Insurers will appoint a senior executive with adequate qualifications and experience as chief information security officer (CISO), responsible for implementing the overall cyber security framework within the organisation.

Insurers must take the underlying cyber risk into account when the board formulates the insurer's risk management policy, as one of the significant policies required under clause (xi) of the Code of Corporate Governance for Insurers, 2016. The CISO will be consulted for input on cyber risk and on the cyber security strategy and framework to be put in place to mitigate the inherent cyber risk.

Insurers are required to submit to the Commission the cyber security framework assessment reports, to be prepared by April 30 of every year, the SECP added.