Cyber security regulations: The shape of things to come for captives?

In an environment of growing technological threats, it was perhaps only a matter of time before enhanced regulatory oversight emerged for cyber security in the insurance sector. New requirements issued by the New York Department of Financial Services (NYDFS) represent an early version of what is likely to be a new wave of such regulations, with the topic simultaneously coming in to sharper focus for other regulators across the globe. Cyber security is now moving up the agendas of captive owners, as steps are taken to address these emerging issues.

Emerging regulatory oversight

The NYDFS regulations come in response to concerns over the growing number of cyber security events and the corresponding risks currently faced by the financial services industry. They pertain to banks, insurance companies and other financial services institutions regulated by the NYDFS, effective 1 March this year and a subsequent transitional period. Other regulators such as the US Securities and Exchange Commission and those in countries including Singapore, Malaysia, China and Japan have announced cyber security regulations, while others such as the Bank of Ireland have issued guidance (as opposed to requirements).

In the case of NYDFS, for example, there are limited exemptions to some reporting criteria, which may preclude some captives from having to necessarily comply with all regulatory requirements. However, those that do not fall within the scope, or are exempt from current regulation, may still wish to enhance their cyber security approach, for reasons which may include: strategic alignment with the approach taken by parent or other group companies that may be regulated in their own right; as a tool to aim for best practice, with a structured approach to cyber security; and in anticipation of future additional regulatory and/or third party oversight.

To highlight some of the areas of regulatory focus, key elements of the NYDFS regulations include:

  • Cyber security programme and policy: Firms should adopt an approved, written cyber security policy and supporting policies and procedures to protect their information systems and non-public information (NPI), as defined in the regulations. The spirit of the programme includes enabling the firm to identify cyber risks, protect against unauthorised access/use or other malicious acts, detect cyber security events, respond to identified cyber security events to mitigate any negative events, and recover from cyber security events and restore normal operations and services.

  • Risk assessment, testing and compliance: Firms should rigorously assess the risks associated with their information systems. A firm’s risk assessment will be utilised to provide the basis for how it addresses requirements under the finalised NYDFS requirements. On an annual basis, firms should conduct penetration testing, and vulnerability assessments should be performed biannually, both of which are based on the firm’s risk assessment.

  • Personnel, resources and training: Firms should designate a qualified chief information security officer to drive the cyber security programme. More broadly, in light of these proposals, firms should validate that they have the necessary resources (in-house or from a third party) to meet their new cyber responsibilities, and that employees have the necessary training.

  • Access privileges, application security and NPI encryption: Firms need robust policies and procedures to address these issues. NPI should be encrypted but where compensating controls are used instead, they must be approved by the chief information security officer.

  • Audit and NPI records retention: Firms need rigorous systems, policies and procedures to provide for a holistic audit trail. NPI should be destroyed appropriately.

  • Third parties: Firms need to validate that third parties are capable of adhering to new requirements and implement guidelines and/or contractual terms to enforce these requirements.

  • Incident response and notification: Firms should adopt robust incident management plans and should be able to notify the NYDFS of material events within 72 hours.

  • Due to the nature of how captives operate, the cyber security programme may involve multiple stakeholders such as captive employees, captive managers, the parent company and third parties. A clear understanding of what falls in the domain of each is needed in order to design appropriate strategies and controls, with the objective of ensuring the captive is equipped to deal with constantly evolving threats and a changing regulatory environment. Some upskilling of existing captive personnel and/or the use of third parties may be needed in order to handle more technical aspects or to fulfil a role such as that of the chief information security officer.

    However, while the impetus of this enhanced oversight is on protecting registered entities and their stakeholders, adding a further layer of regulatory oversight could be seen as adding further bureaucracy, using valuable captive resources. This will be compounded if the cyber security requirements of one regulator are not streamlined with those of other regulators, which could complicate the reporting process. For example, state versus federal versus industry-specific requirements. Further, having potentially been created for all regulated entities and not just insurers, some regulatory prescriptions may not be as applicable to captives.

    Some exemptions perhaps imply an acknowledgement of this, with carve-outs for entities of a more limited scope or scale. Boards might consider adopting their own proportionate, risk-based approach in the absence of any formal requirements. Even if not directly applicable, however, the emerging regulations can still provide a forum for discussion and a structure in which cyber security can be brought to the boardroom table.

    Cyber security’s rise in prominence will likely result in captive boards placing further emphasis on its inclusion in governance, risk management and controls frameworks, perhaps necessitating the design and implementation of altogether new policies. Regulations are likely to permeate in an already complex landscape, although it remains to be seen which bodies ultimately drive them and the extent to which compliance for captives is mandated. In any case, the enhanced focus of regulators on the topic points to a wider cyber security issue, which warrants careful consideration by captives going forward.

    The views expressed in this article are those of the authors and do not necessarily reflect the views of any member firm of the global EY organisation.
    The latest features from Captive Insurance Times
    What should a captive look for when hiring a firm to manage its portfolio? Stephen Nedwicki of Comerica Bank takes a look
    Martin Membery and Andrew Holland of Sidley Austin discuss the signing of the EU-US bilateral covered agreement and who will potentially benefit from it
    Join Our Newsletter

    Sign up today and never
    miss the latest news or an issue again

    Subscribe now
    Michael Zuckerman of Temple University Fox School of Business makes the case for a captive insurance company independent board director
    This year’s Bermuda Captive Conference highlighted the importance of the captive industry to the island, and the need to stay ahead of the curve in terms of regulation and innovation in order to maintain its global status
    Brady Young, Stuart King and Andrew Berry tell Becky Butcher about the decision to expand into Europe with a new operation in Dublin
    Unscrupulous micro captive managers and their motley crews might have walked their last plank following the ruling in the good ship Avrahami
    More than 200 delegates gathered in Charlotte, North Carolina, to attend the state’s three-day annual captive insurance conference. Becky Butcher reports
    John Dies and Steve Miller of alliantgroup analyse the Avrahami tax court case decision, and warn captives to take a look at their own programmes
    Domicile profiles
    The latest domicile profiles from Captive Insurance Times
    Although the Isle of Man is currently focusing on updating its regulatory framework, Solvency II, Brexit and the Asian market all hold big opportunities for the island
    Debbie Walker of the North Carolina Department of Insurance tells Becky Butcher why the state is among 2017’s standout performers
    Asset Servicing Times

    Visit our sister site
    for all the latest asset servicing news and analysis
    Experts convene to talk to Becky Butcher about the stability that Guernsey represents in a challenging financial and political environment
    In an era of increasing uncertainty, Tamatoa Jonassen suggests that the Cook Islands can be a bridge to financial security in a captive
    With a dedicated captive plan in place, the Lone Star State is on the rise, says Josh Magden of the Texas Captive Insurance Association
    After 36 years of captive business, Vermont boasts a culture of legislative change, and still has a few tricks up its sleeve. Dan Towle and David Provost explain
    After a successful 2016 and the licensing of its first securitisation cell company, Malta insurance industry professionals are looking ahead to 2017
    Missouri’s captive programme is approaching a decade in operation. John Talley explains how the state has made it to this milestone
    The latest interviews from Captive Insurance Times