Cyber security regulations: The shape of things to come for captives?
In an environment of technological threats, cyber security is moving up the captive agenda, say EY Bermuda’s Daniel Message, Kerr Kennedy and Chris Maiato
In an environment of growing technological threats, it was perhaps only a matter of time before enhanced regulatory oversight emerged for cyber security in the insurance sector. New requirements issued by the New York Department of Financial Services (NYDFS) represent an early version of what is likely to be a new wave of such regulations, with the topic simultaneously coming into sharper focus for other regulators across the globe. Cyber security is now moving up the agendas of captive owners, as steps are taken to address these emerging issues.

Emerging regulatory oversight

The NYDFS regulations come in response to concerns over the growing number of cyber security events and the corresponding risks currently faced by the financial services industry. They apply to banks, insurance companies and other financial services institutions regulated by the NYDFS, taking effect on 1 March this year and followed by a transitional period. Other regulators such as the US Securities and Exchange Commission and those in countries including Singapore, Malaysia, China and Japan have announced cyber security regulations, while others such as the Bank of Ireland have issued guidance (as opposed to requirements).

In the case of the NYDFS, for example, there are limited exemptions to some reporting criteria, which may mean that some captives need not comply with all of the regulatory requirements. However, those that do not fall within the scope, or are exempt from current regulation, may still wish to enhance their cyber security approach, for reasons which may include: strategic alignment with the approach taken by parent or other group companies that may be regulated in their own right; as a tool to aim for best practice, with a structured approach to cyber security; and in anticipation of future additional regulatory and/or third party oversight.

To highlight some of the areas of regulatory focus, key elements of the NYDFS regulations include:

  • Cyber security programme and policy: Firms should adopt an approved, written cyber security policy and supporting policies and procedures to protect their information systems and non-public information (NPI), as defined in the regulations. The spirit of the programme includes enabling the firm to identify cyber risks, protect against unauthorised access/use or other malicious acts, detect cyber security events, respond to identified cyber security events to mitigate any negative effects, and recover from cyber security events and restore normal operations and services.

  • Risk assessment, testing and compliance: Firms should rigorously assess the risks associated with their information systems. A firm’s risk assessment will provide the basis for how it addresses the finalised NYDFS requirements. Firms should conduct penetration testing annually and vulnerability assessments biannually, both based on the firm’s risk assessment.

  • Personnel, resources and training: Firms should designate a qualified chief information security officer to drive the cyber security programme. More broadly, in light of these proposals, firms should validate that they have the necessary resources (in-house or from a third party) to meet their new cyber responsibilities, and that employees have the necessary training.

  • Access privileges, application security and NPI encryption: Firms need robust policies and procedures to address these issues. NPI should be encrypted but where compensating controls are used instead, they must be approved by the chief information security officer.

  • Audit and NPI records retention: Firms need rigorous systems, policies and procedures to provide for a holistic audit trail. NPI should be destroyed appropriately.

  • Third parties: Firms need to validate that third parties are capable of adhering to new requirements and implement guidelines and/or contractual terms to enforce these requirements.

  • Incident response and notification: Firms should adopt robust incident management plans and should be able to notify the NYDFS of material events within 72 hours.

Due to the nature of how captives operate, the cyber security programme may involve multiple stakeholders such as captive employees, captive managers, the parent company and third parties. A clear understanding of what falls in the domain of each is needed in order to design appropriate strategies and controls, with the objective of ensuring the captive is equipped to deal with constantly evolving threats and a changing regulatory environment. Some upskilling of existing captive personnel and/or the use of third parties may be needed in order to handle more technical aspects or to fulfil a role such as that of the chief information security officer.

However, while the impetus of this enhanced oversight is on protecting registered entities and their stakeholders, adding a further layer of regulatory oversight could be seen as adding further bureaucracy, using valuable captive resources. This will be compounded if the cyber security requirements of one regulator are not streamlined with those of other regulators (for example, state versus federal versus industry-specific requirements), which could complicate the reporting process. Further, having potentially been created for all regulated entities and not just insurers, some regulatory prescriptions may not be as applicable to captives.

Some exemptions perhaps imply an acknowledgement of this, with carve-outs for entities of a more limited scope or scale. Boards might consider adopting their own proportionate, risk-based approach in the absence of any formal requirements. Even if not directly applicable, however, the emerging regulations can still provide a forum for discussion and a structure in which cyber security can be brought to the boardroom table.

Cyber security’s rise in prominence will likely result in captive boards placing further emphasis on its inclusion in governance, risk management and controls frameworks, perhaps necessitating the design and implementation of altogether new policies. Regulations are likely to permeate an already complex landscape, although it remains to be seen which bodies ultimately drive them and the extent to which compliance for captives is mandated. In any case, the enhanced focus of regulators on the topic points to a wider cyber security issue, which warrants careful consideration by captives going forward.

The views expressed in this article are those of the authors and do not necessarily reflect the views of any member firm of the global EY organisation.

Copyright (C) 2013 Black Knight Media Ltd. All rights reserved. No reproduction without prior authorization