Emerging regulatory oversight
The NYDFS regulations come in response to concerns over the growing number of cyber security events and the corresponding risks currently faced by the financial services industry. They apply to banks, insurance companies and other financial services institutions regulated by the NYDFS, took effect on 1 March this year, and are followed by a transitional period for compliance. Other regulators, such as the US Securities and Exchange Commission and those in countries including Singapore, Malaysia, China and Japan, have announced cyber security regulations, while others, such as the Central Bank of Ireland, have issued guidance (as opposed to requirements).
In the case of NYDFS, for example, there are limited exemptions from some of the requirements, which may mean that some captives do not have to comply with every provision. However, captives that fall outside the scope of current regulation, or are exempt from it, may still wish to enhance their cyber security approach, for reasons which may include: strategic alignment with the approach taken by a parent or other group companies that may be regulated in their own right; use of the regulation as a benchmark for best practice and a structured approach to cyber security; and anticipation of future regulatory and/or third-party oversight.
To highlight some of the areas of regulatory focus, key elements of the NYDFS regulations include:
Due to the nature of how captives operate, the cyber security programme may involve multiple stakeholders such as captive employees, captive managers, the parent company and third parties. A clear understanding of what falls in the domain of each is needed in order to design appropriate strategies and controls, with the objective of ensuring the captive is equipped to deal with constantly evolving threats and a changing regulatory environment. Some upskilling of existing captive personnel and/or the use of third parties may be needed in order to handle more technical aspects or to fulfil a role such as that of the chief information security officer.
However, while the impetus for this enhanced oversight is the protection of regulated entities and their stakeholders, adding a further layer of regulatory oversight could be seen as adding bureaucracy and consuming valuable captive resources. This will be compounded if the cyber security requirements of one regulator are not aligned with those of others (for example, state versus federal versus industry-specific requirements), which could complicate the reporting process. Further, having potentially been written for all regulated entities and not just insurers, some regulatory prescriptions may be less applicable to captives.
Some exemptions perhaps imply an acknowledgement of this, with carve-outs for entities of a more limited scope or scale. Boards might consider adopting their own proportionate, risk-based approach in the absence of any formal requirements. Even if not directly applicable, however, the emerging regulations can still provide a forum for discussion and a structure in which cyber security can be brought to the boardroom table.
Cyber security’s rise in prominence will likely result in captive boards placing further emphasis on its inclusion in governance, risk management and controls frameworks, perhaps necessitating the design and implementation of altogether new policies. Regulations are likely to permeate an already complex landscape, although it remains to be seen which bodies ultimately drive them and the extent to which compliance is mandated for captives. In any case, the enhanced focus of regulators on the topic points to a wider cyber security issue, which warrants careful consideration by captives going forward.
The views expressed in this article are those of the authors and do not necessarily reflect the views of any member firm of the global EY organisation.