Cyber security regulations: The shape of things to come for captives?

In an environment of growing technological threats, it was perhaps only a matter of time before enhanced regulatory oversight emerged for cyber security in the insurance sector. New requirements issued by the New York Department of Financial Services (NYDFS) represent an early version of what is likely to be a new wave of such regulations, with the topic simultaneously coming in to sharper focus for other regulators across the globe. Cyber security is now moving up the agendas of captive owners, as steps are taken to address these emerging issues.

Emerging regulatory oversight

The NYDFS regulations come in response to concerns over the growing number of cyber security events and the corresponding risks currently faced by the financial services industry. They pertain to banks, insurance companies and other financial services institutions regulated by the NYDFS, effective 1 March this year and a subsequent transitional period. Other regulators such as the US Securities and Exchange Commission and those in countries including Singapore, Malaysia, China and Japan have announced cyber security regulations, while others such as the Bank of Ireland have issued guidance (as opposed to requirements).

In the case of NYDFS, for example, there are limited exemptions to some reporting criteria, which may preclude some captives from having to necessarily comply with all regulatory requirements. However, those that do not fall within the scope, or are exempt from current regulation, may still wish to enhance their cyber security approach, for reasons which may include: strategic alignment with the approach taken by parent or other group companies that may be regulated in their own right; as a tool to aim for best practice, with a structured approach to cyber security; and in anticipation of future additional regulatory and/or third party oversight.

To highlight some of the areas of regulatory focus, key elements of the NYDFS regulations include:

  • Cyber security programme and policy: Firms should adopt an approved, written cyber security policy and supporting policies and procedures to protect their information systems and non-public information (NPI), as defined in the regulations. The spirit of the programme includes enabling the firm to identify cyber risks, protect against unauthorised access/use or other malicious acts, detect cyber security events, respond to identified cyber security events to mitigate any negative events, and recover from cyber security events and restore normal operations and services.

  • Risk assessment, testing and compliance: Firms should rigorously assess the risks associated with their information systems. A firm’s risk assessment will be utilised to provide the basis for how it addresses requirements under the finalised NYDFS requirements. On an annual basis, firms should conduct penetration testing, and vulnerability assessments should be performed biannually, both of which are based on the firm’s risk assessment.

  • Personnel, resources and training: Firms should designate a qualified chief information security officer to drive the cyber security programme. More broadly, in light of these proposals, firms should validate that they have the necessary resources (in-house or from a third party) to meet their new cyber responsibilities, and that employees have the necessary training.

  • Access privileges, application security and NPI encryption: Firms need robust policies and procedures to address these issues. NPI should be encrypted but where compensating controls are used instead, they must be approved by the chief information security officer.

  • Audit and NPI records retention: Firms need rigorous systems, policies and procedures to provide for a holistic audit trail. NPI should be destroyed appropriately.

  • Third parties: Firms need to validate that third parties are capable of adhering to new requirements and implement guidelines and/or contractual terms to enforce these requirements.

  • Incident response and notification: Firms should adopt robust incident management plans and should be able to notify the NYDFS of material events within 72 hours.

  • Due to the nature of how captives operate, the cyber security programme may involve multiple stakeholders such as captive employees, captive managers, the parent company and third parties. A clear understanding of what falls in the domain of each is needed in order to design appropriate strategies and controls, with the objective of ensuring the captive is equipped to deal with constantly evolving threats and a changing regulatory environment. Some upskilling of existing captive personnel and/or the use of third parties may be needed in order to handle more technical aspects or to fulfil a role such as that of the chief information security officer.

    However, while the impetus of this enhanced oversight is on protecting registered entities and their stakeholders, adding a further layer of regulatory oversight could be seen as adding further bureaucracy, using valuable captive resources. This will be compounded if the cyber security requirements of one regulator are not streamlined with those of other regulators, which could complicate the reporting process. For example, state versus federal versus industry-specific requirements. Further, having potentially been created for all regulated entities and not just insurers, some regulatory prescriptions may not be as applicable to captives.

    Some exemptions perhaps imply an acknowledgement of this, with carve-outs for entities of a more limited scope or scale. Boards might consider adopting their own proportionate, risk-based approach in the absence of any formal requirements. Even if not directly applicable, however, the emerging regulations can still provide a forum for discussion and a structure in which cyber security can be brought to the boardroom table.

    Cyber security’s rise in prominence will likely result in captive boards placing further emphasis on its inclusion in governance, risk management and controls frameworks, perhaps necessitating the design and implementation of altogether new policies. Regulations are likely to permeate in an already complex landscape, although it remains to be seen which bodies ultimately drive them and the extent to which compliance for captives is mandated. In any case, the enhanced focus of regulators on the topic points to a wider cyber security issue, which warrants careful consideration by captives going forward.

    The views expressed in this article are those of the authors and do not necessarily reflect the views of any member firm of the global EY organisation.
    The latest features from Captive Insurance Times
    Jeremy Colombik of MSI and NCCIA chair explains to Becky Butcher that Notice 2016-66 could be detrimental to not just North Carolina, but other domiciles that are home to smaller captives
    Dan Towle, president of CICA and Zach Finn, professor at Butler University, discuss their new professional development partnership, which will see students learn about the variety of career opportunities in captive insurance
    Join Our Newsletter

    Sign up today and never
    miss the latest news or an issue again

    Subscribe now
    Alan Cabello of AGCS discusses blockchain technology, captives and the future
    Alan Fine of Brown Smith Wallace explains how the industry should proceed after the Avrahami court case ruling
    Dana Hentges Sheridan, general counsel and chief compliance officer at Active Captive Management, provides insight into the differences between business risks and insurance risks
    Predicting when interest rates will change is difficult, which is even more reason to maintain a disciplined approach to your investments, according to Stephen Nedwicki of Comerica Bank
    Looking ahead to 2018, Phillip Giles of QBE North America predicts continued uncertainty for the healthcare reform
    Michael Schroeder of Roundstone explains why transparency, control and cost savings are the secret sauce offered by a medical captive
    Domicile profiles
    The latest domicile profiles from Captive Insurance Times
    Tennessee’s governor, commissioner, general assembly and business community have all worked together to create ‘explosive growth’ in the state’s captive insurance industry. Julie Mix McPeak explains more
    Newly-appointed chairman of CCIA Michael Maglaras suggests that the future is bright for state’s captive industry
    Asset Servicing Times

    Visit our sister site
    for all the latest asset servicing news and analysis
    Although the Isle of Man is currently focusing on updating its regulatory framework, Solvency II, Brexit and the Asian market all hold big opportunities for the island
    Debbie Walker of the North Carolina Department of Insurance tells Becky Butcher why the state is among 2017’s standout performers
    Experts convene to talk to Becky Butcher about the stability that Guernsey represents in a challenging financial and political environment
    In an era of increasing uncertainty, Tamatoa Jonassen suggests that the Cook Islands can be a bridge to financial security in a captive
    With a dedicated captive plan in place, the Lone Star State is on the rise, says Josh Magden of the Texas Captive Insurance Association
    After 36 years of captive business, Vermont boasts a culture of legislative change, and still has a few tricks up its sleeve. Dan Towle and David Provost explain
    The latest interviews from Captive Insurance Times