These Guidelines, which apply to technology used in the insurance sector of Pakistan, set out guiding principles for adopting suitable cybersecurity measures for threat reduction, vulnerability reduction, deterrence and other cybersecurity controls. Effective July 1, 2020. Relevant excerpts appear below:
- The increasing reliance of the insurance sector of Pakistan on technology, in distribution and in offering other innovative products through the use of technology, makes it imperative that adequate measures be taken to make its information technology systems, and those of its partners and intermediaries, secure and resilient. This also makes it imperative to put regulatory measures in place for threat reduction, vulnerability reduction, deterrence and other cybersecurity measures. Accordingly, the Securities and Exchange Commission of Pakistan (SECP) is pleased to issue the SEC Guidelines on Cybersecurity Framework for the Insurance Sector, 2020 (the “Guidelines”) specifying guiding principles for adoption of suitable cybersecurity measures. The SECP recognizes that while cybersecurity is necessary for all insurers, there is no one-size-fits-all prescription for insurers; rather, it depends on the nature, size and complexity of the insurer's business.
- These Guidelines apply to all insurers, including takaful operators registered under the Insurance Ordinance 2000. They become effective from July 1, 2020; however, earlier adoption is encouraged.
- Insurers need to take into account the underlying cyber risk when the Board of Directors (the “Board”) of the insurer formulates its risk management policy, as part of the significant policies required under clause (xi) of the Code of Corporate Governance for Insurers, 2016. The Chief Information Security Officer (CISO) and the Risk Management Department (or function) will jointly identify, assess, quantify, monitor and control the nature, significance and interdependencies of cyber risks, and will be required to develop a cybersecurity strategy and framework to mitigate inherent cyber risk.
- Insurers, as a starting point, shall consider existing core technical standards on cybersecurity such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the Information Systems Audit and Control Association (ISACA)’s COBIT (“Control Objectives for Information and Related Technologies”), and the International Organisation for Standardisation (ISO) 27000 series, which consist of sets of standards and best practices for managing cyber risk. In 2017, the Financial Stability Board (FSB) also published a Stocktake of Publicly Released Cybersecurity Regulations, Guidance and Supervisory Practices discussing cybersecurity in the financial sector. Further, the International Association of Insurance Supervisors (IAIS) published an Application Paper on Supervision of Insurer Cybersecurity in November 2018, which focuses on supervision (i.e. from the regulatory perspective) of insurers’ cybersecurity.
- Appointment of CISO: (i) Insurers are encouraged to appoint or designate a senior officer as Chief Information Security Officer (CISO), having adequate qualification and experience, who will be responsible for implementation of the overall cybersecurity framework within the organization. The insurer shall carry out a well-documented and signed assessment of whether a separate CISO is required, taking into consideration the cybersecurity risks inherent in the organization, and based on that assessment may appoint or designate a CISO within three months of these Guidelines coming into effect. (ii) The Head of the Information Technology Department (HoIT) of the insurer shall preferably not be appointed as CISO. Where the same person is appointed as both HoIT and CISO, or a senior member of the Information Technology department is appointed as CISO, it should be ensured that the direct reporting lines of that person for the two roles are separate. Further, the CISO should report to the Board at least once a year.