Bermuda Insurers' Cyber-Risk Posture Improving, but More Needed

April 12, 2023

While the Bermuda insurance industry's cyber-risk posture is improving, the percentage of insurers with controls in place for some cyber risks is lower than expected, according to a recent report from the Bermuda Monetary Authority (BMA).

The report, Bermuda Insurance Sector Operational Cyber Risk Management—2022 Report, is based on enhanced Bermuda Solvency Capital Requirement cyber-filing returns the BMA received in the year-end 2021 filing from insurance managers, commercial insurers, brokers, and agents.

The BMA identified four areas in which fewer insurers have cyber-risk controls in place than would have been expected.

Network security defense in depth controls (a multilayered approach). The BMA notes that network security best practices would include regular firewall rule set reviews, network segregation, regular penetration testing, and regular external vulnerability scanning.

"The 2021 data suggests that some entities would benefit from reviewing their network security risks and the status of their corresponding controls," the BMA report says. "Although this finding was not included in the 2021 report covering 2020 data, the subsequent collection of more detailed data has resulted in this finding."

Third-party cyber-risk management assessment. The report notes that managing third-party cyber risks and risks along the supply chain are important elements of cyber-risk management. Insurers who trust third parties with data or to provide information technology (IT) services should consider having contractual clauses in place to ensure that their cyber-security requirements are met, the BMA says.

"Only 79 percent of entities have reviewed the cyber risk associated with their third-party IT providers in the last 12 months," the BMA report says. "Although this is an improvement over the 60 percent reported in 2020, the overall percentages have room for further improvement."

Data classification. Information should be classified and protected in a manner commensurate with its sensitivity, value, and criticality, the BMA says. Insurers should have an asset inventory in place, detailing all their information assets, according to the report, with information classified in terms of its value, legal requirements, sensitivity, and criticality to the organization.

"Only 66 percent of respondents have completed the classification of their data," the report says. "This is largely unchanged from the 65 percent reported in both 2020 and 2019."

Data loss prevention (DLP) controls. Insurers must perform an assessment of their DLP control requirements and implement controls to prevent data from leaving the enterprise without authorization, the BMA says. The report notes that data breach incidents often lead to financial losses and reputation damage. DLP requirements should be assessed in terms of data criticality and regulatory and contractual requirements, the report says.

"Only 80 percent of entities stated they have DLP controls in place," the BMA says. "Although the trend is up compared to 71 percent in 2019 and 77 percent in 2020, overall percentages are still lower than expected."

The BMA report notes that Bermuda's Insurance Sector Operational Cyber Risk Management Code of Conduct is meant to promote the stable and secure management of regulated entities' IT systems.

"The Authority is not adopting a 'one-size-fits-all' approach," the report says. "It expects cyber-risk controls to be proportional to the organization's nature, scale, and complexity."

The BMA also acknowledges that some companies will use third-party technology service providers or may outsource IT resources to an insurance manager. All third-party and outsourced services should be subject to cyber-risk reviews, the report says.

The report also notes the existence of the Insurance Amendment Act of 2020, which requires that the BMA be notified of "cyber-reporting events."

"It should be noted that only cyber-reporting events resulting in a significant adverse impact on the regulated entity's operations, policyholders, or clients must be reported to the Authority," the report says.

Organizations that experience reportable events must provide an incident report detailing the incident, the root cause, actions taken to minimize the incident's impact, and any adverse impacts to the organization within 14 days of the event.

The BMA says it treats cyber-reporting events in complete confidence and that it analyzes the events, using the information in its cyber-risk profiling efforts as it looks to remain up-to-date with the changing nature of cyber risks and their impact on registered companies and the insurance sector as a whole.

The BMA report describes several key findings emerging from cyber reports filed in 2021. Among them is that cyber attackers frequently have success targeting email.

Data breaches reported included email breaches in which unstructured data—data that is not arranged in a predefined schema or stored in a traditional database—was exfiltrated from the targeted company, the report says. When attackers gain access to unstructured data, it can be difficult to determine exactly what data was exfiltrated, to whom it belongs, and who must be notified under contractual and regulatory requirements.

Another finding from the 2021 reports is that poor security testing practices lead to undetected vulnerabilities, which then are exploited by attackers.

The 2021 reports also showed that third-party IT service providers are experiencing security incidents, the BMA report says. Most common were attacks on IT administrators' privileged accounts to gain access to networks, and attacks exploiting weaknesses in Internet-facing systems to gain access to personally identifiable information or financial systems.

Finally, the 2021 cyber reports showed that ransomware remains a threat, the BMA says.