28 April 2021Bermuda analysis

Beware increased cyber risk from third party service providers: BMA

Insurers should be aware that engaging with third party service providers leaves them exposed to heightened cyber risk, and take steps to mitigate this risk, according to the Bermuda Monetary Authority (BMA).

In its Bermuda Insurance Sector Operational Cyber Risk Management 2020 Report, the BMA warned that information should be classified and protected in a manner commensurate with its sensitivity, value and criticality, ensuring it does not fall into the wrong hands.

“An asset inventory should be put in place, detailing all information assets,” the BMA said. “The information must be classified in terms of its value, legal requirements, sensitivity and criticality to the organisation.”

The BMA stressed the importance of managing cyber risk when dealing with third parties and supply chains, which it said is an important part of the risk management process, calling on senior management to take responsibility for cyber safety.

“The board of directors and senior management team must have oversight of cyber risks,” the BMA said. “The board of directors must approve a cyber risk policy document at least annually. The cyber risk may be covered in a standalone cyber risk policy document or as a section in a broader risk policy document.”

It said registrants must perform an assessment of their DLP control requirements, to ensure controls are in place to prevent data leaving the enterprise in an unauthorised manner.

“Registrants must have patch management procedures that define the identification, categorisation and prioritisation of security patches,” it said. “Registrants must pay close attention to a vendor’s end-of-support date as matches may no longer be available after this date.”

It advised insurers who trust third parties with data, or to deliver IT services, to “consider having contractual clauses in place to ensure their security requirements are met.”

The BMA vowed to continue monitoring cyber irsk filing returns, and the evolving cyber risk landscape, and to “keep consulting with the insurance sector in a proactive manner.”