by António Isóo de Azeredo and José Rodrigues
The Macau Monetary Authority (AMCM) recently issued a new Guideline on Cybersecurity for the insurance sector.
This Guideline will be relevant to the majority of Operators in the insurance business, specifically, to authorised insurers, reinsurers, pension fund management companies, insurance brokers and corporate intermediaries. Its primary purpose is tackling increasing threats of cyber-attacks and enhancing defence mechanisms against them. For that aim, this Guideline provides the Macau insurance sector with a set of cybersecurity controls and measures for cyber risk management, which have to be adopted and regularly assessed by the Operators.
It should be noted that the Guideline focuses on eight main domains in which the Operators should adopt measures. In general terms, they can be summarised as follows:
- Governance – Consistent with effective management of other forms of risk faced by the Operators, sound governance is the key to proper cyber risk management. Operators should establish, implement and enhance their approach to managing cyber threats. Therefore, a clear and comprehensive cyber resilience framework should be developed and guided by a cyber resilience strategy, which defines the cyber resilience objective and sets out the people, process and technology requirements needed to achieve that goal. It is also important that clear roles and responsibilities of the board and senior management, if any, are established, together with a good culture of recognising the importance of cybersecurity.
- Identification – Without a proper understanding of the Operator’s ecosystem, Operators risk having inadequate coverage when implementing cybersecurity controls. Operators should develop organisational knowledge to identify and classify business processes, systems, people, assets, data, and external dependencies. Understanding the business context, the resources that support critical functions, and the related cyber risks enables Operators to focus and prioritise their efforts and align them with their risk management strategy.
- Protection – Without adequate security control on the system and processes, the confidentiality, integrity and availability of data and policy could be compromised. Operators should implement appropriate safeguards to ensure delivery of critical services and to contain the impact of a potential cybersecurity event.
- Detection – Timely detection gives Operators the lead time needed to deploy countermeasures against cybersecurity events. Operators should define the appropriate activities to identify the occurrence of a cybersecurity event.
- Response and recovery – Operators need to contain and reduce the impact of a cybersecurity incident. Operators should maintain plans for responding to cybersecurity events as well as for resilience and recovery of any services that get impaired during a cybersecurity incident.
- Testing – The elements of the Operators’ cyber resilience framework should be rigorously tested to determine their overall effectiveness. Operators should adopt sound testing mechanisms to identify gaps against stated resilience objectives and to provide credible and meaningful inputs to authorised entities’ management of cyber risks.
- Situational awareness – Keen situational awareness can significantly enhance an authorised entity’s ability to understand and pre-empt cyber events, and to effectively detect, respond to and recover from cyber-attacks that are not prevented. Operators should proactively monitor the cyber threat landscape and participate in information-sharing initiatives to further enhance authorised entities’ approach to cyber resilience.
- Learning and evolving – As cyber threats quickly evolve, Operators need to have an adaptive cyber resilience framework. Operators should instil a culture of cyber risk awareness and perform ongoing re-evaluation and improvement activities of the cyber resilience posture at every level within the organisation.
These domains are detailed (specifically, as regards the measures to be adopted) under the Guideline, and the AMCM expects the Operators to take such actions as soon as practicable. Operators should develop and implement effective cybersecurity management consistent with the Guideline. However, while the Guideline does dictate the means or specific technologies to implement the relevant controls, the AMCM expects Operators to do so according to the cyber risk profile of each Operator. The following areas should be considered when evaluating that risk profile: (i) Technologies and Connection Types; (ii) Delivery Channels; (iii) Online/Mobile Products and Technology Services; (iv) Organisational Characteristics; and (v) External Threats.
In the case of authorised Operators that are branches of overseas insurance entities supported by their head/regional offices for cybersecurity management, those Operators are expected to demonstrate that their approach is capable of fulfilling the requirements of the Guideline.
While no time frame has been established for adopting the requirements set out in the Guideline, the AMCM expects Operators to comply with them as soon as possible.
In light of the above, legal counsel should be obtained to fully understand the requirements the Guideline imposes on Operators and to comply with them in line with AMCM expectations.