
The new Guideline on Cybersecurity for the Insurance Sector

February 20, 2020

by António Isóo de Azeredo and José Rodrigues

The Macau Monetary Authority (AMCM) recently issued a new Guideline on Cybersecurity for the insurance sector.

This Guideline is relevant to the majority of Operators in the insurance business, specifically authorised insurers, reinsurers, pension fund management companies, insurance brokers and corporate intermediaries. Its primary purpose is to address the increasing threat of cyber-attacks and to strengthen defences against them. To that end, the Guideline provides the Macau insurance sector with a set of cybersecurity controls and measures for cyber risk management, which Operators must adopt and regularly assess.

It should be noted that the Guideline focuses on eight main domains in which Operators should adopt measures. In general terms, they can be summarised as follows:

  • Governance – Consistent with the effective management of other forms of risk faced by Operators, sound governance is the key to proper cyber risk management. Operators should establish, implement and enhance their approach to managing cyber threats. A clear and comprehensive cyber resilience framework should therefore be developed, guided by a cyber resilience strategy that defines the cyber resilience objective and sets out the people, process and technology requirements needed to achieve it. It is also important that clear roles and responsibilities are established for the board and senior management, where these exist, together with a culture that recognises the importance of cybersecurity.
  • Identification – Without a proper understanding of their own ecosystem, Operators risk having inadequate coverage when implementing cybersecurity controls. Operators should develop organisational knowledge to identify and classify business processes, systems, people, assets, data and external dependencies. Understanding the business context, the resources that support critical functions and the related cyber risks enables Operators to focus and prioritise their efforts and to align them with their risk management strategy.
  • Protection – Without adequate security controls on systems and processes, the confidentiality, integrity and availability of data and policies could be compromised. Operators should implement appropriate safeguards to ensure the delivery of critical services and to contain the impact of a potential cybersecurity event.
  • Detection – Timely detection gives Operators the lead time needed to deploy countermeasures against cybersecurity events. Operators should define appropriate activities to identify the occurrence of a cybersecurity event.
  • Response and recovery – Operators need to contain and reduce the impact of a cybersecurity incident. Operators should maintain plans for responding to cybersecurity events, as well as for the resilience and recovery of any services impaired during a cybersecurity incident.
  • Testing – The elements of an Operator’s cyber resilience framework should be rigorously tested to determine their overall effectiveness. Operators should adopt sound testing mechanisms to identify gaps against the stated resilience objectives and to provide credible and meaningful input to the management of cyber risk.
  • Situational awareness – Keen situational awareness can significantly enhance an Operator’s ability to understand and pre-empt cyber events, and to effectively detect, respond to and recover from cyber-attacks that are not prevented. Operators should proactively monitor the cyber threat landscape and participate in information-sharing initiatives to further strengthen their approach to cyber resilience.
  • Learning and evolving – As cyber threats evolve quickly, Operators need an adaptive cyber resilience framework. Operators should instil a culture of cyber risk awareness and carry out ongoing re-evaluation and improvement of their cyber resilience posture at every level of the organisation.


These domains are detailed under the Guideline (specifically as regards the measures to be adopted), and the AMCM expects Operators to take such actions as soon as practicable. Operators should develop and implement effective cybersecurity management consistent with the Guideline. However, the Guideline does not dictate the means or specific technologies to be used to implement the relevant controls; the AMCM expects each Operator to do so according to its own cyber risk profile. The following areas should be considered when evaluating that risk profile: (i) technologies and connection types; (ii) delivery channels; (iii) online/mobile products and technology services; (iv) organisational characteristics; and (v) external threats.

Authorised Operators that are branches of overseas insurance entities and rely on their head or regional offices for cybersecurity management are expected to demonstrate that this approach is capable of fulfilling the requirements of the Guideline.

While no time frame has been established for adopting the requirements set out in the Guideline, the AMCM expects Operators to comply with them as soon as possible.

In light of the above, legal counsel should be obtained to fully understand the requirements the Guideline imposes on Operators and to comply with them in line with the AMCM’s expectations.


António Isóo de Azeredo

Associate Lawyer

isooazeredo@ccadvog.com

José J. Rodrigues

Trainee Lawyer

joserodrigues@ccadvog.com
