Insurance Companies Are Now Required to Protect Customer Data from Cyber Attacks

To protect the data of insurance companies and policyholders from cyber attacks, Pakistan's securities regulator has put in place new safeguards and systems for the insurance sector to mitigate losses or damages from a variety of cyber incidents, including data breaches, business interruptions and network damage.

The Securities and Exchange Commission of Pakistan (SECP) issued the directive to all insurance companies and takaful operators on Thursday.

The purpose of the directive is to protect the data of policyholders as well as insurance companies in Pakistan.

The SECP has directed insurance companies that cyber risk insurance should preferably cover, at a minimum, claims arising out of wrongful acts related to privacy and network security.

The insurer's cybersecurity framework shall be able to protect policyholder data in the wake of increased reliance on business process outsourcing (BPO), technology-based agency arrangements and other strategic partnerships for offering technology-based, innovative insurance products and services, said the SECP.

The insurer’s cybersecurity framework should support and promote both its operational security and the protection of policyholder data.

The SECP has further directed that insurers shall protect the integrity of their networks (hardware, firmware and software components), including control of information flow, boundary protection and, where needed, network segregation.

The primary onus for the safety and confidentiality of policyholder data lies with the insurer, irrespective of its business arrangements with its agents, vendors, strategic partners or any other parties. Insurers will adopt and act upon the applicable provisions of the "Prevention of Electronic Crimes Act, 2016" in all their business, agency or service level agreements with such parties, with emphasis on the fair usage of any information those parties gain access to by virtue of the agreement.

Insurers will make utmost efforts to ensure the safety and confidentiality of policyholder data. Where policyholder data is unavoidably shared with or collected by external parties, a privacy and fair-usage clause must form part of the business agreement between the insurer and the counterparty. The clause will state, among other things, that policyholder or beneficiary data will be used only for the provision of insurance services to policyholders and will not be shared with any other party except where applicable regulatory requirements so require.

Insurers, and all persons associated with the business of insurance in any manner, will collect through technology-based platforms only the information necessary to provide insurance services to the policyholder or potential policyholder, and no additional information without the express consent of the policyholder or potential policyholder. Express consent means an affirmative agreement to the collection of data, given with full knowledge of what data will be collected, how often it will be collected, the purpose for which it will be used, and whether it will be passed on to any other party.

Under SRO 31 (I)/2019, the SECP has warned insurance companies that, with increasing reliance on technology for business operations and the expansion of financial technology, the probable impact of cyber risk can now be greater than ever before. Cyber risk means any risk that emanates from the use and transmission of electronic data, including through technology tools such as the internet and telecommunications networks. It also encompasses physical damage that can be caused by cybersecurity incidents, fraud committed through misuse of data, any liability arising from data storage, and risks to the availability, integrity and confidentiality of electronic information, whether it relates to individuals, companies or governments.

The SECP said that cyber risk presents an evolving challenge for the insurance sector and the financial sector as a whole, due to growing interconnectedness. Insurers gather, store and maintain substantial volumes of confidential personal and organisational information. Because of these reservoirs of data, insurers are potential targets for cyber criminals seeking information that can later be used for financial gain through extortion, identity theft or other illegal activities. In addition, because insurers are significant contributors to the national financial sector, interruptions of insurers' systems due to cybersecurity incidents may have far-reaching implications.

The increasing reliance of Pakistan's insurance sector on technology, both in distribution and in offering other innovative products, makes it imperative that adequate measures be taken to make its information technology systems, and those of its intermediaries, secure and resilient.

The SECP has directed that insurers shall implement assessment programmes, at least annually, to help the board and senior management evaluate the adequacy and effectiveness of the insurer's cybersecurity framework and take necessary measures, including, where appropriate, an independent compliance programme and audit carried out by qualified individuals to assess the cybersecurity framework and measure its implementation.

Insurers will appoint a senior executive with adequate qualifications and experience as chief information security officer (CISO), who will be responsible for implementation of the overall cybersecurity framework within the organisation.

Insurers must take the underlying cyber risk into account when the board formulates the insurer's risk management policy, as one of the significant policies required under clause (xi) of the Code of Corporate Governance for Insurers, 2016. The CISO will be consulted for input on cyber risk and on the cybersecurity strategy and framework to be put in place to mitigate that inherent risk.