Insurance: which cyber laws and regulations must they comply with?

Insurance companies are affected by cyber risks in two ways. Firstly, as companies that are potential victims of attacks. Because of their business sector, they may also be required to ensure entities against cyber risk.   

A double standard that reinforces the criticality of cyber-attacks. These could lead to severe and persistent damage to policyholders, or even, in the worst case, to a paralysis of the insurance sector as a whole.

Insurers collect, store and manage large volumes of data, some of which are very private and therefore sensitive1. Consequently, they are prime targets for cybercriminals seeking information that can then be used for illegitimate purposes (espionage, harassment, corruption, etc.).  

The average annual cost of cyber-attacks2 in the insurance sector was $15.76 million in 2018 compared to $12.93 million in 2017. This increase goes hand in hand with a growing risk: in July 2020, cyber risk was ranked as the second most important risk for the insurance industry3 in Europe.

In recent years, the insurance industry has experienced high-profile data breaches, particularly in the United States. One of them, which took place in 2015, has remained infamous because of the number of policyholders affected. Nearly 91 million 4 Anthem, Blue Cross Blue Shield customers, and Premera Blue had their data leaked. For Premera Blue alone, the list of stolen personal data reached 11 million. Among this data: clients‘ names, addresses, credit card data, social security numbers, dates of birth, as well as files describing injuries and incidents, the name of their employer(s), and so on.  

In Europe, according to the European Insurance and Occupational Pensions Authority5, the most common vectors of attack against insurers are :  

• phishing e-mails,  

• malicious software (ransomware),  

• data exfiltration and DDoS attacks.  

The impacts of these incidents are most often breaches of asset availability and confidentiality.

Insurance fundamentals do not specifically address cyber risk. They only provide a general basis for regulators to address it. Until recently, the treatment of cyber-risk depended solely on insurers’ goodwill, and the authorities had no power to impose constraints.  

It is quite the opposite in the banking sector, where Regulation 97-02 of the Banking and Financial Regulations Committee, dated February 1997, gave the supervisory authorities a legal basis very early on to ensure the existence within institutions of a system for controlling information systems. The situation has now changed; European regulations and directives dealing with cybersecurity now govern the insurance sector.

Solvency II 

The new legal framework of Solvency II invites insurance organizations to measure more precisely all of their risks. As a reminder, Solvency II is “a set of rules setting out the solvency regime applicable to insurance undertakings in the European Union” (source: Banque de France).  

As is the case in the banking sector, operational risks related to information systems must now be better assessed and more closely managed: organizations must have a risk management system that preserves, in particular, the security, integrity, and confidentiality of information. 

Section 258 of Regulation 2015/356 sets out requirements in terms of IS objectives and security. It forbids insurance undertakings to equip themselves with systems that produce complete, reliable, clear, consistent, relevant, and up-to-date information on the undertaking’s activities, the commitments it assumes, and the risks to which it is exposed. 

The NIS Directive and the GPDR 

In addition to these sector-specific texts, other legal readers that are not specific to Insurance concern the sector. This is the NIS Directive (Network and Information System Security), case adopted on July 6, 2016. This directive, which is implemented in each European Union country, guarantees a common security level for all member countries. 

This is also the case of the General Data Protection Regulation (GDPR). The GDPR regulates the processing of personal data within the territory of the European Union. As insurance companies process sensitive information, particular vigilance is required. To face the risks of loss of integrity or data leakage, the various players in the sector must implement security measures such as, for example, encryption of data when it is sent, in transit, or at rest. 

Because of the negative impact that a service disruption could have on insurers, they must also meet obligations concerning information systems and networks’ security. To the NIS Directive, these obligations relate to four areas: security governance, protection and defense of networks and IS, and business resilience. We find specific rules such as risk analysis, authentication, partitioning, access rights, remote access, and security audits in each area.

Insurance companies handle very sensitive data. One of the first things to do before any compliance work is done would be to conduct a personal data impact assessment. A practice that is not widespread enough. 

An analysis by Ibrahima Sene, Cybersecurity Consultant at Orange Cyberdefense France.

For regulatory compliance support, do not hesitate to contact us.