Key Updates on impending HKIA GL20

1. Some proactive insurers have already performed a gap analysis against the draft version of the impending GL20 and have highlighted improvement opportunities against the new control-based requirements. The control requirements of the impending GL20 have been drafted as more descriptive statements, some of which promote the use of more advanced security tooling and the establishment of new control processes.

2. Threat Intelligence Based Attack Simulation (“TIBAS”), required for medium- and high-risk insurers, differs from traditional penetration testing: TIBAS requires end-to-end attack simulation scenarios on top of the penetration testing of a single system or an isolated environment. It requires insurers to tailor scenarios according to threat intelligence analysis and to simulate real-life attacks in the production environment as they would be conducted by competent adversaries. Insurers that do not often perform simulation exercises (such as red/purple teaming exercises) find that their IT and management teams need more time to prepare and get ready for the test.

3. While insurers are empowered to perform their own inherent risk assessment (“IRA”), some insurers have indicated difficulties in collecting the necessary data and justifications, because various stakeholders, including business units, must be involved to address the criteria related to the insurer’s business environment. Insurers may opt to engage an external consultant to perform the IRA in order to obtain an independent judgement and validate the IRA result.

4. Insurers are eager to leverage any completed or planned assessments, audit work and simulation exercises conducted by themselves, by other business units or by the group office to address the impending GL20 requirements. While the HKIA has explained the suggested ways to leverage other assessments in the impending GL20 (such as scoping, assessment period, assessors’ qualifications, etc.), insurers are recommended to further inquire with the HKIA on how to operationalise this in view of different scenarios and use cases.

Key Focus Areas

Cyber Resilience Lesson Learnt from Banking Sector

The banking industry has navigated similar regulatory requirements, providing a learning opportunity from its assessment process. The deep dives across diverse cybersecurity domains have also offered financial institutions the chance to strengthen their cyber defence and resilience in a meaningful way. The points below illustrate how certain defence strategies could be enhanced.

5. IT Asset Inventory: Companies often face challenges in (i) maintaining a complete and up-to-date inventory of their IT assets and (ii) understanding the associated vulnerabilities. Effective IT asset management is crucial for applying security controls to the various assets, such as software, hardware, network devices, cloud servers, containers, etc. Companies are required to understand the detailed processes for each asset type and category, and to evaluate whether their current IT asset inventory process can accommodate the various types of assets. To streamline this process, organisations might consider establishing and using integrated asset tracking tools, which can also help maintain proper oversight of IT assets and their vulnerabilities.

6. Patch Management: Patch management is a key aspect of cybersecurity and risk management, and a complex task for businesses. In an assessment, various processes must be evaluated to determine their effectiveness, for example identifying relevant patches for IT assets, performing risk and impact assessments, testing, and finally installing the patches. These processes can be lengthy and complex. Companies should also assess whether their current patch management processes can handle diverse IT assets (e.g. applications, different types of servers, containers, etc.). Even with robust processes, challenges may remain; for example, unpatched items that exceed the mitigation timeline present significant risk. This emphasises the necessity of continuous, systematic monitoring and oversight to help ensure the security of business operations.

7. Third Party Risk Management: Managing third-party risk is crucial in cybersecurity and poses complex challenges for businesses. To evaluate its effectiveness, businesses must scrutinise numerous processes, including maintaining an up-to-date third-party inventory, identifying and analysing third-party network-connected devices, ensuring ongoing due diligence, implementing continuous monitoring, and executing exit management when necessary. Cloud service providers, for instance, are increasingly important. Organisations should not rely solely on vendors’ assessment reports but should also actively review their service quality and performance. In some instances, businesses may need to review the higher-risk IT controls of these vendors. Companies should also consider the potential impact of a third-party failure and the corresponding remediation actions.


Incident Response – Readiness Maturity

8. To manage cyber incidents properly and further uplift an organisation’s incident response capability, it is important to involve senior management in the decision-making process, and thus in cyber crisis drills. While establishing an internal incident response handling process and incident playbooks is essential, when it comes to a crisis in which communication with external stakeholders is required, insurers have emphasised the need to consult senior management for proper direction on external messaging.

9. Insurers have expressed concern about the readiness of their incident response capability. Before any cyber incident takes place, it is recommended that insurers establish a programme to assess incident response capability from a holistic view. Various incident response initiatives can be studied to enhance this capability, such as conducting cyber crisis exercises and red/blue/purple team exercises, establishing automated processes and tooling for initial response, maintaining playbooks and incident response plans, and engaging cyber response expertise.


Microsoft Security Copilot

10. Equipped with AI capability, Microsoft Security Copilot can integrate with various Microsoft Azure security products (e.g. Microsoft Defender, Purview, Sentinel and Intune) to provide real-time analysis of and response to cyber incidents. With Microsoft Security Copilot, insurers can benefit from a more efficient incident response process, reducing both the time needed to perform investigation and containment and the need to engage an experienced and sophisticated cyber response expert.


Cyber Fortification Initiative 2.0 - Impending Guideline on Cybersecurity (“GL20”)

With the impending Guideline on Cybersecurity (“GL20”), all authorised insurers are required to perform an Inherent Risk Assessment (“IRA”) and a Maturity Assessment (“MA”), and intermediate and advanced insurers are additionally required to perform a Threat Intelligence Based Attack Simulation (“TIBAS”).

Inherent Risk Assessment (“IRA”)

An Inherent Risk Assessment (“IRA”) aims to determine the risk rating of the insurer. 40 indicators are used to comprehensively assess the inherent risk level of authorised insurers. The indicators cover “technologies and connection types”; “delivery channels”; “online/mobile products and technology services”; “organisational characteristics”; and “external threats”.

Maturity Assessment (“MA”)

A Maturity Assessment (“MA”) follows the completion of the IRA. The Maturity Assessment is based on a set of control principles, ranging from 90 to 220 in number, against which authorised insurers are required to assess themselves according to the expected maturity level determined by the IRA.

Threat Intelligence Based Attack Simulation (“TIBAS”)

Threat Intelligence Based Attack Simulation (“TIBAS”) is required for Medium and High inherent risk authorised insurers to simulate real-life attack scenarios conducted by competent adversaries.

Structural Change of GL20 Appendix
