The Central Bank of Ireland (Central Bank) has recently issued a cyber security thematic review information request (Thematic Review) to several Irish life and non-life insurers under its supervision.
The Thematic Review aims to assess a range of cyber security controls, based on responses to a cyber security questionnaire. The Central Bank will continue conducting these Thematic Reviews into 2024 and intends to expand the original scope to include additional insurers across the sector.
The Thematic Review highlights the importance placed on cyber security, both at a domestic and European supervision level. From a European perspective, the EIOPA Guidelines on Information and Communication Technology Security and Governance have applied since 1 July 2021 and clarify supervisory expectations concerning cyber security, ICT security and governance capabilities. Building on the existing European framework, the Digital Operational Resilience Act (DORA) will take full effect on 17 January 2025. DORA aims to improve operational resilience across EU financial services firms, including (re)insurers, enabling them to withstand ICT-related disruptions and threats, having regard to the increased risk of cyber-attacks.
At a domestic level, the Central Bank’s Cross Industry Guidance on Operational Resilience (Operational Resilience Guidance) takes effect from 1 December 2023 to ensure regulated firms adopt appropriate measures to prepare for, respond to, recover and learn from an operational disruption that affects the delivery of critical or important business services. The Central Bank expects insurers to have in place ICT and cyber resilience strategies which address operational resilience vulnerabilities within their organisations and to be able to demonstrate their actions/plans to apply the Operational Resilience Guidance by 1 December 2023. Given the two-year lead-in period to apply the Operational Resilience Guidance, it seems inevitable that the Central Bank will seek to assess its application by insurers into 2024 and beyond.
As part of its supervisory focus on Operational Resilience, the Central Bank has been increasingly vocal about the emphasis it is placing on cyber security. At the outset of 2023, cyber and IT risks, together with operational risk more broadly, were identified as key priorities for the Central Bank from an insurance supervision perspective. The Central Bank’s Annual Report published in May 2023 again emphasised its supervisory focus on “assessing and managing risks to the financial and operational resilience of firms, including resilience in the event of a cyber-related incident.” In a noteworthy speech in April this year, Mr Domhnall Cullinan, the Central Bank’s Director of Insurance Supervision, highlighted the similarities (and differences) between some key DORA requirements and existing Central Bank guidance, including its 2016 Cross-Industry Guidance paper on IT and Cybersecurity Risks. Going back to 2016, the Central Bank was even then clear in its expectation that Boards and senior management of regulated firms “fully recognise their responsibilities in relation to IT and cybersecurity governance and risk management.”
The latest Thematic Review demonstrates that the Central Bank’s focus on cyber security and related risks is likely to continue unabated in the months ahead. While some of the measures introduced by DORA and the Operational Resilience Guidance, for example, will be reasonably familiar to the Irish insurance sector, many of the obligations require careful thought and planning at Board and senior management level to ensure they are effectively embedded into the risk management and operational resilience frameworks of their respective organisations. The management of cyber security risk will form a critical component of this.
Under the ‘Safeguarding’ theme of the Central Bank’s Strategy 2022-2026, the Central Bank has committed to strengthening its ability to maintain the resilience of the Irish financial system, and ensuring regulated firms’ cyber resilience is seen as critical to the Central Bank achieving this objective. Undoubtedly, Irish insurers can expect to see a continued sharp focus on cyber security from the Central Bank, particularly as the insurance sector’s dependence on technology grows and the associated cyber threats evolve and increase in tandem.
Contributed by Claire O’Connor