News

Analysis of the results of the self-assessment of insurers’ information systems risk management and cyber security published by the Autorité de Contrôle Prudentiel et de Résolution (ACPR).

ACPR’s interest in IT and cyber risks

Since 2015, insurance organizations have been responding to surveys conducted by the ACPR on the subject of IT security and cyber risks. The Supervisor has just published the results of this survey conducted in 2022, which follows the declarations of 239 insurance organizations and representing 88% of the premium income generated in 2021 by insurance and reinsurance companies licensed in France (1).

The shortcomings detected following the insurers’ declarations were also observed by the ACPR during inspections carried out. The results of this survey therefore provide a clear picture of the level of compliance by insurance companies in this area.

This approach complements the supervisory priorities defined each year by the ACPR, including for 2023, the monitoring of IT and cyber risks, as well as information systems strategy (2). In previous years, IT security was already one of the ACPR’s priorities.

A major compliance challenge for insurers

Insurers’ awareness of the need to control information systems security (ISS) and cyber risks is unquestionable, as demonstrated by the results published by the ACPR. This is a major compliance issue for insurance companies.

Logically, the survey shows that management functions seem to be involved in defining and steering ISS strategy. As a result, ISS governance is well established in terms of organization and formalization.

Thus, 95% of entities have a CISO, and plan to increase their number of IS specialists by 59%. However, it should be noted that 10% of small organizations still do not have a CISO.

The survey also revealed that the CISO function is not always independent of management and operational staff.
The SSI policy (PSSI), which represents the organization’s management commitment to SSI, is present in 95% of systems, but is not always translated internally into operational procedures on SSI issues. The advantage of setting up operational procedures lies in the formalization of the internal application of the major security principles defined by management, and the appropriation of these subjects by operational staff.

Internal control shortcomings

The results of the self-assessment show that, although organizations have identified and indicated ISS-related risks in their operational risk mapping, they are not yet automatically associated with operational controls (level 1 controls), particularly in small and medium-sized organizations. Thus, 19% of small and 15% of medium-sized organizations declare that they have not defined any operational SSI controls.

However, when 1st level controls are defined, they are almost systematically implemented.

On the other hand, 2nd level permanent controls do not seem sufficiently relevant, as they do not regularly review the design and effectiveness of 1st level controls, in almost a quarter of cases.

In terms of the frequency of IS security audits, only 28% of organizations carry out audits less than once every 2 years, and 72% every 2 years, regardless of the size of the insurance organization. This result has not changed since 2019, even though the environment has changed due to the increased risk of cyber attacks, the use of telecommuting, outsourcing and the cloud, etc….

Implementing SSI risk control measures

Risk control measures have several facets: risk analysis for all new projects, awareness-raising among stakeholders, insurance coverage for cyber risk, and operational measures such as management of access and clearance profiles, testing, vulnerability and incident management.

The survey reveals that, when IT projects are set up, analysis of the risk of non-security is well developed, but is not systematic in 19% of organizations, including large-scale entities.
Awareness-raising operations are generally well carried out internally, via :

• The introduction of an IS user charter (in 95% of cases), or a cyber-risk liability clause in employment contracts;
• A compulsory awareness-raising session on SSI risk during the induction course for new employees (in 93% of cases, compared with 68% in 2019);
• Awareness campaigns, notably via phishing tests.

However, these awareness-raising operations are not yet being implemented with providers and policyholders.

In addition, 85% of organizations said they had taken out insurance to cover cyber-related losses.

With regard to operational IS risk management measures, organizations have made clear progress in operational security management since 2019 via the regular updating of IS asset inventories (89% in 2022 versus 80% in 2019). This knowledge of IT assets is an essential prerequisite for patch management.

In terms of vulnerability management, systems for identifying and proactively analyzing cyber threats (“threat intelligence”) need to be generalized, as the ACPR has noted that a quarter of organizations do not yet carry out “threat intelligence” type analyses.

With regard to the management of access rights, the survey shows that, while the annual review of authorizations is a practice that seems to have made significant progress, it is not always carried out with the necessary rigor, and does not always cover all perimeters. As a result, 27% of small organizations still do not carry out an annual review of authorizations, and 22% have difficulty in ensuring that access is restricted to what is strictly necessary for the user.

According to our findings, this shortcoming seems to be linked to the need for multi-skilling staff in small organizations, and/or to their lack of human and financial resources in terms of IT/IS profile and internal control.

The ACPR also notes that shadow IT (3) management is highly inadequate, since this risk is not taken into account by almost two-thirds of insurers.

The existence of a security incident management system is widespread, with major security incidents included in the operational incident register in 85% of cases. This means that they are taken into account in their own right in operational risk management, providing an essential source of information for preparing the crisis management framework for major security incidents.

When it comes to security testing, although almost all organizations report that they regularly carry out intrusion tests, the survey shows that these tests are not always relevant, as they are not carried out in line with the SSI risk assessment.

Business continuity approach adopted by all insurance organizations

Most organizations have carried out an inventory of business processes deemed critical in 97% of cases, performed business impact analyses (BIA) in 77%, and set up a business continuity plan (BCP).

The ACPR thus considers that the business continuity approach adopted by the organizations concerned is incomplete and therefore ineffective.

Progress to be made in the area of outsourcing

The ACPR is taking advantage of the publication of the results of this survey to reiterate that insurers remain responsible for carrying out and managing activities outsourced to external service providers, in line with its press release published during the summer of 2021 on this topic (4).
As a result, the insurer must retain control over the outsourced activity, which means contracting with the service provider on the following points:

• Data localization, now carried out by 94% of insurers;
• The obligation to carry out BCP audits and tests with service providers;
• The ability of service providers to carry out security audits. On this point, almost a quarter of smaller organizations do not plan to do so.

In addition, the survey reveals that, while insurers do carry out an inventory of service providers, their knowledge of them remains inadequate, due to gaps in information gathering.

The ACPR notes that insurers have not put in place the appropriate resources, and points to the shortcomings of many organizations in the management of critical service providers, since the supervisor considers that, in the light of the survey results, their systems are insufficiently formalized, particularly with regard to security requirements and indicators. For example, almost a third of organizations do not analyze reversibility, even though this is an essential prerogative when it comes to controlling outsourcing risks.

Finally, the outsourcing of cloud services is not fully integrated into internal processes. According to the results of this study, 9% of insurers have not included this type of service in their incident management system, and 12% have not integrated the risk associated with cloud solutions into their risk management system.

Good, but room for improvement

In conclusion, while the insurance industry has set up an IS system, analysis of the ACPR survey reveals that the level of maturity of this system remains insufficient. Progress needs to be made, particularly in the areas of internal control, analysis and control of risks associated with outsourcing activities, and business continuity, in order to manage risks effectively and prepare for the implementation in 2025 of the Digital Operational Resilience Act (DORA) regulation (5) on the digital operational resilience of financial institutions and their information and communication technology (ICT) providers.