• Role of the Board and Senior Management

        • RM-9.1.1

          The Board of insurance licensees must ensure that the licensee has a robust cyber security risk management framework to comprehensively manage the licensee’s cyber security risk and vulnerabilities. The Board must establish clear ownership, decision-making and management accountability for risks associated with cyber-attacks and related risk management and recovery processes.

          Amended: January 2022
          Added: October 2019

        • RM-9.1.2

          Licensees must ensure that the cyber security risk management framework encompasses, at a minimum, the following components:

          a) Cyber security strategy;
          b) Cyber security policy; and
          c) Cyber security risk management approach, tools and methodology, and an organisation-wide security awareness programme.

          Amended: January 2022
          Added: October 2019

        • RM-9.1.3

          The cyber security risk management framework must be developed in accordance with the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which is summarised in Appendix A – Cyber security Control Guidelines. At a broader level, the cyber security framework should be consistent with the licensee’s risk management framework.

          Amended: January 2022
          Added: October 2019

        • RM-9.1.4

          Senior management and, where appropriate, the Board should receive comprehensive reports covering cyber security issues such as the following:

          a. Key Risk Indicators / Key Performance Indicators;
          b. Status reports on overall cyber security control maturity levels;
          c. Status of staff information security awareness;
          d. Updates on the latest internal or relevant external cyber security incidents; and
          e. Results from penetration testing exercises.

          Amended: January 2022
          Added: October 2019

        • RM-9.1.5

          The Board must ensure that the cyber security risk management framework is evaluated for scope of coverage, adequacy and effectiveness every three years or when there are significant changes to the risk environment, taking into account emerging cyber threats and cyber security controls.

          Amended: January 2022
          Added: October 2019

        • RM-9.1.6

          Insurance firms must establish a cyber security risk function, independent of the information technology (IT) department, which must report to an independent risk management function or an equivalent function within the licensee. The cyber security risk management function must monitor and report on the status and maturity of relevant cyber security controls. Other insurance licensees may assign the responsibilities to a qualified Chief Information Security Officer (CISO) reporting to an independent risk management function or incorporate the responsibilities of cyber security risk into the risk management function. Overseas insurance licensees must be governed under a framework of cyber security risk management policies which ensure that an adequate level of oversight is exercised by the regional office or head office.

          Amended: January 2022
          Added: October 2019

        • RM-9.1.7

          Licensees should ensure that appropriate resources are allocated to the cyber security risk management function for implementing the cyber security framework.

          Amended: January 2022
          Added: October 2019

        • RM-9.1.8

          Licensees must ensure that the cyber security risk management function is headed by a suitably qualified Chief Information Security Officer (CISO), with appropriate authority to implement the cyber security strategy.

          Amended: January 2022
          Added: October 2019

        • RM-9.1.9

          Licensees may establish a cyber security committee that is headed by an independent senior manager from a control function (such as the CFO or CRO), with appropriate authority to approve the policies and frameworks needed to implement the cyber security strategy, and that acts as a governance committee for the cyber security function. Membership of this committee should include senior management members from business functions, IT, Risk and Compliance.

          Amended: January 2022
          Added: October 2019

        • RM-9.1.10

          The senior management must be responsible for the following activities:

          (a) Create the overall cyber security risk management framework and adequately oversee its implementation;
          (b) Formulate an organisation-wide cyber security strategy and cyber security policy;
          (c) Implement and consistently maintain an integrated, organisation-wide, cyber security risk management framework, and ensure sufficient resource allocation;
          (d) Monitor the effectiveness of the implementation of cyber security risk management practices and coordinate cyber security activities with internal and external risk management entities;
          (e) Ensure that internal management reporting caters to cyber threats and cyber security risk treatment;
          (f) Prepare quarterly or more frequent reports on all cyber incidents (internal and external) and their implications for the licensee; and
          (g) Ensure that processes for identifying the cyber security risk levels across the licensee are in place and annually evaluated.

          Amended: January 2022
          Added: October 2019

        • RM-9.1.11

          The senior management must ensure that:

          (a) The licensee has identified clear internal ownership and classification for all information assets and data;
          (b) The licensee maintains an inventory of the information assets and data which is reviewed and updated regularly;
          (c) The cyber security staff are adequate to manage the licensee’s cyber security risks and facilitate the performance and continuous improvement of all relevant cyber security controls; and
          (d) It provides, and requires cyber security staff to attend, regular cyber security update and training sessions (for example, towards certifications such as Security+, CEH, CISSP, CISA, CISM or CCSP) to stay abreast of changing cyber security threats and countermeasures.

          Amended: January 2022
          Added: October 2019

        • RM-9.1.12

          With respect to Subparagraph RM-9.1.11(a), data classification entails analysing the data the licensee retains, determining its importance and value, and then assigning it to a category. When classifying data, the policy should determine the following:

          a) Who has access to the data;
          b) How the data is secured;
          c) How long the data is retained (this includes backups);
          d) What method should be used to dispose of the data;
          e) Whether the data needs to be encrypted; and
          f) What use of the data is appropriate.

          The general guideline for data classification is that the classification definitions should be clear enough that it is easy to determine how any given item of data should be classified; in other words, there should be little (if any) overlap between the classification definitions. The owner of the data (i.e. the relevant business function) should be involved in such classification.

          Amended: January 2022
          Added: October 2019