
Obligations of insurers related to cybersecurity and outsourcing

12 November 2024 Lenee Green, Partner, Gabi Richards-Smith, Partner & Londiwe Mazibuko, Candidate Attorney at Webber Wentzel

The Financial Sector Conduct Authority (FSCA) and Prudential Authority (PA) have announced that Joint Standard 1 of 2024 (Outsourcing by Insurers) and Joint Standard 2 of 2024 (Cybersecurity and Cyber Resilience Requirements), will be effective on 1 December 2024 and 1 June 2025 respectively.


Joint Standard 2 of 2024 seeks to address the sector's concerns about evolving cyber threats and aims to enhance cyber risk management and resilience. The FSCA is urging financial institutions to cater for and mitigate cybersecurity risks and threats in line with the nature, size, complexity and risk profile of the financial institution.

Financial institutions, including banks, insurers and their controlling companies, have just over six months to establish and maintain a cybersecurity framework, policies and procedures that meet industry standards and best practices to adequately address cyber-attacks.

To the extent that insurers intend to outsource cyber-related functions and/or system controls in order to maintain adequate cybersecurity frameworks, Joint Standard 1 of 2024 becomes relevant, and the outsourcing of these activities will most likely be material. Insurers must, as part of their board-approved outsourcing policies, ensure that they comply with the provisions of Joint Standard 1 of 2024 for any material activity outsourced to a third party.

Joint Standard 2 of 2024 contains several key cybersecurity requirements for financial institutions. These include:
• Establishing and maintaining a cybersecurity strategy and framework to address changes in the cyber threat landscape, manage cyber risks, allocate resources, identify and remediate gaps.
• Identifying and classifying business processes and information assets in terms of criticality and sensitivity, which in turn must inform the prioritisation of protective, detective, response and recovery efforts.
• Carrying out security risk assessments on critical operations and information assets to ensure protection against compromise.
• Ensuring that access to information assets and associated facilities is limited to users, processes, and devices authorised by the financial institution.
• Establishing identity management and access control policies and procedures for effective and consistent user administration, accountability and authentication which accounts for remote user access to information assets.
• Developing comprehensive data loss prevention policies and ensuring that information stored in systems and endpoint devices is encrypted or protected by access control mechanisms commensurate with the exposure of risk faced by the financial institution. Restricting the processing, retrieval, communication, transmission and storage of sensitive information to authorised IT systems, endpoint devices and data storage systems.
• Having agreements between the financial institution and third-party service provider which must provide for the secure return, transfer or deletion of data upon termination of services.
• Conducting a comprehensive cybersecurity awareness training programme at least annually by the governing body and users of the financial institution to raise their awareness of risks associated with the use of technology and enhance understanding of cyber risk management practices. The training programme must be regularly reviewed, considering the financial institution's security policies, prevalent and emerging risks, and the evolving threat landscape.
• Notifying the responsible authority upon classification of a cyber incident or information security compromise as a material incident, in accordance with the processes and policies established.
• If insurers intend to outsource, or have already outsourced, activities related to data storage systems, IT-related support systems, cybersecurity frameworks and compliance to third-party service providers, they must review these agreements, including sub-outsourcing arrangements, to ensure compliance with the provisions contained in Joint Standard 1 of 2024. Any outsourcing arrangement entered into prior to the standard's effective date has 24 months to comply.

In the event of outsourcing, insurers must ensure that contractual agreements or Service Level Agreements with third-party service providers explicitly require compliance with stringent cybersecurity and cyber resilience standards.

See our previous update on Joint Standard 1 of 2024 here.
