For example, an insurer will establish real-time or near-real-time continuous monitoring capabilities to detect anomalous activities and events. One practice currently in use to accomplish this is commonly referred to as a Security Operations Centre (SOC). Insurers should consider establishing a SOC or developing a similar capability to provide round-the-clock monitoring, and such capabilities should be adaptively maintained and tested.
The SECP said that the insurers will have formal plans for communicating with policyholders, internal and external stakeholders (such as law enforcement, regulators, and other public authorities, as well as shareholders and third-party service providers as appropriate) likely to sustain harm due to a major cyber security incident. Communication plans in accordance with the governing law should be developed through an adaptive process informed by scenario-based planning and analysis as well as prior experience. Because rapid escalation of cyber security incidents may be necessary, insurers should determine decision-making responsibilities for incident response and recovery in advance, and implement clearly defined escalation and decision-making procedures.
The insurer will engage in the timely sharing of reliable, actionable cyber security information with internal and external stakeholders (including entities and public authorities within and outside the financial sector) on threats, vulnerabilities, incidents, and responses to enhance defences, limit damage, increase situational awareness, and broaden learning. Sharing technical information, such as threat indicators or details on how vulnerabilities were exploited, allows entities to keep their defences up to date and learn about emerging methods used by attackers. Sharing broader insights among entities, between entities and public authorities, and among public authorities deepens collective understanding of how attackers may exploit sector-wide vulnerabilities that could potentially disrupt critical economic functions and endanger financial stability, the SECP maintained.
The SECP further said that insurers will be able to recognise signs of a potential cyber incident or detect that an actual breach has taken place, a capability that is essential to strong cyber security. Early detection gives an insurer useful lead time to mount appropriate countermeasures against a potential breach and allows proactive containment of actual breaches. In the latter case, early containment can effectively mitigate the impact of the attack, for example by preventing an intruder from gaining access to confidential data or exfiltrating such data.
In view of the stealthy and sophisticated nature of cyber security incidents and the multiple entry points through which a compromise can take place, an insurer should maintain effective capabilities to extensively monitor for anomalous activities. An insurer will implement, within relevant legal boundaries, measures to capture and analyse anomalous behaviour by persons with access to the corporate network. Insurers will monitor relevant internal and external activities and events, seeking to detect vulnerabilities through a combination of signature monitoring for known vulnerabilities and behaviour-based detection mechanisms.
Insurers' detection capabilities will also address misuse of access by third-party service providers, policyholders, potential insider threats, and other advanced threat activity. These processes should be informed by and integrated with a strong cyber threat intelligence programme.
As part of the monitoring process, insurers will manage the identities and credentials for physical, logical and remote access to information assets based on principles of least privilege and separation of duties, the SECP added.
The insurers will have the ability to detect an intrusion early, as this capability is critical for swift containment and recovery. Insurers should take a defence-in-depth approach by instituting multi-layered detection controls covering people, processes, and technology with each layer serving as a safety net for preceding layers.
In addition, an effective intrusion detection capability can assist insurers in identifying deficiencies in their protective measures for early remediation. These capabilities would include data loss/leak prevention and detection; the recording and documentation of audit logs; event data aggregation, correlation, analysis and communication; and monitoring of network, personnel and external dependency activity.
The insurer will employ monitoring and detection capabilities to facilitate its incident response process and support information collection for the forensic investigation process.