Insurance regulators propose to harmonize cyber incident reporting

Position paper offers multiple recommendations to make it easier for insurers to report cyber security incidents.

By David Gambrill | May 22, 2025 | Last updated on May 22, 2025

When there’s ‘something strange’ going on in an insurer’s cyber operations, as the song goes, “who you gonna call?”

Well, that depends on the region, how a cyber ‘incident’ is defined, when it happened, how serious it is, and with whom the information is shared.

Welcome to Canada, where each province has its own cyber incident reporting framework. As governments explore various ways to break down inter-provincial regulatory barriers, Canada’s insurance regulators have published a position paper on harmonizing cyber incident reporting regimes across the country.

A survey of provincial insurance regulators across Canada in June 2023 “showed that fragmentation exists across jurisdictions with respect to the scope of what should be reported for a [cyber] incident; methodologies to measure severity and impact of an incident; timeframes for reporting incidents; and how incident information is used,” the position paper states.

“Some [insurance regulators] perceived their incident reporting regime not to be robust enough or moderately effective, while others see no need to change their approach. [Regulators] also believed that regulatory cooperation in incident reporting can be improved or are open to exploring ways to harmonize with other regulators to make the reporting process simpler for insurers.”

Such fragmentation imposes a significant operational burden on insurers, which are legally obligated to report cyber incidents that could disrupt operations. The Canadian Council of Insurance Regulators (CCIR) approached the Insurance Bureau of Canada (IBC) to ask about its members’ experience with the current regime for reporting cyber incidents.
“IBC members expressed concerns with the operational burden when dealing with multiple regulators each with different standards, information requirements, modes of notification and different reporting portals,” the CCIR’s position paper reports.

And so, CCIR is proposing several recommendations to harmonize reporting requirements across the country. One is for regulators to use a common definition of ‘incident’ in their cyber reporting frameworks.

“A clear definition for the word ‘incident’ is needed that avoids the reporting of incidents that are not relevant for an insurer or an insurance regulator,” the position paper states.

“For the specific case of the word ‘incident,’ often also called cyber-incident, IT incident, operational incident or information security incident, the definitions used range from high-level definitions, such as ‘an actual or potential compromise of information security,’ or ‘any type of disruption of the provision of services under licensing obligations,’ to more complex and detailed definitions….

“As well, terminology such as operational incidents or cyber incidents is often used interchangeably with a ‘cyber event,’ which is generally associated with ‘any observable occurrence in an information system.’ This may lead to excessive notification and reporting of incidents that can usually be managed by financial institutions without the need to report them.”

In several jurisdictions, insurers have thresholds beyond which they must report a cyber event. Those thresholds can vary across regions.
“The thresholds for reporting incidents vary across jurisdictions and sectors often due to a lack of established methodology to measure impact and severity [of a cyber incident] and can be very low,” CCIR notes. “Recognizing that incidents impact insurers of different size and complexity differently, some [regulatory] authorities expect supervised institutions [such as insurers] to define their own materiality thresholds, furthering differences in the materiality threshold across institutions.”

Once a cyber incident occurs, an insurer must figure out whether it would make a material difference to its operations. The question then becomes when to report it.

CCIR wants reporting of cyber incidents to be timely. But it recognizes early reporting can sometimes get in the way of the insurer trying to manage the incident. It can also lead to incomplete information, since more is often known as the cyber incident unfolds.

And so, CCIR is recommending regulators “implement incremental reporting requirements in a phased manner, balancing the authority’s need for timely reporting with the affected institution’s primary objective of bringing the incident under control.

“Phased reporting is one way to balance the operational burden on insurers who may not have complete information about an incident at the outset, while ensuring authorities are informed and prepared to respond as early as practicable.”

For CCIR, the ultimate objective of harmonized cyber incident reporting rules is to foster a culture of timely reporting.

“Late reporting of incidents could delay or impede the assessment and responses by authorities and have impacts when there are sector-wide implications,” CCIR’s position paper states. “An incident could escalate into a crisis and require the issuance of media statements to the public to maintain confidence.
“Effective communication can only be achieved when the authority has timely and sufficient information relating to the incident.”

David Gambrill has twice served as Canadian Underwriter’s senior editor, both from 2005 to 2012, and again from 2017 to the present.