Mutual insurance, banking, and insurance: how IT compliance has become a systemic issue


Mutuelle du Mans Assurance (MMA) in July 2020, Mutuelle Nationale des Hôpitaux in February 2021, Axa in May 2021, AssurOne in July 2021, April, Verlingue, Génération and Coverlife in November 2021, Caisse Centrale de Réassurance in July 2022, Emoa Mutuelle du Var in August 2022... The list of cyberattacks against insurers and mutual insurance companies continues to grow.

With the daily management of our personal and medical data, IT security is more than ever a major issue in the functioning of these industries. But what level of IT compliance must these sectors adhere to? And what are the challenges? Our IT compliance expert breaks it down.

March 14, 2023

Mutual insurance, banking, insurance: a highly regulated industry

Before delving into IT compliance and understanding the issues involved, it is useful to take stock of the standards and regulations that govern the finance, insurance, and mutual insurance sectors.

The origins of prudential rules and the Basel Accords

Following the financial crises of the 20th century, numerous constraints and rules were put in place and then progressively reinforced. This mix of legal measures and ethical rules aims to protect citizens against the excessive risks that financial institutions could otherwise take with the money entrusted to them.

In 1974, following the bankruptcy of the German bank Herstatt, the central banks and banking supervisors of the G10 met to introduce the concept of banking supervision and prudential rules. In 1988, the first Basel Accord was published as a result of this committee's work. It was a founding act in banking regulation to ensure the overall security of financial markets.

Subsequently, scandals resulting from poor stock market investments and a lack of internal controls, as well as the 2008 financial crisis, led to two major revisions (Basel II and Basel III). The Basel Accords set the standards for the financial soundness of banks; the insurance and mutual insurance sectors are governed by the parallel Solvency framework described below.

Solvency I and II, European regulations governing the insurance and mutual insurance industry

To align with banking regulations, the first Solvency framework (Solvency I) was adopted in 2002 by the European Parliament and the Council of the EU. This regulatory reform specific to the insurance sector addresses the ability of organizations to meet their commitments to their policyholders and members. The following are subject to this directive:

  • insurance companies governed by the Insurance Code;
  • mutual insurance companies governed by the Mutual Insurance Code;
  • pension institutions governed by the Social Security Code.

Following the 2008 crisis and in line with the Basel II Accords, Solvency II was adopted with the aim of strengthening European rules based on three pillars:

  1. strengthen the protection of policyholders;
  2. encourage companies to improve their risk management;
  3. ensure harmonized and transparent application of regulations within the European Union.

The objective is clear: to ensure that organizations can meet their obligations, whatever the situation. Solvency II, which came into force on 1 January 2016, therefore strengthens controls and the obligation to demonstrate solvency. In practice, internal teams must continuously monitor the sound management of their company and quantify and control its risks.

IT compliance: the cornerstone of IT stability

Within a mutual insurance company, an insurance company, or a banking institution, business compliance is of paramount importance.

Baptiste David, PreSales and Delivery Manager at Tenacy, sums it up: "To put it simply, all sectors that have the capacity to manage money are regulated by the Basel Accords. So historically, this sector has realized that ensuring the stability of organizations such as mutual insurance companies, insurance companies, and banks also requires the stability of their information systems."

The information system must therefore meet requirements, standards, laws, internal policies, or any other reference document. This is what we call IT compliance. Already subject to significant business constraints, mutual insurance companies, insurance companies, and banks have set up compliance teams. These teams manage business rules and standards as well as IT and cybersecurity compliance.

IT compliance for risk and data management

Like any other business, institutions and organizations in the banking, mutual insurance, and insurance sectors seek to certify their information systems. The ISO 27001 standard, in particular, addresses security from a risk management perspective and as part of a continuous improvement process. Compliance with this standard requires the implementation of an information security management system (ISMS) so that customer data is collected, processed, and stored securely.

Similarly, like any company operating in Europe, the organization must comply with the requirements of the General Data Protection Regulation (GDPR). These are standards and regulations that apply to all organizations. They serve as a basis for IT compliance but are far from sufficient for the mutual insurance, insurance, and banking sectors.

IT compliance related to OSE and OIV status

Mutual insurance companies may be designated as operators of essential services (OSE, opérateurs de services essentiels) in the health sector or as operators of vital importance (OIV, opérateurs d'importance vitale). The organizations concerned must then comply with the Network and Information Security (NIS) Directive, the 2016 European directive on cybersecurity revised in 2022 as NIS 2, and with the cybersecurity obligations of the French Military Programming Law (LPM, loi de programmation militaire), most recently the law covering the 2019-2025 period.

Their objective is to strengthen the cybersecurity capabilities of essential businesses whose disruption would have serious consequences for the functioning of society and the state.

As Baptiste David points out, "the military programming law and the NIS 1 and NIS 2 directives both aim to ensure the security of the nation. A country like France needs its banking system, insurance companies, and mutual insurance companies to function properly. As a result, the government and Europe have imposed security standards on these essential companies, which are indispensable to the stability of a country."

Compliance in the banking, mutual insurance, and insurance sectors: specific features

IT compliance in the healthcare sector

Mutual insurance companies and health insurers that store personal health data must be HDS certified, i.e., certified as a Health Data Host (Hébergeur de Données de Santé). The certification framework is defined by the ANS (Agence du Numérique en Santé) and audits are carried out by accredited certification bodies; the certificate demonstrates the organization's commitment to protecting personal health data.

Baptiste David explains: "It is a French standard with an international scope for companies that want to store French citizens' health data. For example, Microsoft is HDS-certified and can therefore host personal health data. And what makes HDS unique is that to be certified, you must also be ISO 27001-certified."

IT compliance in the financial sector

An organization that stores, processes, or transmits payment cardholder data must comply with the international Payment Card Industry Data Security Standard (PCI DSS). This is a set of technical and organizational requirements designed to protect cardholder data and reduce payment card fraud.

Adopted at the end of November 2022 by the Council of the EU, the Digital Operational Resilience Act (DORA) is the latest regulation on the operational resilience of information systems in the financial sector. This legislation is intended to enable banks and other companies providing financial services to be "resilient in the event of a serious operational disruption," according to the Council's press release. As an EU regulation it applies directly, without transposition into national law: it entered into force in January 2023 and its requirements apply from 17 January 2025.

In conclusion

The mutual insurance, insurance, and banking sectors are subject to numerous rules, standards, laws, legal obligations, and security policies. Awareness of cyber risk is higher in this sector than elsewhere. Business compliance management has embedded this culture of risk management for decades.

At the same time, the compliance requirements mentioned above apply to information systems that are, by definition, constantly changing. The digitization of practices (online applications, paperless reimbursements, digital insurance cards, medical consultations via videoconference or chat, etc.) is multiplying the number of projects, and the challenge for the CISO is to keep pace with compliance as the information system evolves day by day.

Baptiste David concludes by emphasizing the need for a comprehensive view of the projects to be secured and the concept of security by design: "Every day, Digital Factories and development teams create new elements. For security teams, security in projects means taking on all projects within the company, from changing the color of a wall, which has little impact, to creating a new mobile application. It also means specifying the compliance elements to be applied by the design teams."

But to do so, the CISO must have a shared view of the organization's projects... And that is undoubtedly where the real challenge lies!
