Mutuelle du Mans Assurance (MMA) in July 2020, Mutuelle Nationale des Hôpitaux in February 2021, Axa in May 2021, AssurOne in July 2021, April, Verlingue, Génération and Coverlife in November 2021, Caisse Centrale de Réassurance in July 2022, Emoa Mutuelle du Var in August 2022... The list of cyber attacks on insurers and mutual insurers continues to grow. With the day-to-day management of our personal and medical data, IT security is more than ever a major issue in the operation of these industries. But just how compliant must these sectors be? And what's at stake? Our IS compliance expert explains.
Mutuals, banking and insurance: a highly regulated industry
Before delving into IT compliance and understanding what's at stake, it's worth taking stock of the standards and regulations that govern the finance, insurance and mutual insurance sectors.
Following the various financial crises of the twentieth century, numerous constraints and rules have been put in place and reinforced over the course of history. The aim of this mix of legal provisions and ethical rules is to protect citizens against excessive risks associated with their investments in fund companies.
In 1974, following the collapse of the German bank Herstatt, the G10 central banks and banking supervisors met to introduce the concept of banking supervision and prudential rules. In 1988, the 1st Basel Accord was published following the work of this committee. This was a founding act in banking regulation to ensure the global security of financial markets.
Subsequently, scandals resulting from bad stock market investments and lack of internal control, as well as the 2008 financial crisis, led to two major revisions. The Basel Accords now ensure the financial soundness of banks, insurance companies and mutual insurers.
To bring the insurance sector into line with banking regulations, the Solvency 1 (or Solvency) Directive was adopted in 2009 by the European Parliament and the EU Council. This is a prudential regulatory reform specific to the insurance sector, dealing with the ability of insurers to meet their commitments to their policyholders. The following are subject to this new directive:
- Insurance companies governed by the French Insurance Code,
- Mutual societies governed by the French Mutual Code,
- Provident institutions governed by the French Social Security Code.
In the wake of the 2008 crisis and following the example of the Basel 2 agreements, Solvency 2 was adopted, with the aim of reinforcing European rules based on 3 pillars:
- Reinforce policyholder protection,
- Encourage companies to improve their risk management,
- Ensure harmonized and transparent application of regulations across the European Union.
The aim is clear: to ensure that organizations can meet their obligations, whatever the situation. Coming into force in 2016, Solvency 2 therefore strengthens controls and the obligation to justify solvency. This means that in-house teams must constantly monitor the proper management of their business, and calculate and control risks.
IT compliance: the pillar of IS stability
As we have just seen, business compliance is of the utmost importance for mutuals, insurance companies and banks. Baptiste David, Head of PreSales and Delivery at Tenacy, sums up: "To caricature, all sectors that have the capacity to manage money are regulated by the Basel agreements. So, historically, this sector realized that to ensure the stability of organizations such as a mutual, an insurance company or a bank, it also had to ensure the stability of its information system."
The information system must then comply with requirements, standards, laws, internal policies or any other reference document. This is what we call IT compliance. Already highly constrained from a business point of view, mutuals, insurance companies and banks have set up compliance teams. These teams manage business rules and standards, as well as IT and cybersecurity compliance.
Like all companies, the establishments and organizations in this sector are committed to the information systems certification process. The ISO 27001 standard addresses security through risk management as part of a continuous improvement process. Compliance with this standard requires the implementation of an information security management system (ISMS) for the secure collection, processing and storage of customer data.
Similarly, like any company operating in Europe, the organization must comply with the obligations of the General Data Protection Regulation (GDPR). These are standards and regulations common to all organizations. They serve as a basis for IT compliance, but are far from sufficient for the mutual, insurance and banking sectors.
IT compliance related to OSE and OIV status
Mutual societies can be designated as operators of essential services (OSE) in the health sector and as operators of vital importance (OIV). This means that the organizations concerned must comply with the Network and Information Security (NIS) directive, the 2016 European directive on cybersecurity, which will be revised in 2022, and with the Military Programming Law (LPM), the French legislative text passed for the 2019-2025 programme.
Their aim is to strengthen the cybersecurity capabilities of essential companies, whose disruption would have serious consequences for the functioning of society and the State, as Baptiste David reminds us: "The military programming law and the NIS1 and NIS2 directives both aim to ensure the nation's security. A country like France needs its banking, insurance and mutual insurance systems to function properly. For this reason, the State and Europe have imposed security standards on these essential businesses, which are vital to a country's stability."
Mutual insurance companies and health insurers that host personal health data must hold HDS certification, which stands for Health Data Hosting. Issued by the ANS (Agence du Numérique en Santé), this certification demonstrates the organization's commitment to protecting personal health data. Baptiste David adds: "It's a French policy with an international vocation for companies wishing to store French people's health data. For example, Microsoft is HDS certified and can therefore host personal health data. And the special feature of HDS is that to be certified, you also have to be ISO 27001 certified."
IT compliance in the finance sector
An organization that processes payment cardholder data must comply with the international data security standard PCI DSS (Payment Card Industry Data Security Standard). This is a series of measures designed to reduce fraud and theft on the Internet.
Adopted by the European Council at the end of November 2022, the Digital Operational Resilience Act (DORA) is the brand-new regulation on the operational resilience of information systems in the financial sector. This legislative text should enable banks and other companies providing financial services to be "resilient in the event of serious operational disruption", says the EU Council press release. It's a major European regulation that will be rolled out in French law in early 2023. It applies equally to mutuals, accountants and brokers.
As we have seen throughout this article, the mutual, insurance and banking sectors are subject to numerous rules, standards, laws, legal obligations and security policies. Awareness of cyber risk is higher in this sector than elsewhere. Business compliance management has anchored this culture of risk management for decades. In addition, these compliance requirements apply to information systems which, by definition, are constantly changing. The digitalization of uses (online applications, dematerialization of reimbursements, digital insurance cards, videoconferencing or chat medical consultations, provision of medical prescriptions, etc.) multiplies the number of projects, and the CISO's challenge is to keep the information system compliant as it evolves day to day. Baptiste David concludes with the need for an exhaustive vision of the projects to be secured, and the concept of security by design: "Every day, digital factories and development teams create new elements. For security teams, security by design means taking on every project that takes place in the company, from changing the color of a wall that doesn't have much impact, to creating a new mobile application. And to specify the compliance elements to be applied by the design teams."
But for this to happen, the CISO must have a shared vision of his organization's projects... And this is undoubtedly where the real challenge lies!