Mutuelle du Mans Assurance (MMA) in July 2020, Mutuelle Nationale des Hôpitaux in February 2021, Axa in May 2021, AssurOne in July 2021, April, Verlingue, Génération and Coverlife in November 2021, Caisse Centrale de Réassurance in July 2022, Emoa Mutuelle du Var in August 2022... The list of cyberattacks on insurers and mutual insurance companies continues to grow.

With the day-to-day management of our personal and medical data, IT security is more than ever a major issue in the operation of these industries. But what level of IT compliance do these industries have to deal with? And what are the stakes? Let's take a closer look at it with our IS compliance expert.

Mutuals, banking and insurance: a highly regulated industry

Before delving into IT compliance and understanding what's at stake, it's worth taking stock of the standards and regulations that govern the finance, insurance and mutual insurance sectors. 

The genesis of prudential rules and the Basel Accords

Following the various financial crises of the twentieth century, many constraints and rules have been put in place and then reinforced over the course of history. This mix of legal provisions and ethical rules aims to ensure the protection of citizens against excessive risks related to their investments in fund companies.

In 1974, following the bankruptcy of the German bank Herstatt, the central banks and banking supervisors of the G10 met to introduce the concept of banking supervision and prudential rules. Thus, in 1988, the first Basel Accord was published following the work of this committee. It is a founding act in banking regulation to ensure the overall security of financial markets. 

Subsequently, the scandals following poor stock market investments and the lack of internal control as well as the financial crisis of 2008 led to two major revisions. The Basel Accords then made it possible to ensure the financial solidity of banks, insurance companies and mutual insurance companies.

Solvency 1 and 2, European regulations for the insurance and mutual sectors

To align with banking regulations, the Solvency 1 Directive (or Solvency) was adopted in 2009 by the European Parliament and the Council of the EU. This prudential regulatory reform specific to the insurance sector deals with the ability of organisations to meet their commitments to their members. The following are then subject to this new directive:

  • insurance companies governed by the Insurance Code;
  • mutual insurance companies governed by the Mutual Insurance Code;
  • provident institutions governed by the Social Security Code.

Following the 2008 crisis and following the example of the Basel 2 accords, Solvency 2 was adopted and aims to strengthen European rules according to 3 pillars:

  1. strengthen the protection of policyholders;
  2. encourage companies to improve their risk management;
  3. ensure a harmonised and transparent application of the regulations in the European Union. 

The goal is clear: to ensure that organizations can meet their obligations, regardless of the situation. Solvency 2, which came into force in 2016, therefore strengthens controls and the obligation to prove solvency. As a result, internal teams must constantly monitor the proper management of their company, calculate and control risks.

IT compliance: the pillar of IS stability

Within a mutual insurance company, an insurance company or a banking institution, business compliance is of paramount importance.

Baptiste David, Head of PreSales and Delivery at Tenacy, sums it up: "To put it simply, all sectors that have the capacity to manage money are regulated by the Basel Accords. So historically, this sector has realized that ensuring the stability of organizations such as a mutual insurance company, an insurance company or a bank also requires the stability of their information systems."

The information system must then meet the requirements, standards, laws, internal policies, or any other reference document. This is what we call IT compliance. Already heavily constrained from a business point of view, mutual insurance companies and banks have set up compliance teams. They manage business rules and standards as well as IT and cybersecurity compliance.

IT Risk & Data Management Compliance

Like any company, institutions and organizations in the banking, mutual insurance and insurance sectors are engaged in a certification process for their information systems. The ISO 27001 standard, in particular, addresses security from the point of view of risk management and as part of a continuous improvement process. Compliance with it involves the implementation of an information security management system (ISMS) in order to collect, process and store customer data securely.

Similarly, like any company operating in Europe, the organization must follow the obligations of the General Data Protection Regulation (GDPR). These are standards and regulations that are common to all organizations. They serve as the basis for IT compliance but are far from sufficient for the mutual, insurance and banking sector.

IT compliance related to OSE and OIV statuses 

Mutual insurance companies can be designated as operators of essential services (OSE) in the health sector and as operators of vital importance (OIV). This means that the organizations concerned must comply with the Network and Information Security (NIS) Directive, a 2016 European directive on cybersecurity, revised in 2022, and the Military Programming Law (LPM), the French legislative text voted for the 2019-2025 program.

Their objective is to strengthen the cybersecurity capabilities of essential businesses, the interruption of which would have serious consequences for the functioning of society and the State.

As Baptiste David reminds us, "The military programming law and the NIS 1 and NIS 2 directives both aim to ensure the security of the nation. A country like France needs its banking system, insurance and mutual insurance companies to function properly. As a result, the state and Europe have imposed security standards on these essential companies, which are essential to the stability of a country."

Compliance in the banking, mutual insurance and insurance sector: specificities

IT Compliance in Healthcare

Mutual insurance companies and health insurers, which host personal health data, must hold HDS (Health Data Hosting) certification. Published by the ANS (Digital Health Agency), this certification demonstrates the organization's commitment to the protection of personal health data.

Baptiste David explains: "It's a French policy with an international vocation, for companies that want to store the health data of French people. For example, Microsoft is HDS certified and can therefore host personal health data. And the particularity of HDS is that to be so, you must also be ISO 27001 certified."

IT Compliance in the Finance Industry

An organization that processes payment cardholder data must comply with the Payment Card Industry Data Security Standard (PCI DSS). This is a series of measures aimed at reducing fraud and theft on the Internet.

Adopted at the end of November 2022 by the European Council, the Digital Operational Resilience Act (DORA) is the brand new regulation on the operational resilience of financial sector information systems. The legislation is intended to enable banks and other companies providing financial services to be "resilient in the event of a serious operational disruption," the EU Council's press release said. This major European regulation will be transposed into French law in early 2023.

In conclusion 

The mutual, insurance and banking sectors are subject to a wide range of rules, standards, laws, legal obligations and security policies. Awareness of cyber risk is higher in this sector than elsewhere. Business compliance management has been the foundation of this risk management culture for decades.

At the same time, the compliance requirements mentioned above apply to information systems that are by definition in perpetual change. The digitization of uses (online application, dematerialization of reimbursements, digital insurance card, medical consultation by videoconference or chat, etc.) multiplies the number of projects, and the challenge for the CISO is to monitor compliance throughout the daily evolutions of the information system.

Baptiste David concludes with the need for an exhaustive vision of the projects to be secured and the concept of security by design: "Every day, the Digital Factories or development teams create new elements. Project security, for security teams, means taking all the projects that happen in the company, from changing the color of the wall, which doesn't have much impact, to creating a new mobile app, and specifying the compliance elements to be applied by the design teams."

But for this to happen, the CISO must have a shared vision of his organization's projects... And that's probably where the real challenge lies!