The Canadian Insurance Services Regulatory Organizations (CISRO) announced the publication of a new reference tool for insurance intermediaries, entitled Cybersecurity Readiness.

“Cyber threats present a continuous and growing risk to the insurance sector as the use of technology to conduct business activities and hold client information has now become an integral part of intermediaries' services. This publication highlights the importance for intermediaries to manage cyber risks and foster a culture where everyone understands the importance of their role,” they write, saying each person in an organization should know how to contribute to the organization’s cybersecurity readiness.

“CISRO members encourage intermediaries to review their current cybersecurity practices and implement all measures necessary to achieve cybersecurity readiness.” 

In the document, they go on to say that the use of technology comes with the responsibility to safeguard it from unauthorized access.

“Cybersecurity refers to any practice that safeguards the confidentiality, integrity, and availability of business, employee, and customer data using computer systems. Breakdowns in these safeguards are referred to as incidents,” they write. “Being proactive in implementing appropriate measures is key to preventing cyber incidents that could compromise or lead to the theft of client information.” 

The document advises insurance intermediaries to determine what data may be attractive to cybercriminals, along with what systems may be vulnerable to attack. They also suggest reviewing cybersecurity practices and taking appropriate measures to address or mitigate any identified risks. 

It is also recommended that firms engage the assistance of cybersecurity professionals, while also examining security measures with an eye to compliance with applicable privacy legislation.

Controlling access, ensuring safe disposal of computing devices, electronic records and data, information backups, and testing for vulnerabilities are also discussed. The document also provides language for addressing and educating individuals: “Understanding that you are the first line of defense against cyber incidents, therefore always be alert of your actions and potential causes of a cyber incident,” they write. “Cyber security is everyone’s responsibility. As such, it is important to be aware of any actions that may cause a cyber incident and do not hesitate to report it immediately.”

The report concludes by encouraging intermediaries to invest in intrusion detection, develop written incident response plans, appoint a response team and establish a communication protocol in writing to guide the response team. “Test the cyber incident response plan,” they state. The report also discusses elements to include in such plans.