A new position paper from the Canadian Council of Insurance Regulators (CCIR) aims to encourage the harmonization of reporting frameworks for information security and cyber incidents across the country. The paper makes 11 recommendations for the council’s members to consider should they implement or update incident reporting regimes in their respective jurisdictions.

“Prompt reporting is essential for the orderly management of information security incidents,” says Patrick Déry, CCIR chair and superintendent, financial institutions at the Autorité des marchés financiers. “CCIR members recognize that differences in reporting requirements can create challenges for both the industry and authorities.”

The paper says one of the main goals of the CCIR is to facilitate the harmonization of insurance regulation across Canada to benefit both consumers and the insurance industry. To that end, the CCIR’s fintech working group reviewed the Canadian landscape to identify and better understand the incident reporting frameworks currently in use across Canadian jurisdictions.

“The recommendations aim to promote convergence among incident reporting frameworks, while recognizing that a one-size-fits-all approach is not feasible or preferable. Provincial authorities may choose to adopt relevant recommendations where applicable,” they write.

Fragmentation exists across jurisdictions

The authors add that fragmentation exists across jurisdictions with respect to the scope of what should be reported, the methodologies for measuring the severity and impact of an incident, the timeframes for reporting, and how incident information is used.

Recommendations for insurance regulators include having clearly defined objectives for incident reporting and engaging regularly with insurers to raise awareness of the value and importance of reporting and of insurers’ statutory obligation to report incidents. They also encourage regulators to understand the challenges insurers may face and to identify approaches to overcome them where warranted. “Continuous engagement (workshops, seminars, dialogues) between financial authorities and insurers may help to develop common understanding with regards to the incident reporting framework, including its criteria and objectives,” they suggest.

They also suggest regulators make use of work already completed by standards-setting organizations to develop definitions. “In particular, a clear definition of the word ‘incident’ is needed,” they write. “Each financial authority should establish a clear definition of what is considered an incident for reporting purposes, based on definitions developed by standard-setters.”

Handling of sensitive information

The paper goes on to recommend a single set of data fields that could satisfy the reporting needs of multiple authority stakeholders, but warns that a superset covering every data field in all existing reporting requirements would be neither practical nor necessary to achieve the key benefits. It also considers reporting triggers, reporting windows, and phased and incremental reporting requirements, and discusses how sensitive incident information is used and handled across jurisdictions.

Industry stakeholders consulted for the project include the Insurance Bureau of Canada (IBC) and the Canadian Life and Health Insurance Association (CLHIA).

“IBC members expressed concerns with the operational burden when dealing with multiple regulators, each with different standards, information requirements, modes of notification and different reporting portals,” they write. The CLHIA’s members, meanwhile, “confirmed that separate and inconsistent reporting expectations do add a considerable burden. They have heard from their members that information security teams now spend more time on reporting than responding to incidents.”