Promutuel attacked; Desjardins called to order

By Hubert Roy | December 14 2020 02:06PM


After l'Unique General Insurance, Promutuel Assurance is the latest victim of a cyber attack.

Insurance brokers reported this issue to the Insurance Portal over the weekend of December 12-13. The insurer did not respond to our request for information by press time.

Promutuel’s website, however, mentions that its computer systems are out of order: "Our teams are working hard to resolve the matter as quickly as possible and shed the light on the situation. More details will follow.”

On December 12, at around 6:00 p.m., the insurer published a notice stating that it had been hit by a cyber attack. "As soon as the incident was brought to its attention, the insurer  acted without delay by mandating a team of experts who are currently conducting an in-depth investigation designed to clarify the situation, secure the IT environment and restore the situation as quickly as possible. The regulatory authorities have also been notified," Promutuel explains.

Promutuel adds that at this point in the investigation, it is too early to comment on the nature or extent of the data involved in the incident. "Despite the robustness of Promutuel Assurance's IT systems and security mechanisms, it appears that the organization is another victim of this wave of cyber attacks that is targeting the insurance industry. Promutuel Assurance takes this situation with all the seriousness and rigor necessary and will take all the necessary means to promote a return to normal. It also undertakes to keep its insured members informed of the evolution of the situation and thanks them for their patience and collaboration.”

A temporary telephone line will be set up shortly for insured members who have priority requests, Promutuel says.

AMF orders Desjardins to fulfil its obligations

On the morning of Monday, December 14, the Autorité des marchés financiers called on the Fédération des caisses Desjardins du Québec to put in place "a series of corrective measures and robust internal controls to effectively mitigate the risk of operational incidents, including those related to privacy, and to comply with its legal obligation to apply sound and prudent management practices.”

Under the powers conferred on it by the Act respecting financial services cooperatives, the AMF has issued an order to the Federation setting out numerous findings from its supervisory work on the personal data leak announced in June 2019.

Upon completing its work, the AMF concluded that the Desjardins Group had failed to comply with its legal obligations to follow sound and prudent management practices, which increased the odds of such an incident. It thus ordered the Federation to implement a series of corrective measures aimed at addressing the failures identified and to provide a detailed report to its governance bodies and the AMF.

"The AMF has taken note of the various measures implemented by Desjardins Group following the incident in order to take the required corrective actions and increase its overall level of information security and privacy maturity. While these measures are an undeniable improvement and demonstrate Desjardins Group’s desire to maintain the trust of its members and customers," the regulatory body continues.

The AMF believes that further measures are needed in order for the Group to fully meet its requirements and apply best practices observed in systemically important financial institutions. "At the AMF’s request, Desjardins Group has therefore developed plans to strengthen its management and sound governance practices and properly manage information security and privacy risks," the regulator said.

The Act does not provide for the possibility of attaching monetary to the order rendered. However, the Federation is subject to a monetary penalty of $10,000 for each day of non-compliance.

The Insurance Portal will be following these two stories closely in the days to come.

Related topics …