Blog

The new Guideline on Cybersecurity for the Insurance Sector

February 20,2020

by António Isóo de Azeredo and José Rodrigues

The Macau Monetary Authority (AMCM) recently issued a new Guideline on Cybersecurity for the insurance sector.

This Guideline will be relevant to the majority of Operators in the insurance business, specifically, to authorised insurers, reinsurers, pension fund management companies, insurance brokers and corporate intermediaries. Its primary purpose is tackling increasing threats of cyber-attacks and enhancing defence mechanisms against them. For that aim, this Guideline provides the Macau insurance sector with a set of cybersecurity controls and measures for cyber risk management, which have to be adopted and regularly assessed by the Operators.

It should be noted that the Guideline will focus on eight main domains where the Operators should adopt measures. In general terms, they summarise as follows:

  • Governance – Consistent with effective management of other forms of risk faced by the Operators, sound governance is the key to proper cyber risk management. Operators should establish, implement and enhance their approach to managing cyber threats. Therefore, a clear and comprehensive cyber resilience framework should be developed and guided by a cyber resilience strategy, which defines the cyber resilience objective and set out people, process and technology requirements to achieve such goal. It is also important that clear roles and responsibilities of the board and senior management, if any, are established, with a good culture of recognising the importance of cybersecurity.
  • Identification – Without a proper understanding of the Operator’s ecosystem, Operators may risk having inadequate coverage when implementing cybersecurity controls. Operators should develop organisational knowledge to identify and classify business processes, systems, people, assets, data, and external dependencies. Understanding the business context, the resources that support critical functions, and the related cyber risks enable Operators to focus and prioritise its efforts and align with its risk management strategy.
  • Protection – Without adequate security control on the system and processes, the confidentiality, integrity and availability of data and policy could be compromised. Operators should implement appropriate safeguards to ensure delivery of critical services and to contain the impact of a potential cybersecurity event.
  • Detection – Timely detection allows Operators to have proper lead time to deploy countermeasure against cybersecurity events. Operators should define the appropriate activities to identify the occurrence of a cybersecurity event.
  • Response and recovery – Operators need to contain and reduce the impact of a cybersecurity incident. Operators should maintain plans for responding to cybersecurity events as well as for resilience and recovery of any services that get impaired during a cybersecurity incident.
  • Testing – the elements of the Operators’ cyber resilience framework should be rigorously tested to determine their overall effectiveness. Operators should adopt sound testing mechanisms to identify gaps against stated resilience objectives and to provide credible and meaningful inputs to authorised entities’ management of cyber risks.
  • Situational awareness – Keen situational awareness can significantly enhance an authorised entity’s ability to understand and pre-empt cyber events, and to effectively detect, respond to and recover from cyber-attacks that are unprevented. Operators should proactively monitor the cyber threat landscape and participate in the information-sharing initiatives to further enhance authorised entities’ approach in cyber resilience.
  • Learning and evolving – As cyber threats quickly evolve, Operators need to have an adaptive cyber resilience framework. Operators should instil a culture of cyber risk awareness and perform ongoing re-evaluation and improvement activities of the cyber resilience posture at every level within the organisation.

 

These domains are detailed (specifically, in what concerns the measures to be adopted) under the Guideline, and the AMCM expects the Operators to take such actions as soon as practicable.  Operators should develop and implement effective cybersecurity management consistent with the Guideline. However, while the Guideline does dictate the means or specific technologies to implement the relevant control, AMCM expects Operators to do so according to the cyber risk profile of each Operator. The following areas should be considered, when evaluating their risk profile: (i) Technologies and Connection Types; (ii) Delivery Channels; (iii) online/Mobile products and Technology Services; (iv) Organizational Characteristics; and (v) External Threats.

In cases of authorised Operators who are branches of overseas Insurance Entities supported by their head/regional offices for cybersecurity management, the same is expected to demonstrate that their approach is capable of fulfilling the requirements of the Guideline.

While there is no time frame established for the adopting of the requirements provided by the Guideline, the AMCM expects Operators to comply with the same as soon as possible.

In light of the above, legal counsel should be obtained to fully understand the requirements imposed on Operators by the Guideline to comply with the same pursuant AMCM expectations.

 

António Isóo de Azeredo

Associate Lawyer

isooazeredo@ccadvog.com

José J. Rodrigues

Trainee Lawyer

joserodrigues@ccadvog.com

 

Notícias Relacionadas
August 15, 2024 -

C&C Escreve Capítulo sobre Fusões e Aquisições Corporativas para o Guia de Práticas Globais da Chambers and Partners

A C&C contribuiu recentemente para o capítulo de Corporate M&A da Chambers and Partners, com a coautoria de Nuno Sardinha da Mata, Elvis Ng e ...

June 02, 2023 -

C&C e AllBright de Qingdao assinaram um acordo de cooperação estratégica sobre serviços jurídicos !

  A C&C Advogados e a AllBright chegaram a um acordo de cooperação estratégica para reforçar a cooperação entre Qingdao e Macau, construir...

May 22, 2023 -

Apresentação do Dr. Nuno Sardinha da Mata no Seminário do Dia de advogado 2023

Na sexta-feira passada (19 de Maio de 2023) marcou o Dia Anual dos Advogados organizado pela Associação dos Advogados de Macau (AAM)! Temos o praze...

May 22, 2023 -

C&C e IPSOL na conferência INTA 2023 realizada em Cingapura!

Temos o prazer de compartilhar que a C&C Lawyers e a IPSOL, nossa empresa irmã de propriedade intelectual, tiveram o privilégio de ser representad...

May 17, 2023 -

Visita à Exposição sobre a Educação da Segurança Nacional 2023

Liderados pelos nossos sócios Dr. Rui Cunha, Dr. Nuno Sardinha da Mata, Dr. Lu Zhao e Director Sr. Rui Pedro Cunha, o nosso escritório visitou ontem a...

May 12, 2023 -

C&C participou no Pitch Roadshow para Empresas de Tecnologia Científica do Brasil e Portugal na BEYOND EXPO 2023

O nosso Director Rui Pedro Cunha participou no Pitch Roadshow para Empresas de Tecnologia Científica do Brasil e Portugal na BEYOND EXPO 2023. O event...