THE LENS
Digital developments in focus

Cyber supply chain risk and the insurance sector

The Capita cyber attack in March 2023, and the data breach that may have resulted from it, have once again highlighted the potential vulnerability of firms to cyber risk via their third party suppliers. The incident was particularly high profile given the scale of Capita’s operations, which include supplying services to Government as well as to firms operating in the financial services sector. Both The Pensions Regulator and the FCA wrote to firms who could have been affected by the incident, in the FCA’s case “to ensure they are fully engaged in understanding the extent of any data compromise”. This included a number of insurance sector firms.

Cyber attacks can, among other things, cause disruption to firms’ important business services. Regulated firms are subject to the PRA and FCA’s operational resilience requirements, which had to be implemented by 31 March 2022 and must be fully complied with by 31 March 2025. By now firms should have, among other things:

  • identified their important business services which, if disrupted, could cause intolerable harm to consumers, cause a risk to market integrity, threaten the viability of firms, or cause instability in the financial system; and
  • set impact tolerances for the maximum tolerable disruption to these services.

For outsourcing and third party arrangements, firms are expected to gain assurance that such arrangements would not create a vulnerability in meeting the firm’s impact tolerances. In its supervisory statement on outsourcing and third party risk management, the PRA outlines in detail the steps it expects authorised firms to take to reduce the risks arising from third party arrangements, including in relation to data security. These regulatory obligations overlay the responsibilities of all firms under UK GDPR, including notification obligations to the ICO in the event of a data breach.

Governmental initiatives

Although there is an onus on firms to put systems in place to protect themselves, UK Government and the regulators are also taking steps to address the risk to the financial system which could be posed by critical service providers. These initiatives include the following:

  • the Financial Services and Markets Bill includes powers for HM Treasury to designate certain third parties to firms as “critical third parties” (CTPs) (in consultation with the regulators) and for the regulators to make rules for, and gather information from, designated CTPs in connection with the provision of services to regulated firms;
  • the FCA plans to consult on requirements in relation to CTPs in 2023, following its 2022 discussion paper produced jointly with the PRA and Bank of England. These requirements may include minimum resilience standards for CTPs as well as participation in a range of resilience tests and sector-wide exercises; and
  • at EU level, the new Digital Operational Resilience Regulation will impose obligations from January 2025 on actors in the financial sector, including insurance and reinsurance companies, insurance and reinsurance intermediaries, ancillary insurance intermediaries and IT service providers employed by these entities.

There are also initiatives outside the financial sector which may be relevant. For example, the UK’s National Cyber Security Centre has recently published guidance on supply chain management and the Government is planning to amend the Network and Information Systems (NIS) Regulations 2018 to improve the UK’s cyber resilience by bringing “managed services” related to the provision of IT services (such as systems, infrastructure, networks and/or security) in scope. See our blog for more information.

Practical steps

Our Cyber Group regularly advises financial sector clients on a range of cyber issues including third party supply chains and ransomware attacks. Preparedness is key and it is vital that a firm’s cyber risk management framework and contingency planning enable it to act within its risk appetite and meet regulatory expectations. There are a number of steps which firms can take to minimise the threat of a cyber attack. These include:

  • putting in place clear cyber incident response plans and regularly practising and updating those plans – this should include planning for particular high-risk areas such as ransomware threats;
  • considering how those plans work across the group (e.g. does the group have the right level of oversight over businesses which are run “independently”), the firm’s supply chain (e.g. is supply chain risk being monitored and managed) and when new businesses are acquired;
  • identifying key digital assets, mapping the group’s data (e.g. what information is stored in which system) and understanding how back-ups would work in practice;
  • ensuring appropriate third party advisers (forensic IT, legal etc.) are onboarded and jointly trained with the firm; and
  • identifying legal, regulatory and contractual notification obligations and ensuring that there is a joined-up approach when liaising with different regulators, including the ICO, PRA and FCA.

This item first appeared in Slaughter and May's June Insurance Newsletter
