Backups of data are created, protected, maintained, and tested.
A formal cybersecurity strategy and objectives are established and periodically updated. Updates on the achievement of cybersecurity objectives are periodically communicated and reviewed by the board, including resources and budgetary considerations to support the cybersecurity strategy.
An incident response plan is established, documented, maintained, and periodically tested to ensure an effective response to cybersecurity incidents.
The undertaking should perform an Own Risk and Solvency Assessment (ORSA) regularly and at least annually. The ORSA should be an integral part of the business strategy and should be taken into account in the strategic decisions of the undertaking.
Business continuity and disaster recovery plans addressing cybersecurity scenarios are established, maintained, and tested to ensure the recovery of critical business processes and systems.
A cybersecurity risk assessment is performed and documented periodically to identify, analyze, and evaluate cybersecurity risks, including emerging threats.
Cybersecurity policies, standards, and procedures are established, approved, communicated, and periodically reviewed to ensure they remain relevant and effective.
Performance and risks are monitored continuously throughout the third-party lifecycle to ensure compliance with contractual agreements and service level agreements (SLAs).
The board should monitor the company’s risk management and internal control systems and, at least annually, carry out a review of their effectiveness. The monitoring and review should cover all material controls, including financial, operational and compliance controls. The board should provide in the annual report: a description of how the board has monitored and reviewed the effectiveness of the framework; a declaration of effectiveness of the material controls as at the balance sheet date; and a description of any material controls which have not operated effectively as at the balance sheet date, the action taken, or proposed, to improve them and any action taken to address previously identified material control issues.