Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties.
The system of governance should include an adequate transparent organisational structure with a clear allocation and appropriate segregation of responsibilities.
The undertaking should take into account the respective duties allocated to individual members to ensure appropriate diversity of qualifications, knowledge and relevant experience.
The board should include an appropriate combination of executive and non-executive (and, in particular, independent non-executive) directors, such that no one individual or small group of individuals dominates the board’s decision-making. There should be a clear division of responsibilities between the leadership of the board and the executive leadership of the company’s business.
Adequate resources are allocated commensurate with the cybersecurity risk strategy, roles, responsibilities, and policies.
Insurers should not open an account or commence a business relationship, or perform a transaction for a customer if they are unable to verify the identity of the customer or beneficial owner.
The undertaking should have a written agreement with the service provider which clearly defines the respective rights and obligations of the undertaking and the service provider.
The chair should be independent on appointment when assessed against the circumstances set out in Provision 10. The roles of chair and chief executive should not be exercised by the same individual. A chief executive should not become chair of the same company. If, exceptionally, this is proposed by the board, major shareholders should be consulted ahead of appointment. The board should set out its reasons to all shareholders at the time of the appointment and also publish these on the company website.
Roles and responsibilities regarding cybersecurity are clearly defined and communicated across the organization, including the board, senior management, and the three lines model.
Business relationships with Politically Exposed Persons (“PEPs”) may present higher risks. Insurers must define and identify PEPs, including their family members and close associates, and apply appropriate risk management systems.