Regulators highlight insurance intermediary best practices to support improved cybersecurity

Published October 18, 2023

The Canadian regulatory authorities for insurance intermediaries–including the Insurance Council of BC–have collaborated to produce a publication on cybersecurity preparedness to support insurance professionals to improve cybersecurity practices and safeguard confidential client information. Released by the Canadian Insurance Services Regulatory Organizations (CISRO) in September 2023, the publication titled “Cybersecurity Readiness”  highlights the importance for intermediaries to prioritize cybersecurity and build awareness of their role and responsibilities in achieving cybersecurity readiness.

Cybersecurity refers to any practice that safeguards the confidentiality, integrity, and availability of business, employee, and customer data using computer systems. Breakdowns in these safeguards are referred to as incidents. Cyber threats present a continuous and growing risk, particularly with the increased use of technology in conducting insurance business activities.

Cyber threats may be the result of a human error, a system not working properly, or a deliberate and calculated intrusion such as a cyber attack. Being proactive in implementing appropriate measures against cyber threats is key to preventing cyber incidents that could compromise or lead to the theft of client information and mitigating impacts on both the intermediaries and their clients.

 Some of the key measures noted in the CISRO publication include:

  • Understanding and complying with the agency’s policies and procedures on cybersecurity;

  • Reviewing cybersecurity practices and implementing appropriate measures to address or mitigate any identified risks; and

  • Establishing a cybersecurity incident response plan to protect client information (see ‘Elements to include in a Cyber Incident Response Plan,’ page 7 in the publication).

Licensees are encouraged to familiarize themselves with the practices outlined in the CISRO publication to achieve cybersecurity readiness. 

As a reminder, licensees have a responsibility to:

  • Safeguard clients’ personal information in the licensee’s possession, which includes protecting personal information from unauthorized access, accumulation, storage, and disposal.

  • Obtain express authority from a client to use or disclose their personal information for the purpose for which the information was intended.

  • Have policies and procedures in place that govern the handling of personal information and cybersecurity.

More information on licensee responsibilities can be found in the Insurance Council’s Code of Conduct, Appendix B – Client Confidentiality Guidelines and ICN 17-004 – Reminder of Licensee Responsibilities Related to Disclosure or Transfer of Client Information.

The Insurance Council’s position and requirements on client privacy and confidentiality do not override the requirements under existing legislation. Licensees must also follow the Personal Information Protection Act (PIPA), to ensure adequate client protection is in place. For more information on the PIPA requirements, please refer to the Office of the Information and Privacy Commissioner's "A Guide to B.C.’s Personal Information Protection Act for Businesses and Organizations."