PINS S6.5 Risk management policy — technology risk

An insurer's risk management policy for technology risk should include:

(a) information technology policies and procedures to identify, assess, monitor and manage technology risks;
(b) arrangements for adequate information technology infrastructure that:
(i) meet its current and projected business requirements (both under normal circumstances and in periods of stress);
(ii) ensure data and system integrity, security and availability; and

    The IT infrastructure is able to keep secure, and protect, personal information and data (including financial and medical data) in accordance with the requirements under the Data Protection Regulations 2005 and any other relevant laws.

(iii) support integrated and comprehensive risk management;
(c) the use of appropriate technology to manage adequately the financial, medical and personal information held by an insurer;
(d) procedures and controls on data security to enable it:
(i) to report, in a timely manner, security breaches to affected customers and to the Regulatory Authority; and
(ii) to meet other reporting requirements;
(e) processes to assess the risks associated with major breaches in data security and to mitigate the effects of such breaches on its resources, operations, environment and operations;
(f) as part of business continuity planning, measures to be taken in case of breaches of data security; and
(g) measures that ensure that group structures are not used to circumvent prohibitions on the sharing of personal information.
Inserted by QFCRA RM/2013-1 (as from 1st January 2015).