Page 31 - Annual Report 2019

Supervision and Authorisation

The Supervision and Authorisation division consists of six departments: Authorisation, Supervision (comprising the Bank Supervision, Insurance Supervision and Investment Management Supervision departments), Anti-Money Laundering/Combatting the Financing of Terrorism (AML/CFT), and Macroprudential Analysis.

In 2019, the division focused on thematic reviews to assess corporate governance and the management of data protection and cybersecurity in regulated firms, created and implemented an enhanced supervisory programme for high-risk firms, updated the Regulatory Authority’s AML/CFT rules in accordance with Law No. 20 of 2019 on combatting money laundering and terrorism financing in the State of Qatar, finalised its leverage ratio framework, and provided valuable insights on macroeconomic and finance stability to the Regulatory Authority staff through macroprudential analysis of the Qatari economy and the energy and finance sectors.

A division-wide focus on cybersecurity

Qatar was ranked the 17th safest country in the world for measures taken against cyberattacks in 2018, according to the Global Cybersecurity Index published the same year by the United Nations’ International Telecommunication Union. The index also placed Qatar as the third most cyber-safe Arab nation in the world. Along with this impressive ranking, the Regulatory Authority continued to uphold the level of security by conducting a cybersecurity assessment of the regulated financial firms in the QFC.

The 2019 assessment was conducted via a series of surveys as well as on-site visits to regulated banks, insurers and investment management companies. The surveys were designed to ascertain firms’ preparedness for cyberattacks or cybersecurity breaches. The surveys focused on internal governance, delivery of change management, and understanding of third-party risks, and evaluated cyber defences. The survey was aligned to the ISO 27000 framework, with firms self-assessing their capabilities. The analysis of firms’ responses indicated a number of common themes. The Regulatory Authority’s assessment of the banking, insurance and investment management sectors in Qatar provided positive results with firms allocating adequate funds and resources to defend against cyberattacks.

The majority of firms identified governance as the most prevalent area for improvement and incident management as a top concern. Some firms highlighted areas of weakness in terms of third-party management and the need to strengthen data loss prevention measures.

The survey results for the banking sector indicated that appropriate cyber security and resilience frameworks were largely in place across the firms, with varying degrees of sophistication. However, the survey indicated that at some firms, the level of understanding of the implications of cyber risk at senior management levels was not sufficient.

The 21 regulated insurers and insurance intermediaries identified organisational structure and resources as the areas where they had the strongest capabilities. However, similar to banks, insurers identified governance and cyber incident management as their vulnerabilities.

Some insurers reported that they had underwritten cyber risk insurance policies for clients that covered cyberattacks, also known as “affirmative cyber risk”. Cyber risk insurance policies currently fall under “first-party” and “third-party” coverages. The former includes a loss of business income as a direct result of an attack, while third-party pertains to the business and legal costs incurred, for example, the failure to prevent a leak of confidential client data.

Insurers also have a more indirect way of covering cyberattacks for policyholders, known as “non-affirmative cyber risk” or “silent coverage”. In this instance, policies associated with cyber risk are not explicitly included in insurance policies, yet clients could place an insurance claim on issues caused directly by an attack. This may include a loss of computer hardware or even instances of general liability.

In its response to regulated insurance firms, the Regulatory Authority highlighted that firms should manage any affirmative and non-affirmative cyber insurance risk according to the firm’s own risk appetite, pricing and underwriting strategy, and technical cyber insurance expertise.

In communicating the findings of the review to regulated firms, the Regulatory Authority stated expectations that the governing bodies of each firm would fully recognise their responsibilities in relation to information technology-related risks, governance and risk management. Supervisors asked firms to place remediation of any identified deficiencies among their top priorities. In particular, the Regulatory Authority urged each firm to fully implement its proposed action plan to address deficiencies identified as part of the review as soon as possible.