In recent years, regulators have consistently urged insurers to adopt holistic strategies that extend far beyond traditional disaster recovery—embedding resilience throughout business operations and the entire software development lifecycle.

This paper aims to offer a comprehensive perspective on resilience, bringing together operational continuity, cyber defence, and third-party risk management. It can serve as a strategic guide for CxOs, outlining how to identify the Minimum Viable Company (MVC), market insights into sector-wide impact tolerance, and anticipate the evolving landscape of regulatory and cyber resilience through 2030.

Minimum Viable Company (MVC) framework

The FCA’s Operational Resilience Policy Statement (PS21/3) challenges insurers to pinpoint their Important Business Services (IBS) and develop strategies for maintaining these during severe disruptions. Though MVC is not named explicitly in PS21/3 (FCA’s Policy Statement on Building Operational Resilience, published in March 2021) organizations are advised to define their “minimum operational footprint,” closely aligning with MVC principles.

Think of the MVC as your organisation’s lifeline: those indispensable services, processes, technologies, and teams that maintain trust and financial stability, even when everything else must be paused.

Most organizations keep their MVC lean, just 15–17% of total business activity, backed by robust lists of mission-critical applications, core infrastructure, key data, and vital third-party relationships. This isn’t just compliance: it’s about identifying a modular, scalable foundation that lets your business isolate issues, recover fast, and keep delivering during systemic risks.

Informed by our extensive work with top UK and global insurance organisations, an indicative list of Core Services typically is:

Further examination of trends in impact tolerance, detailing standard timeframes observed and strategic rationale for core services identified within MVC.

Note: The following ranges are intended as guidance, reflecting our market study and regulatory advisory. Actual tolerances may vary based on factors such as the jurisdictions involved, the organization’s risk profile, and its financial capacity.

Regulatory trends: 2025–2030 outlook

As the insurance industry navigates evolving operational demands, it is equally crucial to anticipate the shifting regulatory landscape that will define the coming years. The following outlook highlights the major regulatory trends projected for 2025 through 2030, outlining key compliance requirements and anticipated changes that will shape the UK insurance sector’s risk management and reporting frameworks.

It is important to recognise that as regulations in this area continue to develop, UK regulators such as the FCA and PRA are moving towards greater alignment with major European frameworks, including the EU Digital Operational Resilience Act (DORA) and the Network and Information Security (NIS) Directive.

This alignment reflects a recognition of the interconnectedness of financial markets and critical services across borders, and the need for consistent, elevated standards of operational and cyber resilience.

The FCA and PRA have issued consultations and guidance signalling their intent to integrate core DORA and NIS principles—such as enhanced third-party risk management, harmonised incident reporting obligations, and sector-wide resilience testing—into the UK’s regulatory regime. This convergence ensures that UK financial institutions, insurers, and service providers are prepared not only for domestic regulatory expectations but also for the demands of operating within a global and digitally integrated market.

Boardroom resilience checklist

In light of these forthcoming regulatory changes and strategic reforms, it is essential for boardrooms to evaluate and reinforce their organisational resilience frameworks. The following checklist is designed to guide leadership teams in proactively assessing their preparedness, ensuring robust governance, and embedding resilience into core decision-making processes.

• MVC coverage: Is your Minimum Viable Company (MVC) clearly defined, mapped, and stress-tested across operations to maintain delivery of essential services
• Impact tolerance benchmarking: Have you validated realistic impact tolerances through scenario analysis, and benchmarked them against peer institutions and regulatory frameworks
• Third-Party risk visibility: Do you maintain real-time insight into key external dependencies, supported by contingency planning and contractual resilience provisions
• Integrated resilience functions: Are your operational resilience, cyber security, third-party risk, and enterprise risk teams aligned in strategy, decision-making, and board reporting to support a cohesive resilience posture
• Incident Response preparedness: Do you have robust mechanisms for multi-channel incident reporting (internal and external) and active regulator engagement, supported by rehearsed playbooks
• Cyber insurance alignment: Is your cyber insurance coverage tailored to your specific risk landscape, and tested against evolving threat scenarios across business-critical assets
• Board accountability: Have board members been trained in resilience and security oversight, and do they receive regular briefings from integrated risk functions to ensure informed governance
• Resilience culture: Is a resilience-aware culture embedded across the organization —from executive leadership to operational teams — fostering proactive risk ownership and continuous improvement
• Regulatory awareness & horizon scanning: Are we tracking global and local regulatory developments (e.g. EU DORA, FCA SS1/21, SEC cyber rules), and ensuring readiness and board-level awareness of compliance obligations

The UK insurance and reinsurance sector is well-capitalised, digitally evolving, and strategically positioned for growth. But resilience (operational, cyber, and third-party) remains the defining factor for long-term success. 

By thoughtfully harmonizing operational resilience strategies across function with leading global standards, organizations can elevate their industry standing and secure enduring stakeholder confidence. This proactive approach not only ensures compliance with a rapidly evolving regulatory landscape but also fortifies the ability to mitigate cross-border risks and respond decisively to unforeseen disruptions. In a world where digital threats and supply chain vulnerabilities transcend geographic boundaries, developing internationally recognised resilience is both a regulatory imperative and a cornerstone of successful, forward-looking business strategy.

In conclusion, executives must embed robust, integrated resilience frameworks for sustained growth and stability. By cultivating a culture of proactive risk management and regulatory awareness, institutions can position themselves at the forefront of operational excellence, prepared not just to withstand challenges, but to transform them into opportunities for long-term success.

Cet article Resilience by design: strategic imperatives for UK General & Reinsurance Insurers (2025 – 2030) est apparu en premier sur RiskInsight.

This regulatory challenge extends well beyond China’s borders, raising fundamental questions about how to comply with divergent local regulations in the context of centralised global information systems.

In this article, we explore technological measures to address the concerns of many CIOs about the PIPL law.

1/ PIPL raises broader risks than just compliance risks, highlighting a trend towards decoupling operations

The PIPL is part of China’s digital sovereignty strategy and raises cross-functional issues that go far beyond IT and cyber security. We note that “80% of French companies operating in China have had to adapt their global operations by decoupling certain processes in China[1]“. At the root of this trend are risks such as espionage, compromise of intellectual property or regulatory non-compliance.

A decoupled business process must be accompanied by IT decoupling. IT decoupling is the act of separating a part of an IS to make it more flexible and modular. This allows the decoupled components to operate independently of the central system.

Before starting work to comply with the PIPL law, companies need to ask themselves 3 essential questions:

• Should we maintain a presence in China? A decision at Executive Committee level needs to be made in the light of a strategic analysis assessing the cost/benefit ratio in relation to the current risks. For example, some suppliers refuse to expand their activities in China to avoid losing control of their source code.
• If so, should I decouple my IT architecture to mitigate the risks? It is essential to highlight this study in relation to potential changes in the regulatory landscape to ensure long-term compliance.
• How do I operate and secure a decentralised system? IT and cyber restructuring should be planned according to the different architectural choices made: how should IAM be managed? How can SOC supervision be set up on a decentralised system?

2/ Putting in place a “privacy-by-design” IS architecture

The varied nature of the rules governing the storage and processing of personal data raises a question: is it possible to adapt an IS to facilitate compliance work? Is a “privacy-by-design” architecture realistic?

There are 3 possible scenarios, depending on the company’s risk appetite and strategic positioning:

• First, we have our centralised IS (the one we all know). By pooling resources, we can deliver the same service on the same scale and achieve economies of scale. However, Chinese data must be subject to a specific transfer, approved by the CAC (Cyberspace Administration of China). To control and monitor this transfer, all data flows in and out of China could pass through a single gateway (also facilitating emergency isolation, such as Red Buttons). The risk of regulatory non-compliance is controlled at the time of implementation, but can easily drift over time (operational change, application change, new Chinese amendment, etc.).
• Then we have a partially decentralised IS (where the Chinese application instance is decoupled). Data is stored and processed in China using a specific Cloud tenant or an on-premise infrastructure. Application links persist between China and the rest of the world, and data may be transferred from time to time (depending on the regulatory constraints in force). Chinese data is kept separate from the rest, making it easier to ensure the security and confidentiality of personal data.
• Finally, we have a decoupled IS, with an independent local authority. This option is certainly the most advanced, ensuring the highest level of compliance. However, it drastically increases operating costs (local teams, local infrastructure, etc.): this position is difficult to maintain if the company is committed to reducing IT and/or cyber costs. This architecture also provides significant resilience in the event of geopolitical crises, making it easier to execute an exit plan. Recent examples of geopolitical tensions include the Russian[2] [3] subsidiaries Carlsberg and Danone, which were nationalised by Russia, and the war in Ukraine, which led to numerous carve-outs, such as that of Heineken[4].

Should I choose a Cloud Service Provider (CSP) in China?

Alibaba Cloud has long been the preferred Cloud Provider because of the variety of services it offers compared with non-Chinese CSPs. Although this difference between Chinese and non-Chinese CSPs is tending to disappear, Alibaba Cloud could remain the preferred choice: as a Chinese provider, this CSP would be well advised to adapt quickly to any new Chinese regulatory requirements.

How should data transfer be managed?

In a centralised and partially decentralised architecture, data continues to be transferred. Depending on the sensitivity of the data transferred, we can implement data anonymisation or use confidential computing, an increasingly mature technology that guarantees data confidentiality during processing.

However, some cases do not necessarily require data to be transferred. This is the case with certain decentralised learning methods for AI that are “privacy-by-design” (e.g. bagging, federated learning, etc.): the systems are trained locally, and only the learning is transferred.

3/ What can we do in this climate of uncertainty, both in the short and long term?

Short term: a pragmatic risk-based approach  

The compliance strategy must be the result of a pragmatic, risk-based approach, in order to minimise the impact on operations. The main steps are as follows:

1. Make an inventory of all the data affected: what data and how is it used? How is the data stored, transferred, and processed? How are data access rights managed? Are there any external dependencies with suppliers?
2. Assess the risks associated with the data and its use. The format and content of the study must comply with CAC standards.
3. Arbitrate a compliance strategy: draw up a compliance strategy based on the 3 scenarios detailed in the previous sections, depending on the sensitivity and criticality of the application data in question.
4. Implement technical measures: implement security and confidentiality measures (decoupling, encryption, pseudonymisation, anonymisation, access controls, etc.).
5. Monitor and maintain compliance: establish a regular monitoring process to maintain compliance with the PIPL.

Long term: should I be preparing to decouple my IS in China?

PIPL compliance strategy should consider long-term trends, current geopolitical tensions and China’s increasing emphasis on data protection and sovereignty (and uncertainty of current laws).

The cybersecurity regulatory landscape has become denser and more complex in recent years, recalling one of the futures envisaged by the Cyber Campus[5]. Ultra-regulation, linked to the tightening of regulations with the aim of restoring digital confidence, could lead to regulatory incompatibilities and numerous non-compliances or fines.

Fortunately, we are not yet at this stage. However, we must anticipate this trend: PIPL compliance must be a case study forming part of an in-depth reflection on decoupling (with varying levels of separation depending on the situation). This trend towards decoupling could become essential on a wider scale in the next ten years.

[1] CCI France CHINE : Enquête sur les entreprises en Chine, Printemps 2022 https://www.ccifrance-international.org/le-kiosque/n/enquete-sur-les-entreprises-francaises-en-chine-printemps-2022.html#:~:text=Enqu%C3%AAte%20sur%20les%20entreprises%20fran%C3%A7aises%20en%20Chine%20%2D%20Printemps%202022,-25%20mai%202022&text=Avec%20p.

[2] Le Monde, 26/07/2023, « Danone : comment le piège russe s’est refermé sur le géant français des produits laitiers » https://www.lemonde.fr/economie/article/2023/07/26/danone-comment-le-piege-russe-s-est-referme-sur-le-geant-francais-des-produits-laitiers_6183438_3234.html

[3] Le Temps, 19 juillet 2023, « Après Danone et Carlsberg, la Russie se dirige vers la nationalisation d’autres filiales de groupes étrangers » https://www.letemps.ch/economie/apres-danone-et-carlsberg-la-russie-se-dirige-vers-la-nationalisation-d-autres-filiales-de-groupes-etrangers

[4] Les Echos, 25 août 2023, « Heineken se retire définitivement de Russie » https://www.lesechos.fr/industrie-services/conso-distribution/heineken-se-retire-definitivement-de-russie-1972549

[5] Horizon Cyber 2030 : perspectives et défis, Campus Cyber https://campuscyber.fr/resources/anticipation-des-evolutions-de-la-menace-a-venir/

Cet article PIPL: is information system decoupling necessary to comply with protectionist local laws? est apparu en premier sur RiskInsight.

THE RISE OF INITIAL ACCESS BROKERS

As seen in the underground economy edition, the cybercriminal economy relies on the professionalization and specialization of its system. Among the main actors of this ecosystem, such as the Bullet Proof Hoster or the RaaS, the Initial Access Brokers (IAB) have become more and more crucial these last years. 

What is the IAB’s role in the underground economy?  

They are providers of victims’ access. They scan the web for vulnerabilities, send phishing e-mails or try to use brute force to get hold of the passwords of company employees, or even create persistent access in the victim’s network. Those ready-made ‘access’ are sold on the dark market: depending on its level of quality, prices can range from $1K to $100K. The average selling price of initial access to a network is $7,100. Price is based on the organization’s revenue, type of access sold, and number of devices accessible. For example, Access to an Australian company with 500 million USD in revenue that enables an attacker with “admin” level of privileges has been offered for 12 BTC, and access to a Mexican government body for 100,000 USD. 

The market of corporate initial access grew by almost 16% in H2 2020–H1 2021, from $6,189,388 to $7,165,387. The number of offers to sell access to companies almost tripled over the review period: from 362 to 1,099.  The geography of initial access brokers’ operations has also expanded: if the US-based companies are the most popular victims (30% in 2021), the European companies access sold was multiplied by three between 2019 and 2021. French companies were the most popular lot for sellers of access to compromised networks – they accounted for 20% of all victim companies in 2021 in Europe, followed by the UK (18%). 

Finding and selecting access opportunities represent an essential but very time-consuming piece of the current “ransomware business model”. By monetizing this activity, the IABs are offering a huge advantage of time and energy for the buyers, who can select from a menu of options, picking victims based on their revenue, country, and sector, as well as the type of remote access being offered. 

What kind of access are we talking about? 

One of the main trends of the IAB market is the diversification of access Grows. If RDP and VPN are still the most common offer, new attack vectors such as access to VMWare’s ESXi servers have become quite popular. 

According to several types of research, the kind of access mostly sold are   

• Active Directory credentials: domain administrator access is one of the most valuable access since it allows the attacker to distribute malware all over the network immediately.  
• Initial Network Access (RDP, VPN, SSH): : is one the most common access sold since it is a very popular protocol among remote workers to access their corporate resources. One of the methods used by the IAB is to launch massive scans for RDP servers all around the internet and try to brute force it. 
• Web shell access: some IABs set up web shells on compromised web servers and sell access to it. 
• Admin account on CMS (WordPress, PHP): they provide access to web hosting content (including payment solutions and credit card details)  
• Admin account on virtualization machines and root access on Linux servers: the sale of root access to VMware ESXi increased significantly and some attacker’s group contains code that specifically targets those systems. 
• Remote Monitoring and Management access: offer elevated permissions into several machines of the network, making it interesting data for IABs to sell. 

According to the IAB, the services can include more stolen data, such as information on the financial health of the targeted victim, to help the attacker set the highest realistic price for the ransom.  

What does that mean for me? 

The rise of the IABs activity is, among other things, a direct consequence of the mass shift to remote work and an increase of exposed remote services, (RDP, SSH…) and of the adoption of cloud applications increase. As seen; the main kinds of access sold relies on several vulnerabilities that can be corrected with standard cybersecurity measures: utilize strong passwords, enable 2FA when possible, admins and user awareness, frequent account review… 

Besides, the IABs have become a keystone of the current cybercriminal system. Which means they are an interesting indicator to look at to monitor the criminal activity and the risk to become a target. Especially in the case of a mature actor, setting up monitoring programs across surface-, deep-, and dark-web forums and marketplaces, to detect IABs offering can provide relevant information to prioritize defense actions and prepare against potential attacks.

CERT-W: FROM THE FRONT LINE

The First Responder Word

READING OF THE MONTH

We recommend the Cisco Almanac for 2022:  

“2022 Cybersecurity Almanac: 100 Facts, Figures, Predictions and Statistics” 

2022 Cybersecurity Almanac 

 

UPDATE ON THE UK NATIONAL CYBER STRATEGY

The UK’s National Cyber Strategy transmits a more ‘proactive’ stance to cyber power with a commitment to a ‘whole of society’ approach. The new strategy is supported by £2.6 billion investment seeing a 26.9% percent increase in comparison to previous strategy.

It is structured in five pillars: UK Cyber Ecosystem, Cyber Resilience, Technology advantage, Global leadership and finally Countering threats with 53 action plans. The plans aim to improve intel sharing platforms to truly ‘defend as one’ with a new Govt Cyber Coordination Centre (GCCC). Supporting industrial partners and strengthening business regulations through govt levers and enhance the nation’s cyber structure and skills.

Access the summary from the UK office here!

SEE YOU NEXT MONTH!!

Cet article CDT Watch – February 2022 est apparu en premier sur RiskInsight.