Please use this identifier to cite or link to this item:
https://www.um.edu.mt/library/oar/handle/123456789/130605

| Title: | Determining drivers of information security for insurance institutions within Malta, and the perceived benefits of certification to standards |
| Authors: | Borg, Aidan Joseph (2024) |
| Keywords: | Computer crimes -- Malta; Computer security -- Malta; Finance -- Law and legislation -- European Union countries; Finance -- Technological innovations -- European Union countries; Computer networks -- Security measures -- Management; Computer security -- Management; Insurance companies -- Malta; Insurance companies -- Employees |
| Issue Date: | 2024 |
| Citation: | Borg, A. J. (2024). Determining drivers of information security for insurance institutions within Malta, and the perceived benefits of certification to standards (Master’s dissertation). |
| Abstract: | Rigorous regulations and standards have emerged from the world of cyber-risk, its ever-changing nature resulting in continuous updates and changes made to better facilitate said regulation. The ever-changing world of cyber risk has resulted in many regulations and standards that require continuous changes. Insurance institutions are especially at risk as they handle both sensitive and non-sensitive information for their clients. As a result, these institutions must comply with a number of regulations, but not all comply with the same regulation. There are also standards that these institutions may follow or be officially certified against to mitigate the attacks that may occur. This study examined insurance institutions’ information security management approaches, focusing on the drivers of their decisions and the impact of certification standards, the factors behind this approach, and the effectiveness of the approach in complying with regulation. Objectives of the study: The objectives of this study were to assess the perceptions of employees about their own information security management approach, determine the reasoning behind this approach and ascertain how effective these approaches are. Methods: This was an inductive, qualitative, cross-sectional study which included participants from a variety of sections within the insurance industry. A semi-structured interview schedule was used to collect the data. Data collection ended when data saturation was reached. Thematic analysis was applied. Results: Findings showed that employees within the insurance industry have knowledge of their information security management approach and can specify details about it. The main factor for adopting the approach was necessity, both from a regulatory perspective and from “a need to conduct business” perspective. The main reason for non-certification was cost, and the main regulations adopted were Solvency II and DORA. Conclusion: The insurance industry is highly regulated, with multiple approaches that may be adopted for information security. Although participants were aware of some regulation, all cited DORA as the main regulation that was adopted, and they feel that they are soon to be ready for when it comes into effect. |
| Description: | M.Sc.(Melit.) |
| URI: | https://www.um.edu.mt/library/oar/handle/123456789/130605 |
| Appears in Collections: | Dissertations - FacEma - 2024; Dissertations - FacEMAIns - 2024 |
Files in This Item:
| File | Description | Size | Format |
|---|---|---|---|
| 2418EMAEMA592200006032_1.PDF | | 1.07 MB | Adobe PDF |
Items in OAR@UM are protected by copyright, with all rights reserved, unless otherwise indicated.
