← Frameworks / Insurance Market

Lloyd's Minimum Standards — Cyber and IT Security

Mandatory minimum standards for all managing agents operating in the Lloyd's market. Covers IT governance and strategy, information security policy, risk assessment, access control, application security, change management, business continuity and disaster recovery, network security, data protection and classification, incident management, third-party and outsourcing risk, and security monitoring. Compliance assessed through Lloyd's annual oversight process.

Clauses: 32

Avg Coverage: 69.3%

Publisher: Lloyd's of London Version: 2024

Lloyd's Minimum Standards → SP 800-53 SP 800-53 → Lloyd's Minimum Standards Coverage Analysis

Clause	Title	SP 800-53 Controls
BP2.1	Blueprint Two — Digital Platform Requirements	SA-03 SA-04 SA-08 SA-11 SA-17 SC-08 SC-12 SC-13 SC-23 IA-08 IA-12 AC-24
BP2.2	Blueprint Two — Data Standards and Crystal Messaging	AC-04 CM-13 SC-08 SC-16 SI-10 SI-12 SA-09
CRM.1	Lloyd's Cyber Risk Management — Cyber Governance	PM-01 PM-02 PM-09 PM-29 PL-09 PS-09 AT-03
CRM.2	Lloyd's Cyber Risk Management — Threat Assessment and Intelligence	PM-16 RA-03 RA-05 RA-10 SI-05 PM-15
CRM.3	Lloyd's Cyber Risk Management — Incident Response and Recovery	IR-01 IR-02 IR-03 IR-04 IR-06 IR-08 CP-02 CP-04 CP-10
GOV.1	Board Oversight and Senior Management Accountability	PM-01 PM-02 PM-29 PS-09 PM-09 PL-09
MS1.1	Underwriting Systems and Data Quality	CM-08 CM-12 CM-13 SA-03 SA-08 SI-01 SI-10 SI-12 AC-03 AC-06
MS2.1	Claims Systems and Fraud Detection	AC-03 AC-05 AU-02 AU-06 AU-12 CM-12 SI-04 SI-10 SI-12 PM-12
MS5.1	Financial Systems and Reporting Integrity	AC-03 AC-05 AC-06 AU-02 AU-06 AU-10 CM-03 CM-05 SI-10 SI-12
MS6.1	Reinsurance Systems and Data Exchange	AC-03 AC-04 AC-20 CM-12 CM-13 SA-09 SC-08 SC-16 SI-10 SI-12
MS7.1	Regulatory Compliance and Data Protection	PT-01 PT-02 PT-03 PT-04 PT-05 PT-06 PT-07 PT-08 PM-18 PM-20 PM-25 PM-26 SI-12 AC-16
MS8.1	IT Governance and Strategy	PM-01 PM-02 PM-09 PM-29 PL-01 PL-02 PL-09 SA-02 PS-09
MS8.2	Information Security Policy and Standards	AC-01 AT-01 AU-01 CA-01 CM-01 CP-01 IA-01 IR-01 MA-01 MP-01 PE-01 PL-01 PM-01 PS-01 PT-01 RA-01 SA-01 SC-01 SI-01 SR-01
MS8.3	Access Management and Identity Controls	AC-02 AC-03 AC-05 AC-06 AC-07 AC-08 AC-10 AC-11 AC-12 AC-14 AC-17 AC-19 AC-20 AC-24 AC-25 IA-01 IA-02 IA-04 IA-05 IA-08 IA-12 PS-04 PS-05
MS8.4	Change Management	CM-02 CM-03 CM-04 CM-05 CM-06 CM-07 CM-08 CM-09 CM-10 CM-11 CM-14 SA-10 SA-11 SI-02 SI-07
MS8.5	Incident Management and Cyber Response	IR-01 IR-02 IR-03 IR-04 IR-05 IR-06 IR-07 IR-08 IR-09 AU-06 SI-04 SI-05
MS8.6	Business Continuity and Disaster Recovery	CP-01 CP-02 CP-03 CP-04 CP-06 CP-07 CP-08 CP-09 CP-10 CP-12 CP-13 SC-24 SI-17
MS8.7	Data Management and Quality	CM-12 CM-13 MP-02 MP-03 MP-04 MP-05 MP-06 SI-12 AC-16 PT-03 PT-04 PT-05
MS8.8	Third Party and Outsourcing Management	SA-04 SA-09 SR-04 SA-21 SR-01 SR-02 SR-03 SR-05 SR-06 SR-08 SR-10 PS-07
MS8.9	Cyber Security — Network and Perimeter Defence	AC-04 AC-17 AC-18 CA-03 SC-05 SC-07 SC-08 SC-20 SC-21 SC-22 SC-46 SC-47
MS8.10	Cyber Security — Endpoint and Malware Protection	SC-18 SI-03 SI-04 SI-07 SI-08 SI-16 CM-07 CM-11 SC-44
MS8.11	Cyber Security — Vulnerability Management and Patching	RA-03 RA-05 RA-07 SI-02 SI-05 SA-11 CA-08
MS8.12	Cyber Security — Security Monitoring and Logging	AU-02 AU-03 AU-04 AU-05 AU-06 AU-07 AU-08 AU-09 AU-10 AU-11 AU-12 AU-13 AU-14 CA-07 SI-04
MS8.13	Cyber Security — Awareness and Training	AT-01 AT-02 AT-03 AT-04 AT-05 AT-06 PL-04 PM-13 PM-14
MS9.1	Operational Resilience — Important Business Services	PM-08 PM-11 CP-02 CM-12 CM-13 RA-09
MS9.2	Operational Resilience — Scenario Testing and Exercising	CP-04 IR-03 PM-14 CA-08 CP-03
MS9.3	Operational Resilience — Third Party Dependencies and Concentration Risk	SA-09 SR-01 SR-02 SR-03 RA-09 CM-08
MS10.1	Enterprise Risk Management Framework	PM-01 PM-09 PM-28 PM-29 PM-30 PM-31 PM-32 RA-01 RA-03 RA-07
MS10.2	Operational Risk Management — IT Risk	PM-09 RA-01 RA-02 RA-03 RA-05 RA-07 RA-09 RA-10 CA-02 CA-07
MS13.1	Delegated Authority — MGA Oversight and System Integration	AC-20 CA-03 SA-04 SA-09 SR-01 SR-02 SR-06 SR-08 CM-12 CM-13 PS-07
MS13.2	Delegated Authority — Data Flows and Reporting	AC-04 CM-13 SC-08 SI-10 SI-12 AU-02 AU-11
PHYS.1	Physical Security and Environmental Controls	PE-01 PE-02 PE-03 PE-04 PE-05 PE-06 PE-08 PE-09 PE-10 PE-11 PE-12 PE-13 PE-14 PE-15 PE-16 PE-17 PE-18 PE-19 PE-20 PE-21 PE-22 PE-23