What are the EU guidelines on ICT security and governance for insurers?
by Anastasios Arampatzis
On 12 October 2020, the European Insurance and Occupational Pensions Authority (EIOPA) issued its Guidelines on Information and Communication Technology Security and Governance (“the Guidelines”). The Guidelines will come into force on 1 July 2021 and shall apply to both individual undertakings and mutatis mutandis at the group level.
The increasing complexity of ICT and the frequency of incidents such as cyber-attacks mean that the management of ICT issues needs to be integrated into the governance and risk-management measures of insurance and reinsurance undertakings. The increased reliance of insurance services and undertakings on ICT, coupled with the accelerated digitalization during the COVID-19 pandemic, has left the insurance sector more exposed to information security incidents and cyber-attacks.
The Solvency II Directive (2009/138/EC) requires that insurers and reinsurers have in place effective systems of governance. This includes systems in respect of IT security. EIOPA has developed its guidance on information and communication technology (ICT) security as part of the European Commission’s FinTech Action Plan and in accordance with Article 16 of Regulation (EU) No 1094/2010.
Objective of the Guidelines
These Guidelines provide guidance to national supervisory authorities and market participants on how the regulatory requirements on operational risk apply to ICT security and governance, taking into account EIOPA’s Guidelines on System of Governance.
The objective of the Guidelines is to increase the operational resilience of the digital operations of insurance and reinsurance undertakings against the risks they face. Operational resilience is key to protecting undertakings’ digital assets, including their systems and the data of policyholders and beneficiaries. In particular, the Guidelines:
- Provide clear requirements for the minimum expected information security practices.
- Provide compliance guidance.
- Harmonize the ICT security requirements in relation to supervisory governance processes.
Overview of the Guidelines
The EIOPA Guidelines cover 25 topics, each containing a set of specific requirements, which can be grouped into seven areas:
- Governance and strategy – establish governance to effectively support the ICT strategy.
- ICT and security risk management – ensure ICT and security risks are identified and addressed appropriately.
- ICT operations management – implement efficient and controlled ICT operations processes.
- Information security – protect the confidentiality, integrity and availability of business and customer data.
- ICT project and change management – manage projects and changes effectively to meet business and security objectives.
- Business continuity management – sustain business operations and processes even under unforeseen circumstances (e.g., cyber-attacks).
- Outsourcing – protect outsourced IT services adequately.
An ICT strategy should be set as part of the overall governance system of the business. A written information security policy should outline high-level principles and rules. An information security function should be established within the business. The guidelines set out requirements for logical, physical and operational security as well as measures to ensure that security is reviewed and monitored regularly. The guidelines require that insurers and reinsurers establish an ICT incident and problem management process to help ensure that critical business functions can be maintained (or resumed) after security incidents.
The Guidelines address the following key aspects:
- Mitigation and management of ICT risks: The Guidelines set expectations on how undertakings should mitigate and manage ICT security and governance risks.
- Principle of proportionality: Undertakings should apply the Guidelines in a manner that is proportionate to the nature, scale and complexity of the risks inherent in their business.
- Rely on recognised standards and leading practices: In implementing the Guidelines, undertakings may refer to the most appropriate established standards and leading best practices.
- Responsibilities of the management body and risk management: The Guidelines focus on the responsibilities of the administrative, management or supervisory body and risk management.
- To be read in conjunction with other directives/regulations/guidelines: The Guidelines should be read in conjunction with the Solvency II Directive, the Delegated Regulation, EIOPA’s Guidelines on System of Governance and EIOPA’s Guidelines on Outsourcing to Cloud Service Providers.
Implementation of the Guidelines
Implementing the Guidelines will help ensure that insurance and reinsurance undertakings are prepared and capable of preventing and handling information security incidents and cyber-attacks by managing their ICT- and governance-related risks.
Under the Guidelines, boards of insurance and reinsurance companies should ensure that systems of governance adequately manage undertakings’ ICT and security risks. The board should ensure that there are sufficiently well-qualified staff to manage ICT risks and should allocate adequate resources to fulfilling these obligations.
Competent authorities and undertakings must make every effort to comply with the Guidelines. Accordingly, undertakings should incorporate the Guidelines into their internal governance and control framework, while competent authorities should incorporate them into their supervisory framework.
Competent authorities are obliged to inform EIOPA of their compliance status within two months of the issuance of the translated versions of the Guidelines. In the event of non-compliance, competent authorities must provide their reasons to EIOPA within the same timeframe. If EIOPA has not received any communication from a competent authority by this deadline, EIOPA will consider that authority non-compliant and take further action.
Although insurance and reinsurance companies can undertake a self-assessment to evaluate their compliance readiness, it is advisable to seek the assistance of experts in GRC and Assurance. ADACOM has established its own GRC & Assurance Services portfolio based on Information Resilience, which goes beyond traditional Information & Digital Security models and is supported by a dedicated implementation framework.
We follow a holistic approach towards protecting all types of sensitive information, in all phases of the information lifecycle and across all business verticals, regardless of the underlying business and technology ecosystem. Our aim is to maximize the resilience of critical business information and keep information trustworthy even when the organization is under stress.
To learn how we can help you, contact our experts.