Insurers and reinsurers need to ready themselves for implementation of EIOPA guidelines on information and communication technology security and governance
Reading time: 4 mins
The European Insurance and Occupational Pensions Authority (‘EIOPA’) has published its finalised “Guidelines on Information and Communication Technology Security and Governance” (12 Oct 2020).
Addressed to the supervisory authorities, the Guidelines provide direction on how insurance and reinsurance undertakings should apply the type of information and communication technology security and governance requirements envisaged under Solvency II.
The publication of the Guidelines follows the completion of a stakeholder consultation process that concluded in March 2020. The new Guidelines will apply from 1 July 2021.
The publication consists of 25 core guidelines which, according to EIOPA, aim to “promote the increase of operational resilience of the digital operations of insurance and reinsurance undertakings against the risks they face”.
In the midst of a global pandemic, we are witnessing an increased dependence on ICT systems, across all industries. It is clear that the insurance sector (and indeed wider society) is experiencing digitalisation at an intensified pace and this is mirrored by a steady increase in ICT related incidents, such as cyber-attacks. The accelerated adoption of technology has also increased the rate of development of firms within InsurTech. The adoption of the EIOPA guidelines aim to provide for a uniform and consistent approach towards ICT security and governance requirements by insurers.
According to EIOPA, the Guidelines will:
- Provide clarification and transparency to market participants on the minimum expected information and cyber security capabilities, i.e. security baseline;
- Avoid potential regulatory arbitrage;
- Foster supervisory convergence regarding the expectations and processes applicable in relation to ICT security and governance, as a key to proper ICT and security risk management.
Under Guideline 2, the Board and Management of an insurer will be responsible for ensuring that the system of governance adequately manages the firm’s ICT and security risks. The Guidelines also require that the Board and Management ensure that there is a sufficient level of staff and also that staff are qualified to manage ICT risks and to assess ICT operational needs. The Guidelines require that the Board and Management be supported by an information security function, with the responsibilities assigned to a designated person.
The importance of a firm’s ICT strategy is also highlighted in the Guidelines - Guideline 3 requires that insurance and reinsurance companies have a written ICT strategy in place, as part of their overall risk management system, which aligns with the firm’s overall business strategy. It is the responsibility of each firm to ensure that the ICT strategy is adopted, implemented and reviewed on a regular basis.
Under the Guideline 6, firms will be expected to establish a written information security policy which clearly sets out the main roles and responsibilities for information security management and sets out the requirements for staff. It is expected that the information security policy will inform staff that they have individual responsibility in maintaining the information security of the firm.
Guideline 7 requires that, subject to the proportionality principle, firms will be required to establish an information security function, with the responsibilities assigned to a designated person. According to the Guidelines, this function should be segregated from ICT development and operations processes.
Guidelines (8 to 10) specifically deal with “logical security”, “physical security”, “ICT operations security” and outline protection requirements and procedures in respect of each. Pursuant to Guideline 11, firms will be required to undertake ongoing security monitoring as well as information security reviews, assessment and testing.
Guideline 14 requires that insurance and re-insurance companies will be required to ensure that their data and ICT system backups are stored in one or more locations, outside the sphere of their primary site. Under Guideline 15, firms will be required to establish an incident and problem management process to monitor and record any adverse events and enable timely recovery.
There is a requirement under Guideline 18 that any changes to a firm’s ICT systems be recorded, assessed, tested, approved, authorised and implemented in a controlled manner. Guideline 20 requires that, as part of a sound business continuity management, firms should conduct a business impact analysis to assess the level of exposure to severe business disruptions and their potential impact, quantitatively and qualitatively, using internal and/or external data and scenario analysis. There is also a requirement (under Guideline 21) that the overall Business Continuity Plans (“BCPs”) of firms should consider material risks that could adversely impact ICT systems and ICT services.
Guideline 22 introduces a requirement for firms to develop response and recovery plans that specify the actions to be taken to ensure the integrity, availability, continuity and recovery of, at a minimum, the firm’s critical ICT systems, ICT services and data. Firms are required, under Guideline 23, to test their BCPs, and ensure that the operation of their critical business processes and activities, and ICT assets are regularly tested. The Guidelines also require that the BCPs be updated regularly, based on testing results, current threat intelligence and lessons learned from previous events.
Finally, it should be noted that under the Guidelines, where a firm decides to outsource their ICT services and ICT systems, the firm itself is obliged to ensure that there is full compliance with the relevant requirements. Guideline 25 also requires that in circumstances where the performance of a critical or important function has been outsourced, firms should ensure that contractual obligations of the service provider address certain matters that are spelled out in the Guidelines.
Helpfully, for smaller firms, EIOPA has requested that when competent authorities are supervising compliance with the Guidelines, that they take into account the principle of proportionality, such that governance arrangements (including those related to ICT security and governance) are proportionate to the nature, scale and complexity of the corresponding risks those firms may face.
Insurers and reinsurers now have several months to ready themselves so as to be fully complaint with the EIOPA Guidelines by July 2021. Once the Guidelines become effective, firms can expect that, as part of its supervisory activities, the Central Bank of Ireland will be assessing the extent to which insurers are achieving compliance.
A copy of the EIOPA Guidelines are available at this link: