The European Insurance and Occupational Pensions Authority (EIOPA) has published guidance on information and communication technology security governance.
The Solvency II Directive (2009/138/EC) requires that insurers and reinsurers have in place effective systems of governance. This includes systems in respect of IT security. EIOPA has developed its guidance on information and communication technology (ICT) security as part of the European Commission’s FinTech Action Plan. The increasing complexity of ICT and frequency of incidents such as cyber-attacks means that management of ICT issues needs to be integrated into the governance and risk-management measures of insurance and reinsurance undertakings.
In publishing these guidelines, EIOPA seeks to clarify for insurers and reinsurers the minimum requirements for information and cyber security, to avoid potential regulatory arbitrage in the field of risk management, and to foster supervisory convergence in relation to ICT security and governance.
Under the guidelines, boards of insurance and reinsurance companies should ensure that systems of governance adequately manage undertakings’ ICT and security risks. The board should ensure that there are sufficiently well-qualified staff to manage ICT risks and should allocate adequate resources to fulfilling these obligations.
An ICT strategy should be set as part of the overall governance system of the business. A written information security policy should outline high-level principles and rules. An information security function should be established within the business. The guidelines set out requirements for logical, physical and operational security as well as measures to ensure that security is reviewed and monitored regularly. The guidelines require that insurers and reinsurers establish an ICT incident and problem management process to help ensure that critical business functions can be maintained (or resumed) after security incidents.