On 9 October 2018, Insurance Europe (the European federation of insurers), FERMA (the European federation of risk managers) together with BIPAR have prepared a brochure called Preparing for Cyber Insurance creating awareness on the risk management and the possible insurance solutions for cyber risks. More on the subject here.
Background
In September 2017 the Commission adopted a cyber security package containing a series of initiatives to further improve EU cyber-resilience, deterrence and defence. The package included the creation of an EU Cybersecurity Agency based on the existing European Agency for Network and Information Security (ENISA) and the implementation of a voluntary EU-wide certification scheme to ensure that products and services are cyber secure.
Mariya Gabriel, Commissioner for the Digital Economy and Society, said: "We need to build on the trust of our citizens and businesses in the digital world, especially at a time when large-scale cyber-attacks are becoming more and more common. I want high cyber security standards to become the new competitive advantage of our companies."
EU Cybersecurity Act & EU Cybersecurity Agency
The European Commission, the European Parliament and the Council of the EU reached an agreement on the final text of this Regulation in early 2019. The Regulation was published in the Official Journal of the EU and has started to apply.
The Regulation sets up European cybersecurity certification schemes for specific ICT (Information and Communication Technology) processes, products, and services and it upgrades the current ENISA into a permanent EU Agency for Cybersecurity. European cybersecurity certification schemes are intended to help harmonise cybersecurity practices within the Union in order to increase security against cyber threats. In particular:
Furthermore, ENISA will be a centre of expertise on cybersecurity and will have more human and financial resources. It will support EU policy on cybersecurity and play a central role in the establishment and maintenance of certification schemes with the expert assistance and close cooperation of national certification authorities and industry. ENISA will set up a website providing information on certificates and will organise regular EU-level cybersecurity exercises, including a large-scale comprehensive exercise once every two years.
Other Cybersecurity Initiatives
ENISA's tasks will be complemented by the new European Cybersecurity Industrial, Technology and Research Centre the activities of which should not duplicate those of ENISA. The Commission’s proposal adopted in September 2018 provides that the aim of this Centre will be to establish a top knowledge base for cybersecurity. Its task will be to enhance the coordination of research and innovation in the field of cybersecurity. It will also be the EU's main instrument to pool investment in cybersecurity research, technology and industrial development.The Centre will be established for the period of 1 January 2021 to 31 December 2029. After that date, it will be wound up, unless decided otherwise.
As a further step of reinforcing EU cybersecurity capability, the establishment of a Network of Cybersecurity Competence Centres is envisaged. This network will consist of National Coordination Centres designated by Member States. The national Centres will either possess or have access to technological expertise in cybersecurity, for example, in areas such as cryptography, intrusion detection or human aspects of security.
A third structure will be also created, the Cybersecurity Competence Community, which will bring together the main stakeholders (including, among others, industry, academic and non-profit research organisations and public entities) to enhance and spread cybersecurity expertise across the EU.
ESAs Advice on the costs and benefits of a coherent cyber resilience testing framework
As a follow-up to the European Commission in its March 2018 FinTech Action Plan, the ESAs published in April 2019 a Joint Advice on the costs and benefits of a coherent cyber resilience testing framework for significant market participants and infrastructures within the EU financial sector.
The ESAs see clear benefits of such a framework. However, the ESAs assessment demonstrated the existence of fragmentation in the scope, granularity and specificity of ICT and security/cyber security provisions across the EU financial services legislation. In the short term, the ESAs advised the Commission to focus on achieving a minimum level of cyber-resilience across the sectors, proportionate to the needs and characteristics of the relevant entities. Furthermore, the ESAs propose to establish on a voluntary basis an EU wide coherent testing framework together with other relevant authorities, taking into account existing initiatives, and with a focus on Threat Led Penetration Testing. In the long term, the ESAs aim to ensure a sufficient cyber maturity level of identified cross-sector entities.
Commission consultation on digital resilience for financial services and crypto-assets
On 19 December 2019, the European Commission launched two public consultations:
Considering that the financial sector is the largest user of information and communications technology (ICT) in the world and that this dependence will further increase with the growing use of emerging models, concepts or technologies, the operational resilience -and the cyber resilience- of the sector hinges to a large extent on ICT, as it may become vulnerable to cyber-attacks. Furthermore, crypto-assets are one of the major applications of blockchain for finance. Crypto-assets are commonly defined as a type of private assets that depend primarily on cryptography and distributed ledger technology as part of their inherent value.
The aim of the consultation on digital operational resilience, to which BIPAR contributed, is to inform the Commission on the development of a potential EU cross-sectoral digital operational resilience framework in the area of financial services. The Commission is now working to present a legislative proposal in Q3 2020, to strengthen the digital operational resilience of the EU financial sector entities. The Commission’s intentions is to streamline and upgrade existing rules and bringing in new requirements where there are gaps.
The consultation on crypto-assets aims to inform the Commission’s ongoing work in this respect: (i) for crypto-assets that are covered by EU rules by virtue of qualifying as financial instruments under the MiFID II - or as electronic money/e-money under the Electronic Money Directive, the Commission will assess where the EU legislation can be effectively applied, ii) for crypto-assets that are currently not covered by the EU legislation, the Commission is considering a possible proportionate common regulatory approach at EU level.
BIPAR also participated to the webinar organised by the Commission (DG FISMA) on 19 May 2020 in the context of the consultation on digital operational resilience for financial services and of the Digital Finance Strategy in general.
Cyber Insurance & EIOPA
EIOPA published in August 2018 its Report "Understanding Cyber Insurance - A Structured Dialogue with Insurance Companies". The Report provides insights -based on a survey among (re)insurance groups- on the functioning, growth potential, challenges and risks of cyber insurance in Europe in the context of the expected growing importance of cyber insurance in the portfolios of (re)insurers. EIOPA explains that cyber risk is a growing concern for institutions, individuals, and financial markets. The increasing number of cyber incidents, the continued digital transformation and new regulatory initiatives in the European Union are expected to raise awareness and to boost the demand for cyber insurance. In short, the Report found that:
As a follow up to the dialogue with the insurance industry which resulted in this EIOPA Report, EIOPA organised a workshop on cyber insurance in April 2019 in which BIPAR participated. More than 100 representatives from the industry, consumers, regulators, think tanks and other stakeholders also participated. The key messages resulted from the discussion are:
Furthermore, in September 2019 EIOPA published its Report on "Cyber Risk for Insurers – Challenges and Opportunities". The Report states that insurers play a key role in enabling transformation to the digital economy. Increased use of big data and cloud computing make insurers increasingly susceptible to cyber threats, considering the amount of confidential policyholder information insurers are possessing. The report further identified the most common cyber threats faced by insurers and concluded that a common set of definitions on cyber risks would enhance the cyber resilience of the insurance sector. Further actions could be streamlining of the cyber incident reporting frameworks by creating an EU-wide database.
BIPAR is monitoring developments related to cyber security and cyber insurance at EU level. The increased digitalisation in our sector increases the extent of cyber-attacks and their impact, and the fact that small and medium-sized businesses are increasingly exposed to cyber risks, dictates the need for good cyber security practices. Insurance intermediaries have an important role to play in this respect.
In October 2018 BIPAR prepared together with Insurance Europe (the European federation of insurers) and FERMA (the European federation of risk managers) the brochure “Preparing for cyber insurance” with the aim of creating awareness on risk management and possible insurance solutions for cyber risks.
- Published on June 2020 -