Cyber security

On 9 October 2018, Insurance Europe (the European federation of insurers) and FERMA (the European federation of risk managers), together with BIPAR, published a brochure called Preparing for Cyber Insurance, which raises awareness of the risk management of cyber risks and of the insurance solutions available for them.

Cyber security

Cyber security was identified in the Commission's digital single market mid-term review of May 2017, as one of the key areas for further work in the years to come. On 13 September 2017 the Commission adopted a cyber security package which builds upon existing instruments, but also presents new initiatives to improve EU cyber resilience and response.

The strategy announced is based on three pillars:

  1. Resilience with, firstly, the creation of an EU Cyber security Agency based on the existing European Agency for Network and Information Security (ENISA). The Agency will “be given a permanent mandate to assist Member States in effectively preventing and responding to cyber-attacks. It will help implement the Directive on the Security of Network and Information Systems (NIS Directive) which contains reporting obligations to national authorities in case of serious incidents”. Secondly, the initiative includes the implementation of an EU-wide certification scheme (Cyber security Act) to ensure that products and services are cyber secure.
  2. Deterrence with the creation in 2018 of a European Cyber security Research and Competence Centre and of new procedures to help the EU and Member States to respond quickly.
  3. Defence, through a criminal law response: a proposal for a Directive aimed at combatting fraud and the counterfeiting of non-cash means of payment, and a proposal regarding cross-border access to electronic evidence.

The NIS Directive lays down security obligations for operators of “essential services” (in critical sectors such as energy, transport, health and banking) and for digital service providers (online marketplaces, search engines and cloud services), including obligations to adopt risk management practices and to report significant cyber incidents. Each EU country will also be required to designate one or more national authorities and to establish a strategy for dealing with cyber threats.


Member states had until May 2018 to transpose the cyber security strategy into national law and by December 2018 they should identify operators of essential services.

The European Parliament and the Council of the EU have adopted their positions on the Commission’s proposal for an EU-wide cyber security certification scheme and an EU Cyber security Agency, and they will enter into negotiations to agree on the final text under the trilogue procedure.

The proposed rules provide for an EU cybersecurity scheme that will certify that an ICT (Information and Communication Technology) product, process or service has no known vulnerabilities at the time of the certification’s release and that it complies with international standards and technical specifications. Further, the proposed rules opt for a larger budget, more staff and a permanent mandate to the existing European Agency for Network and Information Security (ENISA), with its headquarters in Heraklion and offices in Athens. ENISA will become the reference point on the cybersecurity certification scheme.

BIPAR’s views and actions

BIPAR is monitoring the developments related to cyber security at EU level. The increased digitalisation of our sector increases both the number of cyber-attacks and their impact, and the fact that small and medium-sized businesses are increasingly exposed to cyber risks dictates the need for good cyber security practices. Insurance intermediaries have an important role to play in this respect.

BIPAR has informed its members about a number of initiatives on cyber security and cyber insurance taken by some national associations to increase cyber resilience, as well as about a guide prepared by ENISA for organisations seeking to enhance their cyber security culture.

BIPAR will also continue to closely monitor the EU legislative procedure on cyber security.

Free flow of data

In its digital single market mid-term review of May 2017, the Commission also announced its work on the free flow of non-personal data as a prerequisite for a competitive data economy. On 13 September 2017, the Commission published a legislative proposal on the free flow of non-personal data in the European Union. This proposal completes the General Data Protection Regulation (GDPR) which provides for the free movement of personal data (i.e. any information relating to an identified or identifiable natural person). In particular, the proposal develops tools regarding:

  • The principle of free flow of non-personal data across borders: Member States cannot oblige organisations to locate the storage and/or processing of data within their borders unless there is a public security reason.
  • The principle of data availability for regulatory control: competent authorities will be able to exercise their rights of access to data wherever it is stored or processed in the EU.
  • The development of EU codes of conduct to remove obstacles to switching between service providers of cloud storage and to porting data back to users' own IT systems.

The two EU co-legislators, the EP and the Council, have entered into discussions to agree on the final text under the trilogue procedure.
