Cyber security

On 9 October 2018, Insurance Europe (the European federation of insurers) and FERMA (the European federation of risk managers), together with BIPAR, published a brochure, "Preparing for Cyber Insurance", to raise awareness of the risk management of cyber risks and of the insurance solutions available for them.

Background

In September 2017 the Commission adopted a cyber security package containing a series of initiatives to further improve EU cyber-resilience, deterrence and defence. The package included the creation of an EU Cybersecurity Agency based on the existing European Agency for Network and Information Security (ENISA) and the implementation of a voluntary EU-wide certification scheme to ensure that products and services are cyber secure.

Mariya Gabriel, Commissioner for the Digital Economy and Society, said: "We need to build on the trust of our citizens and businesses in the digital world, especially at a time when large-scale cyber-attacks are becoming more and more common. I want high cyber security standards to become the new competitive advantage of our companies."

EU Cybersecurity Act & EU Cybersecurity Agency

The European Commission, the European Parliament and the Council of the EU reached agreement on the final text of this Regulation (the Cybersecurity Act, Regulation (EU) 2019/881) in early 2019. The Regulation was published in the Official Journal of the EU in June 2019 and has started to apply.

The Regulation sets up European cybersecurity certification schemes for specific ICT (Information and Communication Technology) processes, products, and services and it upgrades the current ENISA into a permanent EU Agency for Cybersecurity. European cybersecurity certification schemes are intended to help harmonise cybersecurity practices within the Union in order to increase security against cyber threats. In particular:

  • The EU certification schemes will be adopted by the Commission and implemented and supervised by national cybersecurity certification authorities. Certification will be voluntary unless otherwise specified in EU law or Member States' law.
  • Certificates issued under the schemes will attest that a given ICT product/service/process has been evaluated for compliance with specific security requirements and they will be valid in all EU countries. The actual certification schemes will be built on what already exists at international, European and national level.
  • Each European cybersecurity certificate may specify one of three assurance levels: “basic”, “substantial” and “high”. The assurance level indicates the rigour and depth of the evaluation that the ICT product, service or process has undergone (it measures the level of evaluation, not how secure the product is) and is characterised by reference to technical specifications and standards whose purpose is to mitigate or prevent cyber incidents.
  • Manufacturers or service providers may carry out the conformity assessment themselves, but the resulting EU statement of conformity (which is not a certificate) can only refer to the “basic” assurance level.

Furthermore, ENISA will be a centre of expertise on cybersecurity and will have more human and financial resources. It will support EU policy on cybersecurity and play a central role in the establishment and maintenance of certification schemes with the expert assistance and close cooperation of national certification authorities and industry. ENISA will set up a website providing information on certificates and will organise regular EU-level cybersecurity exercises, including a large-scale comprehensive exercise once every two years.

Other Cybersecurity Initiatives

ENISA's tasks will be complemented by the new European Cybersecurity Industrial, Technology and Research Competence Centre, whose activities should not duplicate those of ENISA. The Commission’s proposal, adopted in September 2018, provides that the aim of this Centre will be to build a leading knowledge base for cybersecurity. Its task will be to enhance the coordination of research and innovation in the field of cybersecurity. It will also be the EU's main instrument to pool investment in cybersecurity research, technology and industrial development. The Centre will be established for the period from 1 January 2021 to 31 December 2029. After that date, it will be wound up unless decided otherwise.

As a further step of reinforcing EU cybersecurity capability, the establishment of a Network of Cybersecurity Competence Centres is envisaged. This network will consist of National Coordination Centres designated by Member States. The national Centres will either possess or have access to technological expertise in cybersecurity, for example, in areas such as cryptography, intrusion detection or human aspects of security.

A third structure will be also created, the Cybersecurity Competence Community, which will bring together the main stakeholders (including, among others, industry, academic and non-profit research organisations and public entities) to enhance and spread cybersecurity expertise across the EU.

ESAs Advice on the costs and benefits of a coherent cyber resilience testing framework

As a follow-up to the European Commission's March 2018 FinTech Action Plan, the ESAs (the European Supervisory Authorities: EBA, EIOPA and ESMA) published in April 2019 a Joint Advice on the costs and benefits of a coherent cyber resilience testing framework for significant market participants and infrastructures within the EU financial sector.

The ESAs see clear benefits in such a framework. However, the ESAs' assessment demonstrated fragmentation in the scope, granularity and specificity of ICT and security/cyber security provisions across EU financial services legislation. In the short term, the ESAs advised the Commission to focus on achieving a minimum level of cyber-resilience across the sectors, proportionate to the needs and characteristics of the relevant entities. Furthermore, the ESAs propose to establish, on a voluntary basis and together with other relevant authorities, an EU-wide coherent testing framework, taking into account existing initiatives and focusing on Threat Led Penetration Testing (TLPT). TLPT differs from a conventional penetration test in that the scope, targets and attack scenarios are derived from threat intelligence specific to the tested entity, so that the exercise mimics the tactics of real adversaries against the entity's live systems. In the long term, the ESAs aim to ensure a sufficient level of cyber maturity among identified cross-sector entities.

Commission consultation on digital resilience for financial services and crypto-assets

On 19 December 2019, the European Commission launched two public consultations:

  1. on the digital operational resilience in the area of financial services; and
  2. on an EU framework for markets in crypto-assets.

The financial sector is the largest user of information and communications technology (ICT) in the world, and this dependence will increase further with the growing use of emerging models, concepts and technologies. The operational resilience, and in particular the cyber resilience, of the sector therefore hinges to a large extent on ICT, which exposes the sector to cyber-attacks. Crypto-assets, for their part, are one of the major applications of blockchain in finance. They are commonly defined as a type of private asset that depends primarily on cryptography and distributed ledger technology as part of its inherent value.

The aim of the consultation on digital operational resilience, to which BIPAR contributed, is to inform the Commission on the development of a potential EU cross-sectoral digital operational resilience framework in the area of financial services. The Commission is now working to present a legislative proposal in Q3 2020 to strengthen the digital operational resilience of EU financial sector entities. The Commission’s intention is to streamline and upgrade existing rules and to bring in new requirements where there are gaps.

The consultation on crypto-assets aims to inform the Commission’s ongoing work in this respect: (i) for crypto-assets that are already covered by EU rules by virtue of qualifying as financial instruments under MiFID II or as electronic money (e-money) under the Electronic Money Directive, the Commission will assess where the existing EU legislation can be effectively applied; (ii) for crypto-assets that are currently not covered by EU legislation, the Commission is considering a possible proportionate common regulatory approach at EU level.

BIPAR also participated in the webinar organised by the Commission (DG FISMA) on 19 May 2020 in the context of the consultation on digital operational resilience for financial services and of the Digital Finance Strategy in general.

Cyber Insurance & EIOPA

EIOPA published in August 2018 its Report "Understanding Cyber Insurance - A Structured Dialogue with Insurance Companies". The Report provides insights, based on a survey among (re)insurance groups, into the functioning, growth potential, challenges and risks of cyber insurance in Europe, in the context of the expected growing importance of cyber insurance in the portfolios of (re)insurers. EIOPA explains that cyber risk is a growing concern for institutions, individuals and financial markets. The increasing number of cyber incidents, the continued digital transformation and new regulatory initiatives in the European Union are expected to raise awareness and to boost the demand for cyber insurance. In short, the Report found that:

  • There is a clear need for a deeper understanding of cyber risk, both on the supply and demand side, in order for the European cyber insurance industry to develop further. This relates not only to the assessment and treatment of risks in new cyber insurance propositions, but also to the understanding of clients’ own needs.
  • In terms of products and services, coverage is mainly focused on commercial business. However, interest in providing cyber insurance for individuals is increasing as technologies such as the Internet of Things (IoT) develop and consumers become increasingly exposed to the disruption or compromise of digital services.
  • Lack of specialised underwriters, data and quantitative tools are key obstacles to the development of the industry and the provision to the economy of proper coverage.
  • The industry would moderately welcome regulation, as it could help to address some of the identified challenges, notwithstanding the need for compliance with the Solvency II Directive.
  • There is a clear need to address silent cyber risk in traditional policies and to remove contractual uncertainty. Silent (or non-affirmative) cyber risk arises where a traditional policy, such as property or liability cover, neither explicitly includes nor explicitly excludes cyber-related losses, so that the insurer may be exposed to cyber claims it never priced for.
  • Regulators could act as enablers by setting clear standards on cyber security and cyber risk aligned with the needs of SMEs and help raise awareness.
  • A “Cyber” database with anonymised data on cyber incidents, based on common definitions to facilitate data collection and data sharing, should be considered.

As a follow-up to the dialogue with the insurance industry that resulted in this EIOPA Report, EIOPA organised a workshop on cyber insurance in April 2019 in which BIPAR participated. More than 100 representatives from the industry, consumers, regulators, think tanks and other stakeholders also took part. The key messages resulting from the discussion are:

Furthermore, in September 2019 EIOPA published its Report on "Cyber Risk for Insurers – Challenges and Opportunities". The Report states that insurers play a key role in enabling the transformation to the digital economy. The increased use of big data and cloud computing makes insurers increasingly susceptible to cyber threats, given the amount of confidential policyholder information they hold. The Report further identified the most common cyber threats faced by insurers and concluded that a common set of definitions of cyber risks would enhance the cyber resilience of the insurance sector. A further action could be to streamline cyber incident reporting frameworks by creating an EU-wide incident database.

BIPAR is monitoring developments related to cyber security and cyber insurance at EU level. The increased digitalisation of our sector widens the exposure to cyber-attacks and increases their impact, and the fact that small and medium-sized businesses are increasingly exposed to cyber risks dictates the need for good cyber security practices. Insurance intermediaries have an important role to play in this respect.


- Published in June 2020 -
