On 9 October 2018, Insurance Europe (the European federation of insurers), FERMA (the European federation of risk managers) and BIPAR prepared a brochure called "Preparing for Cyber Insurance", which raises awareness of risk management and the possible insurance solutions for cyber risks.
Cyber security was identified in the Commission's digital single market mid-term review of May 2017 as one of the key areas for further work in the years to come. On 13 September 2017, the Commission adopted a cyber security package which builds upon existing instruments but also presents new initiatives to improve EU cyber resilience and response.
The strategy announced is based on three pillars:
The NIS Directive lays down security obligations for operators of “essential services” (in critical sectors such as energy, transport, health and banking) and for digital service providers (online marketplaces, search engines and cloud services), including the obligation to adopt risk management practices and to report significant cyber incidents. Each EU country will also be required to designate one or more national authorities and to establish a strategy for dealing with cyber threats.
Member states had until May 2018 to transpose the cyber security strategy into national law and by December 2018 they should identify operators of essential services.
The European Parliament and the Council of the EU have adopted their position on the Commission’s proposal for an EU-wide cyber security certification scheme and an EU cyber security Agency and they will enter into negotiations to agree on the final text under the trilogue procedure.
The proposed rules provide for an EU cybersecurity scheme that will certify that an ICT (Information and Communication Technology) product, process or service has no known vulnerabilities at the time of the certification’s release and that it complies with international standards and technical specifications. Further, the proposed rules opt for a larger budget, more staff and a permanent mandate for the existing European Agency for Network and Information Security (ENISA), with its headquarters in Heraklion and offices in Athens. ENISA will become the reference point on the cybersecurity certification scheme.
BIPAR’s views and actions
BIPAR is monitoring the developments related to cyber security at EU level. The increased digitalisation in our sector increases the extent of cyber-attacks and their impact, and the fact that small and medium-sized businesses are increasingly exposed to cyber risks dictates the need for good cyber security practices. Insurance intermediaries have an important role to play in this respect.
BIPAR has informed its members of a number of initiatives on cyber security and cyber insurance taken by some national associations to increase cyber resilience, as well as of a guide prepared by ENISA for those organisations seeking to enhance their cyber security culture.
BIPAR will also continue to closely monitor the EU legislative procedure on cyber security.
Free flow of data
In its digital single market mid-term review of May 2017, the Commission also announced its work on the free flow of non-personal data as a prerequisite for a competitive data economy. On 13 September 2017, the Commission published a legislative proposal on the free flow of non-personal data in the European Union. This proposal completes the General Data Protection Regulation (GDPR), which provides for the free movement of personal data (i.e. any information relating to an identified or identifiable natural person). In particular, the proposal develops tools regarding:
The two EU co-legislators, the EP and the Council, have entered into discussions to agree on the final text under the trilogue procedure.