Today, the European Insurance and Occupational Pensions Authority (EIOPA) finalised the Guidelines on Information and Communication Technology (ICT) Security and Governance.
The guidelines give national supervisory authorities and market participants guidance on how the operational-risk requirements set out in Directive 2009/138/EC (Solvency II) and in Commission Delegated Regulation (EU) 2015/35 apply to ICT security and governance, taking into account EIOPA's Guidelines on System of Governance.
The objective of the guidelines is to strengthen the operational resilience of the digital operations of insurance and reinsurance undertakings against the risks they face. Operational resilience is key to protecting insurance and reinsurance undertakings' digital assets, including their systems and the data they hold on policyholders and beneficiaries. In particular, the guidelines:
- provide clarification and transparency to market participants on the minimum expected information and cyber security capabilities, i.e. a security baseline;
- avoid potential regulatory arbitrage;
- foster supervisory convergence regarding the expectations and processes applicable in relation to ICT security and governance as a key to proper ICT and security risk management.
EIOPA consulted on the guidelines between December 2019 and March 2020 and took into account the views of stakeholders wherever possible.
National supervisory authorities are expected to apply these guidelines from 1 July 2021.
Publication date: 12 October 2020