European Insurance and Occupational Pensions Authority

Question ID: 1662

Regulation Reference: (EU) No 2015/35 - supplementing Dir 2009/138/EC - taking up & pursuit of the business of Insurance and Reinsurance (SII)

Article: 274

Status: Final

Date of submission: 27 Nov 2018

Question

"A stakeholder, who is a supplier of Cyber Security Services, indicated that in negotiating the supply of such services for it to an Insurer, the issue is whether Article 274 of the Commission Delegated Regulation 2015/35 applies. And, if Article 274 does apply to a Cyber Security Services supply agreement, then Article 274.4 (b) and (c) are so vaguely drafted that they are capable of many interpretations."

EIOPA answer

Finally, according to Guideline 60 of the EIOPA Guidelines on system of governance, the decision whether a function or activity is critical or important should be made on the basis of whether this function or activity is essential to the operation of the undertaking as it would be unable to deliver its services to policyholders without the function or activity.

Within the "EIOPA Final Report on Public Consultation No. 14/017 on Guidelines on the System of Governance", in the explanatory text for Guideline 60 (paragraph 2.291), there is a list of examples of critical or important functions or activities which would include cyber security services (those fit within the ongoing, day-to-day systems maintenance or support) if those are not one-off services (such as advisory services or projects, e.g. penetration tests).