On 12 October 2020, the European Insurance and Occupational Pensions Authority (EIOPA) issued its Guidelines on Information and Communication Technology Security and Governance (“the Guidelines”) in accordance with Article 16 of Regulation (EU) No 1094/2010, in line with the European Commission's FinTech Action Plan (COM/2018/0109 final) and EIOPA’s Supervisory Convergence Plan 2018–2019.
The Guidelines provide guidance on the sound information and communication technology (ICT) governance and security practices that insurance and reinsurance undertakings should implement to mitigate their technological risks appropriately.
The EIOPA Guidelines cover 25 topics, each containing a set of specific requirements. The self-assessment checklist provided in this article summarizes those 25 topics, allowing an undertaking to determine the readiness level of its ICT security and governance management processes and to identify any potential gaps before the Guidelines come into force. The checklist is organized around the following seven objectives:
Establish governance to effectively support the ICT strategy
Ensure ICT and security risks are identified and addressed appropriately
Implement efficient and controlled ICT operations processes
Protect the confidentiality, integrity and availability of customer and business data
Manage projects and changes effectively to meet business and security objectives
Maintain the business function under unforeseen circumstances
Protect outsourced IT services appropriately
The Guidelines represent a key step for the insurance sector to align with the European Commission’s aim to improve and harmonize the digital operational resilience of the EU’s financial services (as envisioned by the legislative proposal for a Digital Operational Resilience Act).