EIOPA has introduced new guidelines for the security and management of information and communications technology for (re)insurers and pension funds. What impact do these new guidelines have on risk management within your organization? And how do they differ from the current Dutch DNB Good Practice Information Security?
Written by Maurice Koetsier
The digital transformation in the financial sector is in full swing. Information and communication technology (ICT) is becoming increasingly important, in terms of customer service, quality and efficiency. ICT is also becoming increasingly complex; not only is the number of ICT-related incidents, including cyber incidents, growing, but also their impact. Therefore, financial institutions are placing increasing emphasis on managing ICT risks.
Various regulators want to increase the resilience of financial institutions in the area of ICT and cybersecurity. For that reason, they have introduced national laws and regulations, mostly in the form of circulars and good practices. At the European level, there are now guidelines for banks, insurers and pension funds. This sets the stage for further centralization of EU supervision of the financial sector.
At the end of 2019, the European Banking Authority (EBA) published the "Guidelines on ICT and security risk management". Following this, in October 2020 the European Insurance and Occupational Pensions Authority (EIOPA) published new guidelines on security and management of information and communications technology. While both sets of guidelines are similar in substance, the EIOPA guidelines apply specifically to (re)insurers and pension funds.
The EIOPA guidelines (effective July 1, 2021) offer (re)insurers and pension funds more guidance on ICT governance and security.
In the Netherlands, (re)insurers and pension funds already have guidance they are expected to comply with: the Good Practice Information Security (2019) from DNB (hereafter: DNB Good Practice IB). The four most important additions in the EIOPA guidelines are set out below.
1. ICT strategy in line with business strategy
The new EIOPA guidelines require you to establish a documented ICT strategy. An important requirement is that this strategy aligns with and supports the business strategy. In addition, organizations should establish a process to monitor the effectiveness of the implemented ICT strategy and act on the results. The DNB Good Practice IB requires that the ICT risk framework is aligned with the overall risk framework, but does not prescribe anything in terms of ICT strategy.
2. ICT project management added as a topic
A new topic in the EIOPA guidelines compared to the DNB Good Practice IB is the implementation of an ICT project methodology. The ICT project methodology should contribute to the effective implementation of the ICT strategy. In addition, organizations should adequately identify, monitor and mitigate project risks.
3. Acquisition of ICT systems based on risk analysis
The DNB Good Practice IB addresses the monitoring of external parties under control measure 16.3: organizations should form an opinion about the internal control measures at their service providers and any subcontractors. On this topic, the EIOPA guidelines are more explicit and prescribe that organizations establish a risk-based process covering the acquisition, development and maintenance of ICT systems. This process also applies to applications that the business (outside ICT) develops and manages, such as end-user computing applications.
Are you as a (re)insurer or pension fund planning to purchase new ICT systems? Then the EIOPA guidelines prescribe that you first define functional, non-functional (including information security) and technical objectives.
4. Audit by specialists
Managing ICT and security risks requires periodic review. The EIOPA guidelines explicitly prescribe that this topic be part of your audit plan, where an auditor with sufficient knowledge and experience in ICT and security risks assesses your governance, systems and processes in that area. This is an important addition compared to the DNB Good Practice IB, which does not explicitly include this requirement.
DNB has announced that it will include the new EIOPA guidelines in its examinations starting next year. It is therefore expected that DNB will update the Good Practice on the topics mentioned above.
All supervised (re)insurers and pension funds must comply with the new guidelines. That requirement can be challenging for smaller organizations in particular. First, they have outsourced many components, so they need to make additional contractual arrangements with their service providers. In addition, the new topics mean that these organizations need more knowledge and resources to adequately comply with, and monitor compliance with, the guidelines. Furthermore, this change also affects the IT service providers that work on behalf of financial institutions: they too will have to meet the new requirements.