19. The reference in Article 41(4) to business continuity and contingency plans should also be considered in this context, as EIOPA agrees that operational resilience goes beyond effective risk management: ICT failures or breaches caused by people or processes are inevitable, and operational resilience aims to ensure that insurance and reinsurance undertakings are prepared to continue providing services through disruptions and to minimise the impact on others.
20. Under Solvency II, the Own Risk and Solvency Assessment (ORSA) in Article 45 plays an important role. The role of the ORSA in the undertaking’s assessment of the material risks it is exposed to is crucial for any risk, but particularly for ICT risks (including cybersecurity risk) as part of the undertaking’s operational risk. In fact, it is known that the standard formula for the operational risk calculation is not as sensitive to the risks as the other risk modules. As such, under the ORSA undertakings are expected to assess whether the standard formula reflects their operational risk profile. Considering the global consensus in identifying ICT risk as possibly one of the top emerging risks for the insurance market, it is also expected that the ORSA of each undertaking shall include an assessment of these risks, if the undertaking assesses them as material.
21. The Commission Delegated Regulation 2015/35 (Article 258) addresses the establishment of information systems which produce complete, reliable, clear, consistent, timely and relevant information concerning the business activities. These requirements refer to the information systems used (letter h), and require undertakings to maintain adequate and orderly records of the undertaking’s business and internal organisation (letter i) and to safeguard the security, integrity and confidentiality of information (letter j), as well as to establish, implement and maintain a business continuity policy (paragraph 3).
22. From the analysis of the current ‘EIOPA Guidelines on System of Governance’, and taking the analysis of the survey performed into account, it appears that the above-mentioned Guidelines do not cover ICT security and governance requirements in detail and that, from a ‘local’ perspective, the regulatory landscape appears fragmented throughout Europe.
23. These Guidelines do not properly reflect the importance of addressing ICT risks (including cybersecurity risks) as stressed, e.g., by the FinTech Action Plan. There is no guidance regarding vital elements that are generally acknowledged as being part of proper ICT security and governance requirements. To better reflect these elements and to achieve convergence within the EEA, EIOPA proposes to develop Guidelines regarding ICT security and governance requirements. An overview of the current ruling may be found in Annex B1.
24. 22 out of the 28 countries that have submitted responses to the EIOPA survey on current ruling (see Annex B) have defined local rules for ICT security and governance requirements. Even if those requirements are quite similar, this still leads to a scattered picture. In addition, supervisory practices vary from ‘no specific supervision’ to ‘strong supervision’ (including ‘off-site inspections’ and ‘on-site inspections’). The overall results of the stock-take exercise may be found in Annex B3.