Insurers are processing more and more data, so good information security is crucial. The Association supports its members in taking security to the next level.
For example, we help insurers stay informed of important developments in data security by organising theme days and publications. In addition, we facilitate cooperation between members on non-competitive aspects, for example by sharing threat information or by providing a tool to map the cyber risk of IT suppliers. Finally, we are in discussions with regulators and legislators about new rules and laws regarding cyber risk; for example, in consultation with members, we respond to consultations by regulators.
The Financial Supervision Act (Section 3:17) states that institutions must have adequate procedures and measures in place to manage IT risks. This article is elaborated in guidelines issued by regulators, the most important of which is DNB's Good Practice Information Security, which contains 58 controls.
In addition, the Digital Operational Resilience Act (DORA) has been in effect since January 16, 2023 and will become applicable on January 17, 2025. Because DORA is a regulation, it does not have to be transposed into Dutch law but is directly effective. However, under the law, various Regulatory Technical Standards still have to be drawn up by the European Supervisory Authorities. Although it is not yet entirely clear what the substantive difference is between the current and future situation, it is already clear that the requirements in this new law are enforceable.
So we can expect that, in the coming years, as with the GDPR, judges will start to consider the details, and that case law will determine the exact obligations for insurers. As a result, information security is no longer something that is 'only' the responsibility of the IT department (if it ever was), but also something that lawyers deal with. In this way, rulings by judges in other European member states will also have consequences for Dutch companies, and vice versa.
For the time being, the main regulator of information security in the insurance sector is DNB.
The Computer Emergency Response Team (i-CERT) makes an operational contribution to the cyber security of the insurance sector. This team falls under the Centre for Combating Insurance Crime (CBV) of the Association and, in addition to employees of the CBV, consists of a pool of specialists from large insurers. The i-CERT informs and advises insurers as quickly as possible about current cyber threats and coordinates collective actions where necessary. This is done in close collaboration with CERTs in other industries and with cyber security bodies such as the Digital Trust Center (DTC).
In addition to the i-CERT described above, there is a platform for Chief Information Security Officers (CISOs) of insurers. The Insurance Information Sharing and Analysis Centre (Insurance-ISAC) drives knowledge sharing at a more tactical, policy and strategic level and thus contributes to digitally secure business operations. While the i-CERT facilitates and shapes operational cooperation, the Insurance-ISAC also contributes to policy development and advocacy for the sector.
The platform plans to work on two themes in the coming years: insight into the cyber risk of third parties (suppliers) and ransomware readiness. The first theme is addressed by standardising the questionnaires with which insurers map out the cyber risk of these parties. We promote ransomware readiness by practising together, but also by examining whether the Association can support members in the event of a hack, for example by concluding a contract with a party that can be called in such a case.