Skip to Content
The content on this page has been translated automatically.  Go to the original page.
Informatiebeveiliging LR Shutterstock 2139978403

Insurers are processing more and more data. Good information security is crucial. The Association supports its members to take security to the next level.

For example, we help insurers by organising theme days and publications to stay informed of important developments in data security. In addition, we facilitate cooperation between members on non-competitive aspects. For example, by sharing threat information or with a tool to map the cyber risk of IT suppliers. Finally, we are in discussions with regulators and legislators about new rules and laws regarding cyber risk. For example, in consultation with members, we respond to consultations with regulators.

Legislation and supervision

Guidelines

The Financial Supervision Act (Section 3:17) states that institutions must have adequate procedures and measures in place to manage IT risks. This article is elaborated in guidelines issued by regulators. The most important of these is DNB's Good Practice Information Security , which contains 58 controls.

DORA

In addition, effective January 16, 2023, the Digital Operational Resilience Act (DORA), will be in effect on January 16, 2023 and will enter into force on January 17, 2025. Because DORA is a regulation, it does not have to be transposed into Dutch law, but is immediately effective. However, under the law, various Regulatory Technical Standards still have to be drawn up by the European Supervisory Agencies. Although it is not yet entirely clear what the substantive difference is between the current and future situation, it is already clear that the requirements are enforceable in this new law.

So we can expect that, in the coming years, as with the GDPR, judges will start to consider details. And that case law will determine the exact obligations for insurers. As a result, information security is no longer something that is 'only' the responsibility of the IT department (if it was at all), but also something that lawyers deal with. In this way, rulings by judges from other European member states will also have consequences for Dutch companies. And vice versa.

Supervision

For the time being, the main regulator of information security in the insurance sector is DNB.

i-CERT

The Computer Emergency Response Teams (i-CERT) makes an operational contribution to the cyber security of the insurance sector. This team falls under the Centre for Combating Insurance Crime (CBV) of the Association and, in addition to employees of the CBV, consists of a pool of specialists from large insurers. The i-CERT informs and advises insurers as quickly as possible about current cyber threats and coordinates collective actions where necessary. This is done in close collaboration with CERTs in other industries and cyber security bodies such as the Digital Trust Center (DTC).

Insurance-ISAC

In addition to the i-CERT described above, there is a platform for Chief Information Security Officers (CISOs) of insurers. The Insurance Information Sharing and Analysis Centre (Insurance-ISAC) drives knowledge sharing at a more tactical, policy and strategic level and thus contributes to digitally secure business operations. While the i-CERT facilitates and shapes operational cooperation, the Insurance-ISAC also contributes to policy development and advocacy for the sector.

The platform plans to work on two themes in the coming years: insight into the cyber risk of third parties (suppliers) and ransomware readiness. The first point is addressed by standardising the questionnaires with which insurers map out the cyber risk of these parties. We promote ransomware readiness by practising together, but also by seeing if the Association can support members in the event of a hack, for example by concluding a contract with a party that can be called in such a case.

Tools & Support

  • Responsible Disclosure | The Association and the National Cyber Security Centre (NCSC) have drawn up a guide for the introduction of a Responsible Disclosure policy by insurers. This provides so-called ethical hackers with clear rules on how to find and report ICT vulnerabilities to insurers in a responsible manner.
  • Information Security Vendor Selection Questionnaire | The list is primarily intended for insurers who are considering a particular vendor and want to make an initial assessment of security maturity. In addition, the list is intended for suppliers who want to know what the most important requirements insurers have in terms of information security, so that they can check at once whether they comply with this set and then provide well-founded answers to various insurers.
    Word version and pdf version
  • Webinars & Meetings | The Association regularly organises meetings and webinars on developments in information security that are relevant to insurers. In recent years, for example, it has focused on best practices regarding cyber security awareness, dealing with questions from regulators and new European laws and regulations.
  • Third party risk management | In 2023, the Association developed a checklist for assurance statements. In 2024, the Association published a first overview of the most important aspects of security awareness training.
  • Exercises | At the end of 2022, the Insurance Information Sharing and Analysis Centre (Insurance-ISAC), in close consultation with DNB, carried out an initial table top exercise at a supplier that many insurers work with.
  • Gathering Threat Intelligence | Through the i-CERT, the Association works closely with government agencies and other parties that have up-to-date and specific threat information. The aim of this cooperation is for insurers to receive this type of information as quickly as possible in order to be able to take timely, adequate measures.

Click here for the tools: