Guidelines

The Financial Supervision Act (Art. 3:17) states that institutions must have adequate procedures and measures in place to manage IT risks. That article is elaborated in guidelines of regulators. The most important of these is DNB's Good practice information security , which contains 58 controls.

DORA

In addition, as of 16 January 2023, the Digital Operational Resilience Act (DORA) will come into force on 16 January 2023 and will enter into force on 17 January 2025. Because DORA is a regulation, it does not have to be transposed into Dutch legislation, but is directly effective. However, under the law, various Regulatory Technical Standards must still be made by the European Supervisory Agencies. Although it is not yet entirely clear what the substantive difference is between the current and future situation, it is already clear that the requirements are enforceable in this new law.

So in the coming years, we can expect that, as with the GDPR, judges will look into details. And that case law will determine the exact obligations for insurers. This makes information security something that is no longer 'only' of the IT department (if it was already), but also something that lawyers are concerned with. In this way, rulings by judges from other European member states will also have consequences for Dutch companies. And vice versa.

Supervision

For the time being, the main supervisor of information security in the insurance sector is DNB.

The Computer Emergency Response Teams (i-CERT) makes an operational contribution to the cyber security of the insurance sector. This team falls under the Centre for Combating Insurance Crime (CBV) of the Association and consists, in addition to employees of the CBV, of a pool of specialists from large insurers. The i-CERT informs and advises insurers as quickly as possible about current cyber threats and coordinates collective actions where necessary. This involves working closely with CERTs in other industries and cyber security agencies such as the Digital Trust Center (DTC).

In addition to the i-CERT described above, there is a platform for Chief Information Security Officers (CISOs) of insurers. The Insurance Information Sharing and Analysis Centre (Insurance-ISAC) encourages knowledge sharing at a more tactical, policy and strategic level and thus contributes to digitally secure business operations. Where the i-CERT facilitates and shapes operational cooperation, the Insurance-ISAC also contributes to policy development and advocacy for the sector.

The platform plans to work on two themes in the coming years: insight into the cyber risk of third parties (suppliers) and ransomware readiness. The first point is addressed by standardizing the questionnaires with which insurers map the cyber risk of these parties. We promote ransomware readiness by practicing together, but also by seeing if the Covenant can support members in the event of a hack, for example by concluding a contract with a party that can be called in such a case.

• Responsible Disclosure | The Association and the National Cyber Security Centre (NCSC) have drawn up a guide for the introduction of a Responsible Disclosure policy by insurers. This gives so-called ethical hackers clear rules about finding and reporting ICT vulnerabilities to insurers in a responsible manner.
• Webinars and meetings | The Association regularly organises meetings and webinars on developments in information security that are relevant to insurers. In recent years, for example, it has focused on best practices regarding cyber security awareness, dealing with questions from regulators and new European laws and regulations.
• Third party risk management | In 2023, the Association developed a checklist for assurance statements. A joint questionnaire will also be developed this year, with which the cyber risk of suppliers can be assessed.
• Exercises | At the end of 2022, the Insurance Information Sharing and Analysis Centre (Insurance-ISAC), in close consultation with DNB, carried out a first table top exercise at a supplier with which many insurers work.
• Collect threat intelligence | Through the i-CERT, the Association works closely with government agencies and other parties that have up-to-date and specific threat information. The aim of this cooperation is that insurers receive this type of information as soon as possible in order to be able to take timely, adequate measures.