Insurance Europe

Cyber

Insurers’ key role in increasing cyber resilience

Although increased digitalisation has obvious benefits for society, it also brings risks. The potential for serious economic and commercial repercussions, illustrated by events such as the WannaCry ransomware attack, means that increasing the cyber resilience of businesses and society is vital. The COVID-19 pandemic has also demonstrated the importance of digitalisation for societies to be able to operate and the need for this environment to be safe.

The insurance industry has a key role to play, not only in providing insurance cover, but also in helping their clients avoid cyber risks and mitigate their impact when they materialise. Insurers’ advice on prevention and mitigation builds on many years of insuring other large and multifaceted events, such as natural catastrophes.

Cyber protection gap extract from:
Report — “Global protection gaps and recommendations for bridging them”

March 2023

Munich Re’s
Joachim Wenning on
growing cyber threats

Annual Report article, June 2022

Insurers’ own cybersecurity

As insurers embrace the digital transformation, they too must make sure that they do so in a safe way. To support the cyber resilience of the industry, Insurance Europe calls for a risk-based set of rules that insurers can tailor to the risks to which they are exposed and the systems and services that need to be protected and maintained. In the same way that insurers’ use of information and communications technology (ICT) is proportionate to their needs, so too must be the rules addressing its security.

National insurance association initiatives

Beyond their core role of risk transfer, insurers are also active in prevention, awareness-raising and mitigating the effects of cyber attacks.

Data breach notification template

To facilitate the development of the EU cyber-insurance market, insurers should have access to anonymised data collected under the EU’s General Data Protection Regulation (GDPR) and Network Information Security Directive.

Insurance Europe has developed a template for breach notifications under the GDPR. It is easy to use and allows the information to be compared across sectors. The data gathered would be anonymised but sufficiently granular to be of use to insurers.

One obligation under the GDPR is for companies to notify (personal) data breaches to their supervisory authority.

Insurance Europe has developed a template that could make it easier and quicker to report breaches. And the standardised format could enable supervisors to share incident data across borders and to better detect trends in cyber threats.

The template is set up in such a way that the information can be shared without the need to be anonymised or aggregated, as it will not be possible to identify the company through the information submitted.

Currently, the lack of available information on cyber events hampers efforts to defend against cyber attacks. For example, lack of data limits insurers’ ability to offer cyber-risk cover and related services. This could change if insurers were granted access to the (anonymised) data gathered by supervisory authorities.

How it works

The template has three sections:

Personal details and information on the affected company (not to be shared with third parties).
Details on the data breach incident to be sent to the national supervisory authority, where feasible, within 72 hours (as per Article 33 of the GDPR).
A section to be completed following the 72-hour period when more information is available on the data breach.

The multiple choice answers or numerical fields in sections 2 and 3 aid comparison of the information between companies and sectors, and ensure anonymity.

Document