These guidelines shall provide guidance to national supervisory authorities and market participants on how regulation regarding operational risks set forth in Directive 2009/138/EC and in the Commission’s Delegated Regulation 2015/35 is applied in the case of ICT security and governance, considering as well EIOPA’s Guidelines on System of Governance.

These guidelines will start to apply from 1 July 2021 and their objective is to:

• provide clarification and transparency to market participants on the minimum expected information and cyber security capabilities, i.e. security baseline;

• provide clarification and transparency to market participants on the minimum expected information and cyber security capabilities, i.e. security baseline;

• provide clarification and transparency to market participants on the minimum expected information and cyber security capabilities, i.e. security baseline;

Undertakings should apply these guidelines in a manner which is proportionate to the nature, scale and complexity of the risks inherent in their business. It is up to the administrative, management or supervisory body (“AMSB”) to ensure that the undertakings’ system of governance adequately manage its ICT and security risks. In order for this to be done, the AMSB should ensure that the allocated are appropriate to fulfill such requirements. It is also the AMSB’s overall responsibility for setting and approving the undertakings’ written ICT strategy as part of their overall strategy.

A written information security policy should also be established by the undertakings and approved by the AMSB, defining the high-level principles and rules to protect the confidentiality, integrity and availability of undertakings’ information in order to support the implementation of ICT strategy. Moreover, undertakings should establish an information security function within their system of governance, with the responsibilities assigned to a designated person. The information security function must be independent and impartial from the undertaking.

Undertakings should also define, document and implement procedures for logical access control or logical security, which are in accordance with the protection requirements. The same should be done for physical security measures in order to protects their premises, data centres and sensitive areas from unauthorized access from environmental hazard. Procedures and processes should also be implemented to continuously monitor activities that impact the undertakings’ information security, in order to cover things such as potential internal and external threats. The staff and AMSB should also be given the necessary training by the undertakings, by establishing information security training programmes, in order to ensure that they are trained to perform their duties and responsibilities to reduce human error, theft, fraud, misuse or loss. 

With the implementation of these Guidelines, they would provide the necessary guidance on how these undertakings would be able to apply the governance requirements as indicated in the Solvency II Directive and in the Delegated Regulation.

News update by Legal Trainee Mr Steve Vella.

For more information or assistance please contact  Dr Ian Gauci and Dr Terence Cassar.

Disclaimer: This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.