The European Supervisory Authorities (EBA, ESMA and EIOPA) have published two opinions in response to requests made by the European Commission in its Fintech Action Plan.
In the first opinion, they call for legislative improvements so that ICT risk is managed properly across the financial sector, insurers included. In particular, the aim is for every entity to be subject to clear, general requirements on ICT governance, including cybersecurity, in order to ensure the secure provision of regulated services.
The three authorities recall that incident reporting is essential to ICT risk management, and therefore ask that entities and competent authorities be enabled to record, monitor, analyse and respond to operational, security and fraud incidents. To that end they request that incident reporting frameworks be streamlined across the whole financial sector. They also suggest that a legislative solution be considered to establish an appropriate oversight framework for the activities of critical third-party service providers.
In the second opinion, they assess the costs and benefits of a coherent testing framework to strengthen cyber resilience in light of the emergence of Fintech and Insurtech. They consider that such a framework would clearly be beneficial. However, they caution that the financial sector is very broad and that not all actors have the same level of cybersecurity maturity.
In the short term, the three authorities advise focusing on a minimum level of cyber resilience across the whole financial sector, proportionate to the needs and characteristics of each entity. In addition, they propose establishing, on a voluntary basis, a coherent EU-wide testing framework that takes existing initiatives into account.