What awaits Czech insurance companies under the EU digital strategy (including from the CNB)?



As part of the Czech EU Presidency, our media noticed that the EU has a digital strategy and published one brief report on it. But the whole topic deserves more attention, because the EU’s digital strategy will affect our lives in the near future – from financial institutions and insurance companies to EU citizens. What should insurers prepare for?

Dana Yussupova


The EU Digital Strategy has three pillars:

  • technology for the benefit of people
  • a fair and competitive digital economy
  • an open, democratic and sustainable society


These pillars may strike some as abstract, others may get the impression that we have a great future ahead of us. In any case, the digital strategy is designed in such a way that it would be a huge shame and a missed opportunity to try to avoid its objectives. We simply cannot stop digitalisation (even in the insurance industry).

The European Commission has earmarked €7.5 billion for the period from 1 January 2021 to 31 December 2027 to achieve the five objectives. The first round of grants was awarded in the fall of 2021, the second in the spring of 2022, and the third will be announced this fall. If you have an idea that is in line with one of these five objectives, you can also apply for a grant (at this link for the EU level, and at this link for the Czech Republic).


How will the EU distribute €7.5 billion?


  • High-performance computing (€2.2 billion):

○ readily available high-end exascale (next-generation computing systems capable of 10^18 floating-point operations per second) supercomputing and data infrastructure

○ EU-wide ecosystem of high-performance computing

○ post-exascale infrastructure (including integration with quantum computing technologies and computer science research infrastructures), supporting the necessary hardware and software development

  • Artificial Intelligence (AI) (€2.06 billion):

○ Basic capacity

○ Testing and experimental equipment

  • Cybersecurity and trust (€1.6 billion):

○ Advanced equipment

○ Knowledge, capacity, skills for cybersecurity

○ NIS2

○ Resilience, risk awareness, civil-defence coordination

  • Advanced digital skills (€0.57 billion):

○ Increase the number of talented people in the EU

○ Bridging the digital divide, promoting professionalism in cloud, big data analytics, cybersecurity, blockchain, quantum technologies, robotics and artificial intelligence

  • Deployment and best use of digital capabilities and interoperability (€1.07 billion):

○ Deployment of state-of-the-art digital technologies (e.g. HPC, AI) and cybersecurity for public sector entities (health, education, justice, customs, transport, mobility, energy, environment, cultural and creative industries)

○ Easy access to (pilot) testing of digital technologies for the EU public sector and industry (especially SMEs)

○ Ensuring continued capacity at EU level, digital development, monitoring, analysing and adapting to rapidly evolving digital trends, sharing best practices

○ Building a European ecosystem for trusted data sharing and digital infrastructure


EIOPA and current trends in digitalisation

If you do not apply for a grant, you will still feel the current trends in digitalisation in the insurance sector. One of the reasons is DORA (which we wrote about here), then we have NIS2 (on the basis of which DORA was created and with which it is complementary) and the position of EIOPA and the CNB is also important.


What is EIOPA already doing and what will it continue to do?


1. Monitors risks (including cyber) related to IT security and governance.

2. It is working on a system for sharing information on cyber security and attacks between national supervisory authorities.

3. Contributes to the fine-tuning of DORA, for which it is preparing its implementing technical standards. It focuses mainly on cyber incident reporting and cybersecurity resilience testing.

4. It monitors the implementation of its guidelines, particularly in the field of ICT (information and communication technologies). The aim is to identify specific reasonable aspects of implementation (which the preparation of technical standards for DORA will draw on).

5. Harmonises ICT risk management tools, methods, processes and policies and the content of the policies, procedures and plans envisaged in the Regulation (e.g.: ICT security policies and procedures, ICT business continuity policy, BCP and DRP plans).

6. EIOPA has developed a data management framework for local supervisory authorities. Data quality is essential for control processes. The framework is intended to provide a minimum quality standard that will be required of all local supervisory authorities.

7. The Expert Group on Artificial Intelligence will establish a framework for ethical and trustworthy AI in the European insurance industry (so far, it has issued six governance principles, including guidelines for their implementation in the insurance industry). In the future, EIOPA will further take into account the legislative developments of the Artificial Intelligence Act.

8. EIOPA wants to reach a consensus on the approach to the regulation of innovative products, services and business models. In general, it wants to strengthen the coordination of fintech regulation.

9. It is developing a procedural framework for cross-border testing to facilitate the spread of innovation across the EU, simplify competition, facilitate cross-border communication between local supervisors and increase transparency regarding cross-border testing within the regulatory sandbox.

10. Develops supervisory convergence tools to support local supervisors in conducting business model analysis in the context of the digital insurance market. Business model assessments are intended to give supervisors the opportunity to better understand the factors that create opportunities and vulnerabilities in insurers’ businesses and, as a result, they should be able to develop a more personalised supervisory plan for individual insurers.

11. Establishes a technical standard (specific template) for cyber risk reporting. It is monitoring the impact of DORA in this area and wants to focus on tacit underwriting.

12. It will focus on outsourcing to third-party providers. It has already issued its guidelines for outsourcing to the cloud and in the future will also focus on outsourcing of claims handling and UW to third countries.


Impact on the insurance industry in the Czech Republic

Based on the CNB’s supervisory strategy and recent articles or interviews provided by the Czech National Bank, it can be concluded that supervision in the Czech Republic will continue to focus on financial market stability and evergreens such as consumer protection (also in light of IDD), AML & CTF, SII revision and PRIIPS versus MiFID revision.

The CNB’s new focus will be on cyber and ICT risks, which have been growing in importance for some time (not least as a result of the war in Ukraine). Cyber and ICT risks will therefore become an integral part of the risk management systems of financial institutions (banks, insurance companies, securities dealers, etc.).

For this reason, the CNB and NÚKIB signed a Memorandum of Cooperation on 31 May 2022, under which they will cooperate closely on supervision. According to the CNB’s supervisory strategy, supervision should take place:

  • depending on the significance and riskiness of the insurer (significance: long-term liabilities to retail clientele, riskiness: long-term propensity to under-premium & pressure on profitability and hence insufficient reserves),
  • based on the response to strong negative signals for small (small & single sector) insurers.


Therefore, the CNB can be expected to take a deeper interest in cybersecurity resilience and ICT risks during its supervision: which ICT risks insurance companies are exposed to, how they manage these risks, what ICT risk governance model insurance companies have set up and how they have set up their IT security model.

As far as fintech is concerned, the CNB will not introduce a regulatory sandbox like the Austrian FMA. However, it has prepared a communication channel for relevant questions about financial innovations and holds regular meetings with the FinTech community in the form of roundtables. The last one took place on 7 June 2022 on gamification and other foreign trends and their potential risks.

What’s next for us? That remains to be seen. However, we can expect regulations from the EU in addition to the already mentioned DORA and NIS2, for example:

  • Data Governance Act
  • Digital Markets Act
  • Artificial Intelligence Act
  • Data Act
  • Cyber Resilience Act


We can also look forward to the upcoming EUCC certification from ENISA. But more on that next time.



About the Author
Dana Yussupova
Compliance consultant | LinkedIn
Dana has long been involved in compliance and control functions (audit, risk management) in the financial sector. She focuses in particular on regulations related to IT risks, cloud and outsourcing, both within the EU and at the (non)national level and in India.
