What awaits Czech insurance companies (including from the CNB) under the EU digital strategy?

EU Digital Strategy and Czech Insurance Companies | ORBIT

As part of the Czech EU Presidency, our media noticed the existence of the EU Digital Strategy and published one short report on it. However, the whole topic deserves more attention because the EU Digital Strategy will affect our lives in the near future - from financial institutions and insurance companies to EU citizens. What should insurers prepare for?

Dana Yussupova

Pillars of the digital strategy

The EU Digital Strategy has three pillars:

  • technology for the benefit of people
  • A fair and competitive digital economy
  • an open, democratic and sustainable society

These pillars may strike some as abstract, others may get the impression that we have a great future ahead of us. In any case, the digital strategy is designed in such a way that it would be a great shame and a missed opportunity to try to avoid its objectives. We can't stop digitalisation (not even in the insurance industry).

The European Commission has earmarked an amount for the period from 1 January 2021 to 31 December 2027 EUR 7.5 billion to achieve the five objectives. The first round of grant awards took place in the fall of 2021, the second in the spring of 2022, and the third will be announced this autumn. If you have an idea that is aligned with one of the five objectives of the EU Digital Strategy, you can also apply for a grant (at this link at EU level, on this then at the level of the Czech Republic).

How will the EU distribute €7.5 billion?

 

  •  High-performance computing (€2.2 billion):

○ readily available high-end exascale (next-generation computing systems capable of 10-18 floating operations per second), supercomputing and data infrastructure

○ EU-wide ecosystem of high-performance computing

○ post-exascale infrastructure (including integration with quantum computing technologies and computer science research infrastructures), supporting the necessary hardware and software development

  • Artificial Intelligence (AI) (€2.06 billion):

○ Basic capacity

○ Testing and experimental equipment

  •  Cybersecurity and trust (€1.6 billion):

○ Advanced equipment

○ Knowledge, capacity, skills for cybersecurity

○ NIS2

○ Resilience, risk awareness, coordination between civil and defence

  • Advanced digital skills (€0.57 billion):

○ Increase the number of talent in the EU

○ Bridging the digital divide, promoting professionalism in cloud, big data analytics, cybersecurity, blockchain, quantum technologies, robotics and artificial intelligence

  • Deployment and best use of digital capabilities and interoperability (€1.07 billion):

○ Deployment of state-of-the-art digital technologies (e.g. HPC, AI) and cybersecurity for public sector entities (health, education, justice, customs, transport, mobility, energy, environment, cultural and creative industries)

○ Easy access to (pilot) testing of digital technologies for the EU public sector and industry (especially SMEs)

○ Ensuring continued capacity at EU level, digital development, monitoring, analysing and adapting to rapidly evolving digital trends, sharing best practices

○ Building a European ecosystem for trusted data sharing and digital infrastructure

EIOPA and current trends in digitalisation

If you do not apply for a grant, you will still feel the current trends in digitalisation in the insurance sector. One of the reasons is DORA (which we wrote about in here), then there is NIS2 (on the basis of which DORA was created and with which it is complementary) and the position of EIOPA and the CNB is also important.

What is EIOPA already doing and what will it continue to do?

 

1. monitors risks (including cyber) related to IT security and governance.

2. It is working on a system for sharing information on cyber security and attacks between national supervisory authorities.

3. Contributes to the fine-tuning of DORA, for which it is preparing its implementing technical standards. It focuses in particular on cyber incident reporting and cybersecurity resilience testing.

4. Monitor the implementation of its guidelines (i.e. guidelines), particularly in the area of ICT (information and communication technologies). The aim is to identify specific appropriate aspects of implementation (which it will use topreparation of technical standards for DORA).

5. Harmonises ICT risk management tools, methods, processes and policies and the content of the policies, procedures and plans foreseen in the Regulation (e.g.: ICT security policies and procedures, ICT business continuity policy, BCP and DRP plans).

6. EIOPA has developed a data management framework for local supervisory authorities. Data quality is essential for governance processes. The framework is intended to provide a minimum quality standard that will be required of all LSAs.

7. the Expert Group on Artificial Intelligence will set a framework for ethical and trustworthy AI in the European insurance sector (so far it has issued six governance principles, including guidance on their implementation in the insurance sector). EIOPA will take further account of future legislative developments on AI.

8. EIOPA wants to reach a consensus on the approach to the regulation of innovative products, services and business models. In general, it wants to strengthen the coordination of fintech regulation.

9. It is preparing a procedural framework for cross-border testing to facilitate the spread of innovation across the EU, simplify competition, facilitate cross-border communication between local supervisors and increase transparency regarding cross-border testing within the regulatory sandbox.

10. Develop supervisory convergence tools to support local supervisors in conducting business model analysis in the context of the digital insurance market. The business model assessment should give supervisors the opportunity to better understand the factors that create opportunities and vulnerabilities in the business of insurance companies and, as a result, they should be able to develop a more personalised supervisory plan for individual insurance companies.

11. Introduce a technical standard (specific template) for reporting on cyber risk underwriting. Monitor the impact of DORA in this area and intend to focus on tacit underwriting.

12. It will focus on outsourcing to third-party providers. It has already issued its guidelines for outsourcing to the cloud and will in future also focus on outsourcing of claims handling and UW to third countries.

Impact of the EU Digital Strategy on the Czech Insurance Sector

Based on the CNB's supervisory strategy and recent articles or interviews provided by the Czech National Bank, we can conclude that supervision in the Czech Republic will continue to focus on financial market stability and evergreens such as consumer protection (also in light of IDD), AML & CTF, SII revision and PRIIPS versus MiFID revision.

The CNB will focus in particular on cyber and ICT riskswhich have been growing in importance for some time (not only as a result of the war in Ukraine). Cyber and ICT risks will therefore become an integral part of the risk management systems of financial institutions (banks, insurance companies, securities dealers, etc.).

For this reason, the CNB signed a contract with NUCIB on 31 May 2022 Memorandum of Cooperation, under which the two institutions will cooperate closely on surveillance. According to the CNB's supervisory strategy, the surveillance should be ongoing:

  • depending on the importance and riskiness of the insurer (importance: long-term liabilities to retail clients, riskiness: long-term propensity to under-premium & pressure on profitability and hence insufficient reserves),
  • based on the response to strong negative signals for small (small & single sector) insurers.

In short...

Therefore, the CNB can be expected to take a deeper interest in cybersecurity resilience and ICT risks during its supervision: which ICT risks insurance companies are exposed to, how they manage these risks, what ICT risk governance model insurance companies have set up and how they have set up their IT security model.

As far as fintech is concerned, the CNB will not introduce a regulatory sandbox like the Austrian FMA. But it has prepared communication channel for relevant questions to financial innovation and holds regular meetings with the FinTech community in the form of roundtables. The last one was held on 7 June 2022 on the topic of Gamification and other foreign trends and their possible risks.

What's next for us? That remains to be seen. However, we can expect regulations from the EU as part of the implementation of the Digital Strategy, for example:

  • Data Governance Act
  • Digital Markets Act
  • Artificial Intelligence Act
  • Data Act
  • Cyber Resilience Act

We can also look forward to the upcoming EUCC certification from ENISA. But more on that next time.

About the author
Dana Yussupova
Dana Yussupova

Compliance consultant | LinkedIn

Dana has long been involved in compliance and control functions (audit, risk management) in the financial sector. She focuses in particular on regulations related to IT risks, cloud and outsourcing, both within the EU and at (non)national level and in India.