
In a letter dated December 29 2017, IVASS (the Italian insurance regulator) provided details of an investigation that it had undertaken on July 25 2017 into (re)insurance intermediaries' general understanding of cybersecurity-related issues and the remedies that they have implemented to protect their businesses and clients against the adverse effects of possible cyberattacks.


The investigation found the following:

  • While the general understanding of cyber-related issues and risks is widespread among agents and brokers, few insurers actually test their systems against cyberattacks periodically. Approximately 78% of the agents and 50% of the brokers that took part in the survey did not have appropriate software in place to detect unauthorised access to their systems.
  • Less than 20% of the intermediaries that took part in the survey stated that they had implemented a written policy on cyber risks, while only 50% had duly informed their employees and collaborators of the ways to reduce the risk of cyberattacks.
  • Insufficient attention has been paid to the new EU General Data Protection Regulation, which will come into effect on May 25 2018.
  • The use of insurance policies to protect against cyberattacks is still generally low: only 40% of the large brokers surveyed stated that they are covered by insurance.
  • Approximately 15% of the intermediaries that took part in the survey and 50% of the large brokers confirmed that they had recently suffered cyberattacks.

Actions required

In light of the above, IVASS recommended that intermediaries implement the following protection and prevention measures:

  • As of 2018, no less than 20% of the time spent by intermediaries in mandatory training must be dedicated to information technologies.
  • Security measures and monitoring tests must be reinforced, data backups must be made on a daily basis and crisis management plans must be implemented.
  • Gap analysis regarding the business organisation's potential vulnerability to cyberattacks must be conducted on a regular basis.
  • Cyber insurance is recommended.

Next steps

IVASS will conduct another survey in 2019 to check that insurance intermediaries have complied with the proposed measures.

For further information on this topic please contact David Maria Marino at DLA Piper Italy by telephone (+39 02 80 61 81) or email ([email protected]). The DLA Piper Italy website can be accessed at