In a letter to the market dated 29 December 2017, IVASS (the Italian Insurance Regulator) published the outcome of an investigation it carried out in July 2017 into how aware insurance agents and brokers are of the risks involved in the use of technology and sophisticated computer systems, together with suggested measures that intermediaries may adopt to strengthen their cyber security. The investigation found that general awareness of cyber risk is widespread and that more than 80% of the interviewees have adopted data protection systems. Less comforting is the general understanding of the importance of periodically testing systems in order to detect malware and unauthorized access.
IVASS also found a lack of written internal policies on cyber risk (only 20% of the intermediaries have implemented them) and a generally low level of employee training on how to reduce cyber risk. Insufficient attention has been paid to data protection under EU Regulation no. 2016/679 (the GDPR): only 30% of agents, 50% of brokers and 70% of the major brokers take such issues into consideration. Only 40% of the major brokers use cyber risk insurance policies to protect against cyber attacks, while 15% of intermediaries and 50% of major brokers have suffered at least one cyber attack.
To improve protection and prevention, IVASS recommends that intermediaries:
- adopt a written cyber risk policy and verify, at least once every six months, that business operations comply with its provisions;
- starting from 2018, dedicate 20% of the professional training hours required every two years for staff and employees to information technology matters;
- strengthen monitoring systems, backups and testing to prevent unauthorized access;
- regularly update their analysis of business vulnerabilities;
- make greater use of cyber insurance policies.
IVASS will repeat the same investigation before 2019 to check whether intermediaries have complied with the suggested measures.