IVASS has just published a letter to the market, addressed to Italian and EU insurance intermediaries and undertakings, on how aware traditional intermediaries are of the risks involved in using new technologies and on the prevention and protection measures they have adopted to face those risks. The letter is a follow-up to the investigation launched on 25 July 2017.
In general, IVASS found that the measures and processes intermediaries have adopted to acquire and protect data and information, and to store them in their systems, show an encouraging level of awareness but remain insufficient to prevent malware and unauthorized access to that data. Improvements are also expected in relation to a written IT risk management policy and to the limited insurance coverage for IT risk and potential losses following a cyber attack.
With this aim, IVASS recommended that insurance intermediaries adopt the following measures:
- specific cyber risk policies, also on the basis of guidelines defined with the respective category associations. These policies should identify appropriate measures to improve cyber security, should be shared with colleagues and employees, and should be reviewed at least every two years;
- verification, at least every six months and possibly through external advisors, that business operations comply with the adopted policy;
- to improve the IT knowledge of intermediaries and their staff and employees, 20% of the hours provided for mandatory professional training should be dedicated to IT security from 2018;
- to defend effectively against IT attacks, intermediaries should increase the security of the systems they operate, improve their monitoring, and make use of tests to prevent unauthorized access;
- given the continuous evolution of cyber risk, intermediaries should constantly update their analysis of business vulnerabilities and their identification of the elements exposed to potential attack or intrusion;
- extend the scope of their insurance policies to cover cyber risk, in the awareness that such risk can be reduced but not eliminated.
By 2019 IVASS will carry out another investigation to evaluate compliance with the suggested measures and developments in the IT security sector. The letter to the market is available for download (in Italian only).