IT-Security Regulatory Update | July 2022

Focus: on-site supervision of outsourcing for insurance companies

Highlight from July 2022

Insurance supervision in outsourcing under scrutiny

EIOPA recognizes potential for optimization in the supervision of outsourcing as a result of a peer review with various national supervisory authorities from the EU.

“Stay up to date with our monthly regulatory update on IT Security Management!”

Insurance supervision in the context of outsourcing with potential for adjustment

EIOPA has conducted a peer review of the Member States’ supervisory practices on outsourcing, identifying different levels of regulatory maturity. It attributes this to the fact that outsourcing is used to varying degrees within the EU. In general, EIOPA observed that fines and adjustments in contracts are rarely used as a supervisory tool by competent authorities. According to the report, an exit from the outsourcing agreement is also rarely requested. On-site audits are seen as the most effective tool. They are time-consuming and costly but purposeful for examining the overall governance structure related to outsourcing and for determining whether the company is able to meet Solvency II requirements related to the outsourced activities.

In this context, some supervisory authorities conduct specific on-site inspections of both the institution and the service provider, including the Federal Financial Supervisory Authority (BaFin). However, most do not perform specific audits on outsourcing, but only review it in the context of the general audit.


In addition to the general points, however, EIOPA also addresses specific adjustment and optimization potentials of the individual supervisory authorities. EIOPA had the following comments on BaFin’s supervisory practices:

1. Outsourcing notification: The structure of the requirements for the notification obligation should be defined and communicated more precisely. Notifications made by insurance companies should be reviewed for compliance and a proactive approach should be taken by the authority to address any concerns or need for change.

2. Outsourcing register: Similar to banks, insurance companies should also implement an outsourcing register. This will enable the authority to identify concentration risks at an early stage and take countermeasures.

3. Audit practice: In addition to on-site audits, off-site audits should also be developed and used as a supervisory tool.

It remains to be seen how BaFin will implement EIOPA’s suggestions.

You can find the EIOPA report here on their website.

Source: European Insurance and Occupational Pensions Authority – EIOPA,

Documentation requirements for information security in critical infrastructure

Critical infrastructures must document that they “have taken appropriate organizational and technical precautions to prevent disruptions to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes”, § 8a para. 3 in conjunction with para. 1 BSIG. The German Federal Office for Information Security (BSI) has published a guide to this documentation requirement, which is intended to support critical infrastructures.

In the document, the BSI discusses the importance of the duty and highlights why critical infrastructures should take it seriously. It takes a closer look at the elements of the legal documentation obligation and thus provides the user with valuable tips. The appendix of the guide also includes two examples, cited for each element, to help clarify the target state. In addition, the annex lists the individual requirements.

The BSI guide can be found here on its website.

Source: German Federal Office for Information Security – BSI,

How to map cyber threats

The European Union Agency for Cybersecurity (ENISA) is involved in the creation of a Cybersecurity Threat Landscape and has developed and published an approach in the course of this. The methodology comprises six steps and is intended to promote the transparent exchange of threat data in the EU.

The approach in detail: First, the target group of the landscape is considered, as well as what it is intended to achieve (step 1). The next step is to define how data should be collected (step 2) and processed (step 3). Subsequently, the data analysis and the context in which the data should be placed are addressed (step 4). Finally, the distribution of the data to the target groups defined at the beginning is addressed (step 5). Feedback is collected and analyzed throughout these five steps (step 6) so that it can contribute to process optimization on an ongoing basis.

Thus, the methodology can be summarized as follows:

1. Direction
2. Collection
3. Processing
4. Analysis and production
5. Dissemination
6. Feedback

The methodology of ENISA can be found here on their website.

Source: European Union Agency for Cybersecurity –

Although it is still unclear what steps BaFin will take as a result of EIOPA’s comments, it is clear that on-site examinations will continue to focus on outsourcing. Are you prepared for a visit by BaFin?

We at ADWEKO are happy to assist you in preparation as well as during the inspection.

Talk to Pia Streicher!