IT Security Regulatory Update | May 2024
Focus: 20th IT Security Congress, digitalization of the European insurance sector, DORA
The 20th IT Security Congress
On May 7–8, 2024, the BSI published the 450-page documentation of the congress. Among the topics discussed were the following:
– Governance and security in end-to-end automation in the cloud, using Microsoft as an example: In Germany, Microsoft Office 365 has become an integral part of many company processes. Programs such as MS Word, PowerPoint and Excel are indispensable, and the increase in remote working makes MS Teams increasingly important. In addition to these well-known tools, employees also have access to lesser-known applications such as the Power Platform through their Office 365 accounts. Thanks to a low-code/no-code approach, this enables users to carry out automation without programming knowledge and to create so-called Citizen Developer workflows and apps. Although many companies emphasize information security and have dedicated departments to train and audit employees, they often overlook the fact that Microsoft tools can be used without restriction. The Power Platform can therefore be used without the involvement of the IT department, which leads to security gaps and shadow IT. Since many companies do not include the Power Platform in their strategic planning and do not implement a role and authorization concept or standardized application lifecycle management (ALM), workflows and apps are created in an uncontrolled manner, which can cause potentially critical security gaps.
– Sensitization of employees to AI-supported cyberattacks: AI systems have developed rapidly and are not only used legitimately in the private and business sectors, but are also used by cyber criminals for attacks such as email phishing, social engineering and deepfakes. Companies should develop strategies to counter such attacks. As technical protective measures are often inadequate, raising employee awareness is particularly important. One example of this is a digital escape room to raise awareness of AI-supported cyberattacks, such as the one implemented at EnBW Energie Baden-Württemberg AG. The article describes the process, the technical implementation and the evaluation of this measure.
The congress documentation of the 20th IT Security Congress can be found here.
Source: Federal Office for Information Security – BSI, https://www.bsi.bund.de/

EIOPA’s report on the digitalization of the European insurance sector
EIOPA has implemented its market surveillance mandate through several initiatives, such as its annual consumer trend reports, thematic reviews, public consultations or by organizing InsurTech roundtables and workshops with stakeholders from the insurance sector. In 2021, EIOPA also established an expert advisory group on digital ethics in insurance, which concluded its term of office with the publication of a report on the principles of AI governance. In addition to the tools mentioned above and in line with its annual work programme, EIOPA issued a market monitoring survey on digitalization in 2023 to gather further empirical evidence on the state of digitalization of the European insurance sector and to keep pace with the rapid changes that innovation is bringing to the insurance sector. The survey was published on EIOPA’s website and distributed to insurance companies via the respective national competent authorities, with the aim of covering at least 60% of total gross premium income in each national market. It comprised both life and non-life insurance business (reinsurance), including both retail and corporate clients. No intermediaries were approached during this phase. The survey was launched in the second quarter of 2023, with a total of 209 responses from (re)insurance companies from 22 EU Member States.
You can find EIOPA’s report here.
Source: European Insurance and Occupational Pensions Authority – EIOPA, eiopa.europa.eu
DORA – Preparation of the ESAs and the industry
ESMA published its newsletter for April 2024, focusing in particular on DORA. Under the Digital Operational Resilience Regulation (DORA) and from 2025, financial institutions will be required to keep registers with information on their use of third-party ICT providers. In this dry-run exercise, this information is collected from the financial institutions via their competent authorities and serves as preparation for the implementation and reporting of the register information in accordance with DORA. The main objective of the draft regulatory technical standards (RTS) is to define the criteria for the composition of the joint audit teams – ensuring a balanced participation of staff from the ESAs and the competent authorities – as well as the appointment of members, their tasks and working arrangements. These draft RTS aim to ensure maximum efficiency and effectiveness in the functioning of the joint audit teams, given their central role in the day-to-day supervision of critical third-party providers (CTPPs). The proposed technical standards take into account the high technical complexity of monitoring activities and the limited availability of the necessary expertise.
The ESMA newsletter can be found here.
Source: European Securities and Markets Authority – ESMA, esma.europa.eu
At ADWEKO, we keep an eye on national, European and international regulations for you and support you in their implementation.