Fredrik Seemann
Norelid Advokatbyrå, Stockholm
fredrik.seemann@norelidlaw.com

Johanna Eriksson
Norelid Advokatbyrå, Stockholm
johanna.eriksson@norelidlaw.com

The Swedish financial supervisory authority, Finansinspektionen (the Swedish FSA), recently released a statement on financial sector cybersecurity.^[1] It stated that the security situation in Sweden’s geographical vicinity has worsened, especially in light of Russia’s invasion of Ukraine. While explaining that energy and electronic communications are essential for a society’s functioning and therefore natural targets, the statement argues that other infrastructure is also threatened, such as finance, including insurance companies.

In short, the Swedish FSA has concluded that the financial sector’s resilience against cyber-attacks ought to be strengthened, as an attack on the Swedish financial system may have both immediate and indirect consequences for the overall confidence of the sector.

New cybersecurity obligations for the insurance sector

For the financial sector as a whole, cybersecurity legislation has already been implemented, namely, the Network and Information Security Directive (Directive (EU) 2016/1148, ‘NIS’). While NIS imposes cybersecurity obligations on banks and several other types of financial entities, insurance companies are outside of its remit. Insurance companies are also expected to remain outside the scope of the EU’s upcoming updated version of NIS (NIS2).

Nevertheless, insurance companies are unlikely to remain outside the remit of EU regulations on cybersecurity for much longer, as the Digital Operational Resilience Act (DORA) will subject financial entities, including insurance companies, to cybersecurity obligations. Consequently, the DORA may present a greater organisational challenge for the insurance sector within the EU than for the other financial sectors which have already been subject to NIS.

The Digital Operational Resilience Act

The European Council presidency and the European Parliament have concluded a provisional agreement concerning the DORA, paving the way for the DORA’s enactment. The new legislation will impose obligations on actors in the financial sector, including insurance and reinsurance companies, insurance and reinsurance intermediaries, ancillary insurance intermediaries and IT service providers employed by the above entities. Obligations will be proportional to the size of the regulated company.

Largely as a result of growing cyber risk vulnerabilities, the proposed legislation aims specifically at filling in gaps identified in EU legislation regarding the financial sector’s cybersecurity. While relevant legislation exists on aspects of cybersecurity, for example, the recommendations on outsourcing to cloud service providers (EIOPA -BoS-20-002) and on systems of governance (including IT risk management, see EIOPA-BoS-14/253), the extensive use of complex contract arrangements with IT service providers and sub-contractors poses significant risks, which have not previously been subject of regulation, for financial entities’ ability to monitor cybersecurity. The DORA sets out requirements relating to cybersecurity for financial entities consisting of, for example: information and communications technology (ICT); risk management (including data backup policies and cyber-attack response); incident reporting and recording; resilience testing; and information sharing.

Third-party service providers

According to the DORA, an ICT third-party service provider, means an entity providing a financial entity with digital and data services, for example, cloud services, software and data analytics, among others. Systemically important ICT service providers, that is, service providers on which financial entities place critical importance, will be designated critical ICT third-party service providers. Critical ICT third-party service providers will be assigned to a ‘lead overseer’ (eg, EBA, ESMA or EIOPA), which will supervise the critical ICT third-party service provider’s managing of ICT risks. Critical ICT third-party service providers will therefore be under direct EU supervision and accordingly will be subject to investigations regarding their technical, legal and organisational IT management. For non-critical ICT third-party service providers (which will not be subject to full supervisory scrutiny), the regulation primarily entails requirements relating to contractual arrangements between a financial entity and an ICT third-party service provider.

For instance, in insurance entities’ contracts with ICT third-party service providers, the DORA will require the inclusion of, inter alia, access, audit and inspection rights; clear and complete descriptions of sub-contracted services; a statement as to the location of all sub-contracted services; notice periods; and reporting obligations. It may be difficult as a practical matter to ensure that all of these types of provisions are included, let alone enforced, in the context of outsourced IT services.

Financial entities face reporting requirements under several different items of legislation, inter alia, GDPR, NIS and eventually DORA. The Swedish FSA proposes a single incident-reporting portal for all reporting obligations applicable to financial entities, including filing a police report. This is to simplify the reporting process and avoid duplicate reports for the same incident, as well as to enable all authorities concerned to provide their expertise.

Supervision

The DORA also involves enhanced supervisory capabilities for national and EU authorities with regards to the affected financial/insurance entities’ control over their digital environment and functions. Since the regulation also involves obligations for financial entities related to its outsourced IT functions, that is, its ICT third-party service providers, this ultimately means that EU supervisory authorities will have the ability to monitor ICT third-party service providers designated as critical service providers (ie, under the supervision of either EBA, ESMA or EIOPA), as referred to above.

Due to increased cyber threats, the Swedish FSA proposes extending its supervision of financial entities regarding cybersecurity. The Swedish FSA has up to now placed its cyber supervisory focus on large and medium-sized banks, but now proposes to include other types of financial enterprises, specifically large insurance companies, in its cyber efforts.

The Swedish FSA also proposes to involve the Swedish Armed Forces, the Swedish Civil Contingencies Agency, the Swedish Security Service and the Swedish National Defence Radio Establishment (the national authority for Signals Intelligence). The involvement of these national authorities would mark a significant strengthening of cybersecurity supervision and guidance to the financial sector, specifically the involvement of the Swedish National Defence Radio Establishment, lending its technical expertise to individual companies (and presumably, the FSA as well) in the financial sector.

Penalties

The DORA will also impose sanctions for non-compliance, including pecuniary penalties up to one per cent of the average daily worldwide turnover of the critical ICT third-party service provider in the preceding business year for each day the non-compliance persists during a six-month period. For potential breaches of the DORA by non-critical ICT third-party service providers, however, the current proposal states that the member states shall impose appropriate administrative penalties and remedial measures including the issuance of orders to cease non-compliant conduct as well as pecuniary penalties.

When will the DORA come into force?

The DORA is likely to include an implementation period from it entering into force to allow financial entities to adapt to the proposed legislation. The duration of implementation period has not yet been decided. According to the proposal’s legislative text, the implementation period will be 12 months, with the exception of the provisions on threat-led penetration testing (a form of testing that imitates a ‘real’ cyber-attack) and the requirements for carrying out such testing, as to which, according to the current proposal, implementation will take place over 36 months. In light of this, assuming passage during 2022, full implementation of the DORA will likely take place during 2024. This is in line with the Swedish FSA’s current expectation.

Summary

Although most insurance companies have already implemented cyber security measures for commercial reasons, the proposed EU regulation DORA will entail not only further security directives but also sanctions for non-compliant entities. The Swedish FSA’s proposal to extend its supervision to include larger insurance companies further suggests that insurance companies will have their cyber security increasingly scrutinised by authorities. The inclusion in this regime of Swedish authorities in Signals Intelligence also demonstrates the gravity that these financial sector cyber risks pose for society as a whole in the eyes of policymakers and regulators.