General Insurance Article - No one size fits all approach works for cyber resilience

 While welcoming efforts to increase resilience in the financial sector, Insurance Europe stressed that cyber risks faced by companies differ greatly from one industry to another. As such, a one-size-fits-all approach to the entire financial sector will not succeed.

 The Commission should engage in a fact-finding exercise to identify areas where the framework could add value, taking due account of the various needs of different financial services industries. This exercise should also take account of the many existing national initiatives that aim to enhance cyber and information security in financial services companies.

 Importantly, any measures to increase cyber resilience must be proportionate, not only to the type, size or financial profile of a company, but also to the risks it is exposed to and the systems and services that need to be protected and maintained. A risk-based approach to cyber resilience, distinguishing between critical and less critical functions, is therefore required.

 Finally, in order to avoid regulatory duplication and/or overload, care needs to be taken to ensure that the Commission’s work is carried out in close coordination with similar initiatives, such as EIOPA’s guidelines on outsourcing to cloud service providers and its draft guidelines on ICT security and governance.