Technological developments are changing the framework conditions in the financial market and are opening up new opportunities for insurance undertakings, that are however also bound with risks. In addition, the Covid-19 pandemic has accelerated innovations and digital interconnectedness, while current geopolitical developments have further increased challenges relating to the usage of information and communication technologies (ICT).
In this environment, the FMA is continuing its analysis of the state of digitalisation in the Austrian financial market. Based on this, the FMA is able to take preventative measures, to initiate improvements in the legal framework, determine the intensity of supervision of individual supervised undertakings in a more risk-adequate manner, and to act in a risk-based and forward-looking manner in planning and setting the priorities for supervision.
Strengthening of cyber resilience is the centrepiece of legal development.
- Since publishing its FinTech Action Plan in March 2018, among other things, the European Commission has been pursuing the objective of strengthening the defences of the EU ’s financial sector against cyber attacks. Within the Digital Finance Package, rules were also proposed in September 2020 for strengthening digital operational stability in conjunction with the use of information and communication technologies. The accompanying Regulation on Digital Operation Resilience in the Financial Sector (DORA Regulation) applies from 17 January 2025. It addresses the topics of ICT risk management and ICT incident reporting, resilience tests (incl. Threat Led Penetration Tests), ICT service risks as well as the exchange of information on cyber risks between entities.
- The FMA made its publication FMA -Leitfaden IT -Sicherheit in Versicherungs- und Rückversicherungsunternehmen (“FMA Guide on IT Security for Insurance and Reinsurance Undertakings” – available in German only) available as guidance for entities back in 2018.
- The FMA Guide was replaced in July 2021 by the EIOPA Guidelines on information and communication technology security and governance.
- From the 17th January 2025 DORA (the Digital Operational Resillience Act) will enter into force for wide sectors of the financial market, including insurance undertakings.
Furthermore the work of EIOPA , to which the FMA also actively contributes, also focuses on the topics of InsurTech and Big Data as well as on Cyber Underwriting and the development of efficient and innovative digital supervisory practices.
The European Commission’s proposed regulation for using artificial intelligence is also significant for insurance undertakings.
In the area of digitalisation, the FMA has taken the following measures and set the following priorities:
- Study on “Digitalisation of the Financial Market”: The FMA regularly conducts cross-sector analyses on digital transformation.
- Cyber Exercise: A reality-based simulation of a cyber attack is used to test entity-specific measures for ensuring cyber resilience and possibilities for improvements evaluated.
- FMA assessment on mitigations: The assessment aims to evaluate controls set by insurance undertakings to manage a selected cyber incident scenario.
- FMA Blackout Maturity Level Assessment: (in German only) preparations for a possible blackout and how to handle one were evaluated for the insurance sector.
- FMA Cyber Maturity Level Assessment: The FMA has used a tool developed in-house for measuring and evaluating the cyber resilience of Austrian insurance undertakings since 2019. See for example the FMA publication, Facts and Figures, Trends and Strategies 2021, and the item “Cyber Maturity Level Assessment” or FMA Digitalisation in the Austrian Financial Market – 2021, chapter 10 FMA Cyber Maturity Level Assessment.
- FMA Cloud Maturity Level Assessment: This tool was developed by the FMA to evaluate the precautions taken by insurance undertakings and Pensionskassen regarding the use of clouds in 2019. See also FMA , Digitalisation in the Austrian Financial Market – 2021, chapter 11 FMA Cloud Maturity Level Assessment.
- IT interdependencies: Based on the visualisation of interconnectedness in the IT service provider landscape in the insurance sector, potential concentration risks are presented and further deductions reached for supervisory strategy and practice. See also FMA Report 2022 on the state of the Austrian Insurance Industry (available in German only), chapter 2.10 Verflechtungen: IT-Provider (interdependencies: IT-provider).
- ICT-related incidents: the FMA enquires about such incidents and is thereby preparing insurance undertakings for future binding reporting requirements. See also the FMA Report 2021 on the state of the Austrian Insurance Industry (available in German only), chapter 2.13.2 IKT-bezogene Vorfälle – Cybervorfälle (ICT-related incidents – cyber incidents).
- Post Covid-19 related risks: Risks arising in conjunction with the return to presence working were analysed.
- Practice dialogue: There is an ongoing exchange with the sector about digitalisation issues.