First-of-its-kind study, produced in partnership with WTW, provides cyber guidance to risk managers, calls upon the EU to simplify reporting requirements, and raises insurance considerations
Brussels, 04 October 2024 – FERMA is urging EU Institutions to streamline cyber reporting requirements as well as consider the insurance implications of cyber-related legislation, following the release of a new report providing guidance on recent and upcoming regulations.
The first-of-its-kind report – Cyber Reporting Stack: Navigating EU incident reporting requirements for risk managers – was produced in partnership with leading global advisory, broking and solutions company, WTW (NASDAQ:WTW) and provides risk managers with comprehensive advice on managing reporting requirements across a widening cyber policy environment.
Including a series of case studies spanning different critical breach scenarios, the document delivers guidance on reporting requirements across regulations including General Data Protection Regulation (GDPR); Network and Information Security (NIS); Network and Information Security (NIS 2); Digital Operational Resilience Act (DORA); and the Cyber Resilience Act (CRA).
Commenting on this increasing cyber reporting burden, Charlotte Hedemark, President, FERMA, said: “FERMA believes companies need a more streamlined and consistent set of requirements when it comes to reporting on cyber incidents. This reporting should help EU authorities, businesses and citizens to better understand the cyber threat—but this will only work if it’s easy, safe and secure for companies to provide information.”
As part of efforts to reduce this burden, the report recommends exploring the potential for a “single point of entry” for cyber incident notification, while also providing EU Member States with guidance on how to streamline processes and the number of entities involved.
Philippe Cotelle, Chair, Digital Committee, FERMA, said: “We are acutely aware that while risk management plays a vital role in building resilience to, and recovery from cyber-attacks, there are no regulations that give technical specifications of what risk management measures organisations should take, nor are there any that consider the insurance implications.”
The report calls upon the European Commission to consider the insurance and risk transfer implications of any future EU cyber legislation when conducting an impact assessment.
Laure Zicry, Head of FINEX Cyber, Western Europe, WTW, said: “WTW is delighted to work with FERMA on such an important report. Managing cyber risks is paramount for every company that takes very seriously the confidentiality of their client’s data and its network security. The cyber incident reporting rules and requirements covered by this whitepaper deal with cross-functional issues and therefore need to be addressed by organisations accordingly. The role of the risk manager is crucial to guarantee that all risks have been properly identified and that the best mitigation strategies have been adopted.”
Hedemark concluded: “We hope that it will give companies greater clarity about cyber incident reporting requirements and how those relate to the bigger picture of understanding this global threat.
“We also hope that the knowledge derived will help European policymakers to streamline their approach to cyber incident reporting and lead to some simplification of reporting, enabling companies to devote a greater proportion of their resources and knowledge to assessing, managing and responding to this risk.”
FERMA will also present on the findings of the report at the FERMA Forum in Madrid at 13.30 on 22 October at the Federation’s stand.