“Insurance firms are not waiting for Article 50 to be triggered before implementing their strategies on location”, Director of Insurance Supervision, Sylvia Cronin

09 March 2017 Press Release


  • We are committed to consistent regulatory and supervisory standards to mitigate some of the Brexit-related uncertainties facing firms.
  • Central Bank has invested significantly to ensure the quality of Solvency II data.
  • Survey of firms shows board engagement with IT and cybersecurity strategies.

Speaking at a KPMG Annual Client & Training Event today, Director of Insurance Supervision, Sylvia Cronin addressed the key issues currently facing insurance firms: Brexit, Solvency II reporting and IT and cybersecurity.

On the subject of Brexit, Ms Cronin said that “Since November, we have received 5 applications for authorisation as insurance or reinsurance undertaking. A further 5 entities have signalled a firm intention to apply for such an authorisation. We have been contacted by approximately another 20 insurance entities to discuss authorisation. Unlike other financial sectors, insurance firms are not generally waiting for Article 50 to be triggered before implementing their strategies on location.” She added that the Central Bank is “open to discussion and engagement with any applicant. Our website contains extensive information on our approach to authorisations. A firm will not be authorised unless it demonstrates compliance with the requirements specified in law.”

Ms Cronin added that “EIOPA’s work on supervisory convergence through the supervisory handbook and peer reviews helps ensure a certain and consistent supervisory approach across the EU.”

On the quality of data submitted under Solvency II, she said: “Boards are accountable for the accuracy of information submitted to supervisory authorities. Directors should not sign off on these submissions without thoroughly satisfying themselves as to the accuracy of the information and the effectiveness of the processes, systems and controls to ensure this accuracy.”

On IT and cybersecurity, she said that “the risks associated with IT and cybersecurity are a key concern. This is based on the potential implications for firms, consumer protection and financial stability more broadly. Accordingly, we have dedicated much effort to ensuring firms take action to manage these risks.”

Ms Cronin shared some of the findings from an industry questionnaire to lower impact firms on cybersecurity, which found that:

  • 87% of undertakings claim that IT risks are identified and assessed as part of a regular review process, with an IT risk register maintained.
  • 50% of firms do not have standalone IT risk management frameworks in place.
  • 63% of undertakings do not have a board-approved IT and cybersecurity strategy.
  • 39% of firms do not regularly report IT and cyber risks to the board.
  • 57% of firms do not have a board-agreed programme in place for regular cyber risk assessments and vulnerability scanning.

She added that “the most pronounced deficiencies relate to the governance around IT and cybersecurity. These findings point to significant weaknesses in the IT and cyber risk culture within firms. I must emphasise how crucial board involvement is. The extent of board engagement with IT and cyber risk is an indicator of the priority accorded to such risk and the ability to manage it.”