FERMA urges EU to simplify cyber incident reporting for companies

New report offers guidance to risk managers


By Kenneth Araullo

The Federation of European Risk Management Associations (FERMA) is urging European Union institutions to simplify cyber incident reporting requirements and to consider the insurance implications of cyber-related legislation. The call follows the release of a new report that offers guidance to risk managers on navigating recent and upcoming regulations.

The report, titled “Cyber Reporting Stack: Navigating EU Incident Reporting Requirements for Risk Managers”, was produced in collaboration with WTW. It provides risk managers with a detailed overview of the evolving cyber policy landscape and outlines the reporting requirements for various cyber incidents.

The report includes case studies covering different breach scenarios and offers guidance on reporting obligations under several regulations, including the General Data Protection Regulation (GDPR), the Network and Information Security Directive (NIS) and its successor (NIS 2), the Digital Operational Resilience Act (DORA), and the Cyber Resilience Act (CRA).

FERMA president Charlotte Hedemark commented on the growing reporting burden faced by companies.

“FERMA believes companies need a more streamlined and consistent set of requirements when it comes to reporting on cyber incidents,” she said. “This reporting should help EU authorities, businesses, and citizens to better understand the cyber threat—but this will only work if it’s easy, safe, and secure for companies to provide information.”

The report suggests exploring the possibility of a "single point of entry" for cyber incident notification to reduce the complexity of the reporting process. It also provides guidance for EU Member States on how to streamline procedures and minimise the number of entities involved in incident reporting.

Philippe Cotelle, chair of FERMA’s Digital Committee, highlighted the lack of specific regulations on cyber risk management and its insurance implications.

“We are acutely aware that while risk management plays a vital role in building resilience to, and recovery from, cyber-attacks, there are no regulations that give technical specifications of what risk management measures organisations should take, nor are there any that consider the insurance implications,” Cotelle said.

The report urges the European Commission to factor in the insurance and risk transfer implications when conducting impact assessments for any future EU cyber legislation.

Laure Zicry, head of FINEX Cyber for Western Europe at WTW, commented on the importance of managing cyber risks.

“The cyber incident reporting rules and requirements covered by this whitepaper deal with cross-functional issues and therefore need to be addressed by organisations accordingly. The role of the risk manager is crucial to guarantee that all risks have been properly identified and that the best mitigation strategies have been adopted,” Zicry said.

Hedemark concluded by expressing FERMA’s hope that the report will provide companies with greater clarity on cyber incident reporting requirements and help EU policymakers streamline their approach, potentially leading to simplification of the reporting process.

“We also hope that the knowledge derived will help European policymakers to streamline their approach to cyber incident reporting and lead to some simplification of reporting, enabling companies to devote a greater proportion of their resources and knowledge to assessing, managing and responding to this risk,” Hedemark said.
