← Frameworks / Prudential Regulation

Solvency II Directive (2009/138/EC) — ICT and Security Risk

EU prudential regulation for insurance and reinsurance undertakings. Pillar 2 governance and risk management requirements include ICT risk, operational resilience, outsourcing controls, and key function holder accountability. Supplemented by EIOPA Guidelines on ICT Security and Governance (EIOPA-BoS-20/600) covering information security policy, logical security, cryptography, operations security, security monitoring, business continuity, and third-party ICT risk management.

Clauses: 37

Avg Coverage: 64.5%

Publisher: European Parliament and Council / EIOPA Version: 2009/138/EC (EIOPA GL 2020)

Solvency II → SP 800-53 SP 800-53 → Solvency II Coverage Analysis

Clause	Title	SP 800-53 Controls
Art.41(1)	System of governance — general governance requirements	AC-01 CA-01 PL-01 PL-09 PM-01 PM-02 PM-29
Art.41(3)	System of governance — written policies	AC-01 AT-01 AU-01 CA-01 CM-01 CP-01 IA-01 IR-01 MA-01 MP-01 PE-01 PL-01 PS-01 RA-01 SA-01 SC-01 SI-01 SR-01
Art.42	Fit and proper requirements for persons running the undertaking	PS-01 PS-02 PS-03 PS-06 PS-09
Art.44(1)	Risk management — effective risk management system	PL-09 PL-10 PL-11 PM-01 PM-28 PM-29 RA-01 RA-03 RA-07 RA-09
Art.44(2)	Risk management — coverage of risks including operational risk	PM-08 PM-09 PM-11 PM-28 RA-01 RA-02 RA-03 RA-07
Art.45	Own Risk and Solvency Assessment (ORSA)	CA-02 CA-05 CA-07 PM-09 PM-28 RA-03 RA-07 RA-09
Art.46	Internal control — compliance function	AU-01 AU-06 CA-02 CA-05 CA-07 PM-04 PM-06 PM-14
Art.47	Internal audit function	CA-02 CA-05 CA-07 PM-06 PM-14
Art.48	Actuarial function
Art.49(1)	Outsourcing — general requirements and oversight	AC-20 PS-07 SA-04 SA-09 SA-21 SR-01 SR-02 SR-03 SR-05 SR-06
Art.49(2)	Outsourcing — critical or important operational activities or functions	RA-09 SA-04 SA-09 SR-01 SR-02 SR-03 SR-06 SR-10
Art.49(3)	Outsourcing — data protection and confidentiality	AC-04 PT-01 PT-02 PT-03 PT-04 SA-09 SC-08 SC-28 SI-12
DR.258	Delegated Regulation Art. 258 — general governance requirements	AC-01 AT-01 CA-01 PL-01 PL-09 PM-01 PM-02 PM-29 PS-01 PS-09
DR.259	Delegated Regulation Art. 259 — remuneration policy
DR.260	Delegated Regulation Art. 260 — risk management function	PM-01 PM-02 PM-09 PM-28 PM-29 RA-01 RA-03 RA-07
DR.266	Delegated Regulation Art. 266 — operational risk management including IT risk	AC-01 AT-01 AT-02 AT-03 CA-01 CA-02 CM-01 CM-02 CM-06 CP-01 CP-02 IA-01 IR-01 IR-04 PM-01 PM-08 PM-09 PM-11 RA-01 RA-03 RA-05 SA-01 SC-01 SI-01 SI-02
DR.266-BCP	Delegated Regulation Art. 266 — business continuity and disaster recovery	CP-01 CP-02 CP-03 CP-04 CP-06 CP-07 CP-08 CP-09 CP-10 CP-12 CP-13
DR.266-DataSec	Delegated Regulation Art. 266 — data security and information classification	AC-03 AC-04 AC-16 CM-08 CM-12 MP-01 MP-02 MP-03 MP-04 MP-06 RA-02 SC-08 SC-12 SC-13 SC-28 SI-12
DR.267	Delegated Regulation Art. 267 — investment risk management	PM-09 RA-03
DR.272	Delegated Regulation Art. 272 — outsourcing policy	AC-20 PS-07 SA-04 SA-09 SR-01 SR-02 SR-03 SR-04 SR-05 SR-06 SR-07 SR-08 SR-10 SR-11
DR.274	Delegated Regulation Art. 274 — contingency plans for outsourcing	CP-02 CP-04 SA-09 SR-01 SR-12
EIOPA-Cloud-GL3	EIOPA Cloud Outsourcing Guidelines — due diligence and risk assessment	AC-20 RA-03 RA-09 SA-04 SA-09 SR-02 SR-03 SR-04 SR-05 SR-06
EIOPA-Cloud-GL7	EIOPA Cloud Outsourcing Guidelines — access and audit rights	CA-02 SR-06 SR-10
EIOPA-Cloud-GL9	EIOPA Cloud Outsourcing Guidelines — data protection and data location	AC-04 CM-12 PT-01 PT-02 PT-04 SC-08 SC-28 SI-12
EIOPA-Cloud-GL11	EIOPA Cloud Outsourcing Guidelines — exit strategies and portability	CP-02 SA-09 SR-01 SR-12
EIOPA-ICT-4.1	EIOPA ICT Guidelines — ICT governance and strategy	PL-01 PL-02 PL-09 PM-01 PM-02 PM-03 PM-29 SA-02
EIOPA-ICT-4.2	EIOPA ICT Guidelines — ICT risk management framework	CA-02 CA-07 PL-09 PL-10 PL-11 PM-01 PM-09 PM-28 RA-01 RA-03 RA-07 RA-09
EIOPA-ICT-4.3	EIOPA ICT Guidelines — ICT asset management and classification	AC-16 CM-08 CM-12 CM-13 RA-02 RA-09 SA-05
EIOPA-ICT-4.4	EIOPA ICT Guidelines — logical security and access control	AC-01 AC-02 AC-03 AC-05 AC-06 AC-07 AC-11 AC-12 AC-17 IA-01 IA-02 IA-04 IA-05 IA-08 IA-12
EIOPA-ICT-4.5	EIOPA ICT Guidelines — physical security	PE-01 PE-02 PE-03 PE-04 PE-05 PE-06 PE-08 PE-09 PE-10 PE-11 PE-12 PE-13 PE-14 PE-15 PE-17 PE-18
EIOPA-ICT-4.6	EIOPA ICT Guidelines — network security	AC-04 AC-17 AC-18 AC-19 CA-03 SC-02 SC-03 SC-05 SC-07 SC-08 SC-20 SC-21 SC-22 SC-46 SC-47
EIOPA-ICT-4.7	EIOPA ICT Guidelines — cryptography and key management	IA-07 SC-08 SC-12 SC-13 SC-17 SC-28
EIOPA-ICT-4.8	EIOPA ICT Guidelines — ICT operations management	CM-02 CM-03 CM-04 CM-05 CM-06 CM-07 CM-14 MA-01 MA-02 MA-03 MA-06 SI-02 SI-07 SI-13
EIOPA-ICT-4.9	EIOPA ICT Guidelines — ICT incident and problem management	AU-06 IR-01 IR-02 IR-03 IR-04 IR-05 IR-06 IR-07 IR-08 IR-09 SI-04 SI-05
EIOPA-ICT-4.10	EIOPA ICT Guidelines — business continuity management	CP-01 CP-02 CP-03 CP-04 CP-06 CP-07 CP-08 CP-09 CP-10 CP-12 CP-13 SC-24
EIOPA-ICT-4.11	EIOPA ICT Guidelines — ICT project management and change	CM-03 CM-04 CM-05 CM-14 SA-03 SA-08 SA-10 SA-11 SA-15 SA-17
Pillar3-Reporting	Pillar 3 — supervisory reporting and public disclosure (data integrity)	AU-02 AU-03 AU-09 AU-10 AU-11 SI-07 SI-10 SI-12