19.09.2013
Key Positions

Information Technology

Digital information and communication are an integral component of private and business life. Never before have consumers, enterprises and public administrations been so closely linked with each other as they are today, at all times and from nearly any place. In the insurance industry alone, 460 million contracts result in nearly 800 million letters to customers annually, which are processed every business day through automated business procedures and electronic data processing systems.

For the insurance industry, a secure legal framework and safe IT infrastructures are of fundamental importance for electronic communication. The industry thus urges the further development of technical and legal framework conditions that meet the growing demands of its communication partners (customers, authorities and service providers) and facilitate legally secure application of new technologies, such as cloud computing.

With the GDV industry network, the insurance industry has created a secure and reliable infrastructure in the digital realm to support data exchange between authorized communication partners inside and outside the insurance industry. The security and data protection of the industry network are documented by a certificate from the Federal Office for IT Security (BSI). The insurance industry intends to continue to develop the GDV industry network into a “Trusted German Insurance Cloud (TGIC)”, a reliable solution that supports electronic communication with government (e-government) and electronic commerce applications (e-business). The components of TGIC are also certified by BSI.

Through the Crisis Reaction Center for the IT Security of the German Insurance Industry (LKRZV), the German insurance industry ensures a reliable communications infrastructure for messaging and data exchange. Through this entity, the industry is a leader in IT security in comparison to other industries. The entity functions as an early warning system for insurance-related IT security incidents, ensuring that this critical infrastructure is maintained. This creates a basis for digital information exchange that integrates all enterprises and institutions involved in the insurance business. Data protection requirements are thus implemented in an exemplary fashion.

The possibilities offered by rapid progress in information and communications technology to customers and companies are far from being exhausted. Customers expect a high degree of security and simple procedures in electronic communications with companies and authorities. Companies want to avoid redundant processes and bureaucratic costs. With the new personal ID card and De-Mail, necessary but in no way sufficient prerequisites have been created for this.

Therefore, the legislative framework conditions must be expanded and existing legal uncertainties must be resolved. The planned E-Government Act and the project to promote electronic legal transactions provide good approaches. Now, lawmakers must take pragmatic decisions to expand the application possibilities for the new personal ID card and De-Mail, thus boosting their acceptance.

Our Positions
E-government and e-business: Expand application options and resolve legal uncertainties
Efforts to establish legally secure electronic communication often fail because of the requirement for the written form, i.e. the oft-requested actual signature. The draft E-Government Act sets out a solution to this problem, which the insurance industry supports. In addition to an electronic signature, the draft provides for alternative standards for electronic authentication. Beyond the new personal ID card and the De-Mail procedure, it must also remain possible to accommodate future technological innovations in current communications procedures. The planned Act to Promote Electronic Legal Transactions only provides solutions for communications with federal authorities. Yet electronic communications do not stop at municipal or state borders. The authorities of the Federal Government, federal states and municipalities must act in concert when implementing new technological applications and procedures. Uniform legal and administrative action is needed so that the new personal ID card and De-Mail can be used in private and business affairs today and with technological developments in the future.
IT Security Act: Recognize established procedures to protect electronic business processes
More and more private and public organizations will in the near future be relying on cloud computing, i.e. the provision of data storage and networks in abstract IT infrastructures. Protecting critical infrastructures from cyber-criminality is therefore highly important. The insurance industry thus welcomes the initiative of the Federal Ministry of the Interior to further strengthen IT security through a legislative framework. Yet, when all operators of critical IT infrastructure are required to meet certain minimum IT security standards and reporting duties in the future, it should be taken into account that the insurance industry, in contrast to other industries and sectors, already has a recognised procedure to protect its electronic communications and business processes.
  • Insurance companies maintain protective procedures whose reliability and security are regularly tested by independent auditors in accordance with recognised standards. The obligation foreseen in the draft IT Security Act for recognised auditors to carry out additional security audits in two-year cycles is therefore excessive. It would lead to significant additional costs for companies, a burden that is hardly manageable for small and medium-sized companies.
  • Legal reporting duties should be in line with proven processes, like those which already exist at the insurance industry’s Crisis Reaction Center (LKRZV). The established channel between the LKRZV and the Federal Office for IT Security must be preserved and expanded. Parallel reporting structures would be an obstacle.
  • The competence granted to the Federal Office for IT Security to investigate and review available hardware and software components is reasonable as support for other test institutes. However, tests should take place before components are released to the market and in line with tests at other standardisation bodies, such as the VdS test seal. Negative test results and their publication should not cause users of these components to be evaluated negatively. Instead, test findings should serve to show manufacturers where there is room for improvement and to encourage prompt corrections.