Data security in the insurance sector

Cybersecurity and data security in the context of the use of artificial intelligence in the insurance sector were topics discussed during the 30th Banking & Insurance Forum, attended by Konrad Komornicki, Deputy President of the Personal Data Protection Office.

On the second day of the event, October 23, 2025, a panel discussion entitled "The insurer of the future - what are the modern operating models in insurance?" was held, with the participation of Konrad Komornicki.

Konrad Komornicki, Deputy President of the Personal Data Protection Office, drew attention to, among other things, the provisions of EU Regulation 2022/2554, applied since January 17 this year, which introduced common digital resilience rules throughout the European Union for, among others, insurance companies and intermediaries, aimed at limiting the effects of failures and cyberattacks and maintaining service continuity.

He emphasised that this act is complementary to the GDPR, focusing on ensuring that systems and providers operate securely and predictably, while the GDPR focuses on ensuring that personal data is processed lawfully and fairly, so together they build a complete picture of security and privacy.

In practice, this means identifying technological risks, testing critical processes, and quickly reporting serious incidents. Critical suppliers (e.g., large clouds) are subject to joint EU supervision by European supervisory authorities, but the responsibility for decisions and customer safety always remains with the insurance company," explained Konrad Komornicki.

Part of the discussion also focused on how technology is changing the insurance market and how artificial intelligence is affecting certain processes, including those related to customer service.

Konrad Komornicki pointed out that artificial intelligence supports certain processes by automating customer data analysis and personalising offers, as well as speeding up the claims settlement process. However, he noted that, in accordance with Regulation 2022/2554 and the GDPR, it is necessary to ensure that data processing is transparent, proportionate, and based on legal grounds. The Deputy President of the Personal Data Protection Office also added that artificial intelligence can support cybersecurity tasks, but the use of such technologies requires a strong framework for cybersecurity and data protection oversight.