The key source of private insurance law is the Austrian Insurance Contract Act (VersVG), which is based on general civil law provisions, in particular the General Civil Code Book (ABGB), and supplements these, but in some cases also supersedes them. The Austrian Insurance Contracts Act mainly focuses on the insurance contract itself and defines obligations for the insurer and the policyholder. Nevertheless, certain insurance contracts are excluded from the scope of application of the VersVG. This particularly applies to reinsurance contracts to which – in the absence of special statutory provisions – only general civil law applies.
The provisions of the VersVG are in turn supplemented – depending on the type of contract – by further regulations. For example, the provisions of the UGB (Commercial Code) apply to insurance contracts concluded by commercial enterprises. The provisions of the KSchG (Consumer Protection Act) apply to contracts with consumers.
In addition to contractual provisions, Austrian Insurance law is significantly influenced by the Insurance Supervision Act 2016 (VAG 2016). The VAG primarily defines (re)insurance companies as well as their organisational and regulatory framework, governance as well as capital and liquidity requirements. In addition, European Union legal acts such as the Solvency II Directive (Directive 2009/138/EC on the taking-up and pursuit of the business of Insurance and Reinsurance) or the IDD Directive (Directive EU 2016/97 on Insurance Distribution) have recently played a significant role in Austrian insurance law.
Although precedents are not legally binding, Austria’s Supreme Court decisions have an essential purpose in giving specific content to the law and determining the meaning of provisions. Decisions of lower courts are regularly also set aside by the Supreme Court if they are not in accordance with its case law.
The Austrian Insurance regulatory framework is essentially determined by the Insurance Supervision Act 2016 (VAG 2016), which implements the Solvency II Directive of the European Union.
The provisions of the VAG are supervised by the Austrian Financial Market Authority (FMA) and primarily aim to protect the insured person. Operation of an insurance company requires a licence from the FMA. Furthermore, the insurer is also obliged to disclose certain data. In this regard, IDD stipulates most disclosing and information obligations EU-wide. Nevertheless, insurance companies are only subject to formal monitoring, which means the supervisory authority cannot intervene in actual business activity. According to the Austrian Industrial Code, insurance and reinsurance intermediaries need a special business licence from the competent district administrative authority.
Worth mentioning in this context is the European Insurance and Occupational Pensions Authority (EIOPA), which ensures a common supervisory practice and uniform application of European rules. Although EIOPA has no direct legislative competence, it has a considerable influence on European standards as it draws up drafts of technical standards to which the European Commission subsequently gives binding legal effect in the form of resolutions or regulations.
The operation of a (re)insurance company requires licensing or authorisation by the FMA in the form of a concession. If an Austrian company is granted a licence to operate an insurance company, this licence in principle applies to all EU member states.
A separate concession must be applied for each class of insurance, whereby the operation of certain forms of insurance excludes other classes of insurance. Therefore, the parallel operation of a life insurance policy and a property insurance policy is excluded (under the principle of separation of lines of business).
In order to obtain a concession, the company applying for a concession must meet certain requirements. For example, the insurance company has to establish an effective risk management system, whereas capital and liquidity requirements follow the Solvency II Directive and Regulation (EU) 2015/35. Furthermore, the headquarters of the insurance company must be located in Austria. Foreign providers of intermediary insurance or reinsurance services need a domicile or branch in Austria unless bilateral treaties define otherwise. Apart from that, the insurance company needs at least two board members who are able to comply with governance regulations and sufficiency of own funds. Moreover, the purchase of a qualified share (any share which corresponds to at least 10% of the capital or the voting rights) has to be notified to the FMA.
Domestic insurance companies may only operate in the legal form of a stock company, societas Europaea or a mutual company. There are no differences between writing consumer insurances or corporate insurances regarding these requirements.
The insurance premiums paid by the policyholder are generally subject to the Insurance Tax Act (VersStG), which provides different tax rates for different lines of business.
For example, a motor-related insurance tax is charged on motor vehicles registered in Austria, which is calculated on the basis of the engine’s displacement or power. For motor vehicles that are not subject to motor-related insurance tax, the motor vehicle tax law applies. Another example is insurance premiums paid for fire insurance, which are subject to the Fire Protection Act; the Fire Protection Act levies a tax of 8%. Health insurance premiums are taxed at 1%, while life insurance premiums are taxed at either 4%, 11% or 18%.
Generally, every (re)insurance company needs an Austrian concession to offer insurance and reinsurance services in Austria. With regard to (re)insurance companies that do not have their headquarters in Austria, the Insurance Supervision Act does differentiate between (re)insurers domiciled in other signatory countries of the European Economic Area (EEA insurers) and (re)insurers based in other jurisdictions (referred to as “third-country insurance and third-country reinsurance companies”).
EEA insurers may carry out their business either by establishing a branch office in Austria or according to their freedom to provide services within the European Economic Area. Thus, EEA insurers do not require an additional licence to do business in Austria. However, there is a duty to notify their competent home country supervisory authority of their intention to conduct insurance business in Austria. Other than EEA insurers, third-country (re)insurance companies require a licence in order to be able to conduct insurance business in Austria. Such licence may be obtained from the FMA. In addition, third-country (re)insurers need to establish a branch office in Austria before doing business there.
Due to Brexit, the UK is no longer a member of the EU. In terms of the EEA Agreement, the UK is now a third country, which makes it harder for British companies to access the Austrian (re)insurance market.
Additionally, Section IV of the Insurance Supervision Act does provide specific licensing requirements for third-country (re)insurers. However, where the European Commission has determined the solvency regime of a third country to be equivalent in accordance with Article 172 (2) or (4) of Directive 2009/138/EC, the provisions of this Section shall not be applied to third-country reinsurance companies having their head office in that third country. Reinsurance contracts concluded with such companies shall therefore be treated in the same manner as reinsurance contracts concluded with EEA reinsurance undertakings. Section 4, paragraph 19a VAG provides further facilitation for companies with their seat in the USA, as the operation of reinsurance in Austria undertaken by a company with its headquarters in the USA does not need a concession. However, this only applies if the conditions of a bilateral agreement with the EU are met and the reinsurance business is not conducted through a domestic Austrian branch.
According to the FMA, fronting is only partly permitted. The complete transfer of risk from an insurance company signing business in Austria to one or more reinsurers (“fronting”) is prohibited as it runs counter to the fundamental principles of insurance business. However, there are circumstances under which the complete transfer of risk for a specific segment of the cedent’s insurance portfolio is permissible, subject to certain justifiable reasons, provided that such a fronting arrangement is temporary.
Due to the existing market structure, major merger and acquisition activities in Austria were rather scarce in the last few years. In general, Austrian law does not provide for a specific legal regime when it comes to merger and acquisition activities relating to insurance companies. Therefore, acquisition of an interest in insurance companies may, in principle, be conducted on the basis of a regular share purchase agreement.
Permit for Intended Acquisition
Austrian supervisory law defines a number of preconditions that a buyer of an insurance company has to meet in order to gain a permit for the intended acquisition by the FMA. Any acquisition of a qualifying holding (eg, a direct or indirect holding in an undertaking that represents 10% or more of the voting right or capital, or any other possibility of exercising a significant influence over the management of that undertaking) in an insurance or reinsurance company has to be notified to the FMA in advance. The same applies to acquisitions of shares by persons already being shareholders in the event they intend to increase their participation to 20%, 30% or 50%.
Prohibition of Intended Acquisition
The FMA may prohibit the intended acquisition if, following the assessment of the acquiring party, there are justified reasons to do so. The assessment criteria are set out in Section 26 of the VAG and include:
Corresponding notification duties exist in the case that a shareholder intends to sell their shares, or to decrease their shares below 20%, 30% or 50%. In case the whole insurance business is merged, the concession automatically transfers and no approval of the FMA is needed. The acquisition or sale is generally considered approved if the FMA does not prohibit such within 60 days following the notification.
The Austrian legal system knows three forms of insurance intermediation, which differ in very important aspects – especially with regard to the accountability of the intermediary. All distribution channels have to comply with the applicable regulations with regard to insurance distribution – these are (i) the Industrial Code (GewO), applicable to insurance agents and brokers, and (ii) the Insurance Supervision Act 2016 (VAG 2016), applicable to insurance companies. All intermediaries need a business licence for their intermediary services. To obtain such licence the intermediary has to file a business registration with the competent administrative authority.
Insurance companies are able to sell insurance contracts through employees (direct sales). In this scenario, employees function as direct representatives of the insurance company and are identifiable as such in all mediation activities. Co-operation is based on labour law regulations and is characterised above all by factual and (in contrast to other forms of mediation) personal instructions that are binding on the employee.
Insurance Agents
An insurance agent can either act exclusively for just one insurance company or as a multiple agent for several. The insurance agent as independent entrepreneur is responsible for compliance with corporate, company and, above all, trade law regulations. Despite this much broader relationship between insurance agents and insurance companies, co-operation is characterised by a close connection. Thus, the insurance agent is often contractually obligated to follow objective (but not personal) instructions. For example, the insurance agent is usually required to use the corporate identity of the insurance company to comply with internal insurance guidelines and business processes that are intended to ensure successful economic co-operation. Consequently, when it comes to mediating contracts, an insurance agent’s responsibility mirrors that of a directly employed staff member engaged in direct sales.
Insurance Broker
An insurance broker – just like an insurance agent – is an independent entrepreneur and must therefore be strictly separated from the insurance company. In contrast to the insurance agent, the insurance broker is not affiliated with the insurance company. Instead, they represent the policyholder, to whom they are liable in the event of improper advice. Actions that the insurance broker undertakes vis-à-vis the insurance company on behalf of the policyholder are thus basically attributable to the latter, as are actions undertaken by the policyholder themselves.
Due to their practical relevance in Austria, distribution by credit institutions (banks) should also be mentioned here. In principle, they are not subject to any particular restrictions; all forms of insurance intermediation are at their disposal. However, a separate approval of the Austrian Financial Market Authority (FMA) is required, as this authority assumes the function of a trade authority in the case of insurance brokerage by a credit institution.
When concluding the insurance contract, the policyholder must disclose all circumstances to the insurer, which are known to them and could be significant for the insured risk. Circumstances that can influence the insurer’s decision to conclude the contract or to agree to the terms, are considered significant. Circumstances, which the insurer asked for explicitly and in written form, are – in case of doubt – also considered significant. This duty of disclosure is a statutory obligation.
Insurers do not have to proactively seek information from the policyholder, but generally use clauses in their terms and conditions stipulating certain disclosable information and circumstances. The circumstances relevant to the assessment of the risk to be insured are in practice usually requested in the application form. If the applicant answers these questions truthfully and completely, it can usually be assumed that the applicant has fulfilled their obligation to disclose. However, based on the jurisprudence of the Austrian Supreme Court (Oberster Gerichtshof, or OGH), circumstances that are not expressly requested must be communicated additionally if an application question conclusively refers to them overall, or if their communication appears to be self-evident. After the contract has been concluded, the insured person has to inform the insurer about any increased risk.
The insurer is also obliged to inform the policyholder about their right to withdraw from the contract within 14 days. In case of life insurance, the policyholder may withdraw within 30 days.
If the policyholder culpably fails to report a significant circumstance, the insurer may withdraw from the contract. A withdrawal is only possible within one month from the date the insurer became aware of the violation of the disclosure obligation.
A withdrawal is nevertheless not possible if the policyholder is not to blame for the lack of notification or for the inaccuracy of their information (eg, if the policyholder answers an application question incorrectly or incompletely, because the insurer formulates it in an unclear way, or if the policyholder’s notification is lost by post). The withdrawal of the insurer leads to the cancellation of the contract from the outset – in other words, the contract is cancelled retrospectively from the beginning of the contractual relationship. Any claims that have already arisen shall be voided and both contracting parties must defer the benefits drawn from the contract.
Regarding the premium, despite the withdrawal, the insurer is entitled to that part of the premium that falls between the conclusion of the contract and the effectiveness of the withdrawal. In exchange, those events are covered that occur before the withdrawal becomes effective and do not fall within the hidden risk area. If a withdrawal from the contract is not possible (eg, due to lack of culpability), the insurer can adjust the premium to the increased risk or, under certain circumstances, terminate the contract.
In addition to these notification obligations of the policyholder, there are also certain information obligations of the insurer towards the policyholder that have to be provided for the most part prior to the conclusion of the contractual declaration of the policyholder. In the event of a breach of these pre-contractual information obligations, the law grants the policyholder the right to withdraw from the contract under certain circumstances.
Please refer to 5.1 Distribution of Insurance and Reinsurance Products.
The Austrian Insurance Contract Act does not stipulate a special form for the conclusion of an insurance contract. Therefore, according to general civil law, only a concordant declaration of intent of the contracting parties is required, which can be made not only in writing but also, for example, conclusively or even verbally. Only in a few cases is a written form required (eg, withdrawal from the contract).
According to civil law rules, an insurance contract must (only) stipulate the essentialia negotii of a contract, meaning the insured risk, the insurance fee and the nature of the insurance. Insurance companies often use general terms and conditions for multiple contracts, which have to comply with the Austrian Civil Code. Thus, surprise clauses or clauses grossly disadvantageous are prohibited. Regarding the content of an insurance contract, there are no further limits set.
Insurances can also be concluded for third parties. In D&O policies, the company concludes an insurance contract for the company whereas people in management functions are covered by the policies. The insured persons do not have to be named in the policies by name. It is sufficient if those people can be determined by their function. The knowledge of such persons is attributed to the insured company. Therefore, coverage can be denied in case the management violated an obligation.
Since insurance contract law is strongly influenced by the principles of general civil law, most of the relevant provisions in insurance law equally apply to entrepreneurs and consumers. In case the policyholder is a consumer, the Consumer Protection Act, which provides for special protection requirements, applies to the insurance contract. According to the Consumer Protection Act, general conditions must be clear and unambiguous; otherwise they are void.
Moreover, the Austrian Insurance Contract Act, for example, makes an explicit differentiation in connection with the period of engagement of the policyholder. If an insured person is a consumer, they are allowed to terminate the contract annually if at least three years have elapsed since the commencement of the insurance. The Austrian legislature obviously assumes that an entrepreneur can assess the consequences of their decision with regard to the commitment period better than an average consumer can.
Austrian law distinguishes between classical forms of reinsurance and concepts of alternative risk transfer. Austrian supervisory law explicitly addresses finite reinsurance activities as well as activities by special purpose vehicles pursuant to Directive 2005/68/EC.
Finite reinsurance is defined as reinsurance under which the maximum economic risk transferred, arising both from a significant underwriting risk and timing risk transfer, exceeds the premium over the lifetime of the contract by a limited but significant amount. Further, a finite reinsurance contract must provide for either combined consideration of the time value of money or contractual provisions to moderate the balance of economic experience between the parties over time to achieve the target risk transfer.
According to Austrian supervisory law, insurance and reinsurance companies that pursue finite reinsurance activities shall ensure that they are able to properly identify, measure, monitor, manage, control and report the risks arising from those contracts or activities. Whereas finite reinsurance contracts are widely considered genuine (re)insurance contracts, business conducted by special purpose vehicles when signing alternative risk transfer transactions is usually not classified as insurance business.
Special purpose vehicles are defined as companies other than an existing insurance or reinsurance company that assume risks from an insurance or reinsurance company and which fully fund their exposure to such risks through the proceeds of a debt issuance or any other financing mechanism where the repayment rights of the providers of such debt or financing mechanism are subordinated to the reinsurance obligations of such a company.
Special purpose vehicles with head offices in Austria require a licence pursuant to Section 105 of the VAG 2016 granted by the FMA in accordance with the provisions set forth in the implementing regulation 2015/462/EC. Special purpose vehicles pursuant to Section 105 of the VAG 2016 signing alternative risk transfer transactions do not as yet play a major role in the Austrian insurance market.
As outlined in 7.1 ART Transactions, alternative risk transfer transactions are generally not treated as insurance or reinsurance contracts under Austrian law. Therefore, foreign ART transactions are also not considered reinsurance contracts. However, Austrian supervisory law does provide for the possibility of considering both the recoverable from reinsurance contracts and special purpose vehicles pursuant to Directive 2005/68/EC when calculating the total amounts recoverable. Detailed provisions may be found in the EIOPA guidelines on the valuation of technical provisions (EIOPA-BoS-14/166).
Insurance contracts are generally – besides a few special exceptions in the Insurance Contract Act – interpreted like any other civil contract. Therefore, it is the will of the contracting parties that shall be decisive for interpretation. Of course, the peculiarities of insurance law imply a number of other circumstances relevant in the context of interpretation. For example, the insurance intermediary has to evaluate the customer’s wishes and needs on the basis of information provided by the customer. Intermediaries also have to draw up a consultation protocol for the entire consultation process. Furthermore, the will of the contracting parties can often be identified on the basis of the advertising materials used in the advisory process.
If it is not possible to ascertain a concurring will of the parties, the contractual declarations are to be interpreted – in accordance with the provisions of general civil law – on the basis of the bona fide exercise of traffic law. In this case, it depends on how a bona fide recipient of the declaration would have understood the contractual declaration in doubt. If there are still unclear issues after the interpretation of a contract, the contract has to be interpreted to the detriment of the person who made use of the unclear declaration. This is especially relevant in the context of the interpretation of insurance contracts, as it is generally not possible to clearly determine a party’s will regarding individual terms on the basis of the interpretation possibilities described above. Insurance contracts are therefore usually interpreted at the insurer’s expense if they are unclear.
Warranties are basically already stipulated by the Insurance Contract Act as well as the Austrian Civil Code. However, insurance contracts also often include a corresponding clause. If such clauses are specifically stated in the insurance contract, they are usually described as notification obligations.
If a policyholder culpably fails to report a significant circumstance as pointed out in 6.2 Failure to Comply with Obligations of an Insurance Contract, the insurer may withdraw from the contract. After the insurance contract has been concluded, the policyholder has to inform the insurer about any increased risk. The increase of such risk is only subsequently included in the insurance contract if the insurer agrees.
If the policyholder, after conclusion of the contract, does not disclose any increased risk, the insurer has the right to withdraw the contract without observing a notice period. If the policyholder is not at fault, the policyholder must accept the notice only after the expiry of one month. The right of notice shall expire after one month of the time at which the insurer becomes aware of the increased risk, or if the situation that existed before the increased risk is recovered.
In the event of a breach of the agreed contractual obligations, the insurance conditions usually stipulate the insurer’s discharge from liability. In this respect, it is essential for the policyholder to be aware of the obligations that apply to them and to fulfil such obligations in the event of a claim. However, the insurer’s discharge from liability does not apply if the policyholder is not at fault for the breach of the obligation.
Austrian Insurance Law knows conditions precedent as well as conditions subsequent.
Conditions precedent do not have to be explicitly named as such, but should be described as clearly as possible, as contracts containing conditions precedent only become effective if the stated condition is fulfilled. If a condition subsequent occurs, that event ends one party’s obligation to the other.
Insurance contract disputes are subject to general civil jurisdiction unless they are social insurance claims. Since insurance companies are operating in the form of a joint-stock company or a European joint-stock company, the civil courts, as district or regional courts in commercial matters, usually have jurisdiction in the event of an action filed by the policyholder against the insurer for the contractually owed insurance coverage. Disputes under EUR15,000 fall under the jurisdiction of the district courts, whereas regional courts are competent for disputes above the amount of EUR15,000. Alternatively, special arbitration courts can be consulted. This applies to disputes over coverage in consumer contracts and reinsurance contracts.
The limitation period starting after the insured risk occurred is three years. Every insured person applying for coverage has to submit a declaration of damage including documents of the case to the insurer. After such declaration of damage has been filed, the limitation period gets suspended until the insurer sends a written decision about coverage. Any possible claims become time-barred if not claimed by the policyholder within ten years. If the insurer denies coverage, the insured person has to assert its claims in court within one year.
Generally, uncertainties as to the (international, subject matter and local) jurisdiction of a court must already be examined by the court without the application of a party (ie, ex officio). However, in most cases, potential lack of jurisdiction is only examined in detail following a respective motion by the defendant party. Parties may also agree on the jurisdiction of a certain court within the limits set by law. In the absence of a valid agreement, statutory provisions stipulate which court has jurisdiction.
If the court seized decides that it has jurisdiction, the following procedural step is to examine which law is applicable. In this context, the applicable law may result from the agreement of the parties and, in the absence thereof, from statutory provisions. Of course, an agreement on jurisdiction as well as on the applicable law is not conceivable in the case of tortious claims.
For claims with foreign references – eg, when the (re)insurer has its seat in a foreign country – the jurisdiction follows the rules of Regulation EU 1215/2012 on Jurisdiction and the Recognition and Enforcement of Judgments in Civil and Commercial Matters (EuGVVO). The applicable law follows Regulation EC 593/2008 on the Law applicable to Contractual Obligations in Insurance Contracts. As reinsurance contracts are explicitly excluded from the scope of Regulation EC 593/2008, Austrian Law on International Private Law is applicable.
The Austrian legal system offers various avenues for initiating court action, granting plaintiffs discretion in some cases, while mandating specific procedures in others. The litigation process is governed by the Code of Civil Procedure, which states the principle of orality for litigation processes.
Most legal actions against insurers are filed using the national order for payment form. The court issues a so-called conditional order for payment on the basis of the plaintiff’s alleged facts, in which the insurer is ordered to pay the sum of money claimed or to raise an objection within a certain period of time, after which ordinary court proceedings are initiated. This procedure must be carried out nationally up to EUR75,000; internationally there is no obligation to carry out an order for payment procedure, and also no value limit. In the case of amounts exceeding EUR75,000, or if the claim is not merely in the form of money, the regular court proceedings shall be instituted immediately, in which the parties submit their substantive and legal arguments, on which the court shall decide.
If the order for payment is not objected to or a judgment is not appealed to the next higher court, the order for payment or judgment becomes effective. The prevailing party can then file an application for execution, which initiates the execution proceedings.
According to the EuGVVO, all judicial decisions of the civil and commercial courts of the EU member states are recognised ipso jure without a separate legal act and are enforceable in Austria. However, recognition can be refused for certain reasons listed in the EuGVVO.
In the case of an application for enforcement of a foreign judgment, the actual enforcement is preceded by a so-called exequatur procedure – ie, the procedure for declaring enforceability. Special conditions have to be considered in case of a European Enforcement Order according to EuVTVO.
In addition to decisions on insurance contract disputes by state courts, there is the possibility to declare non-state courts (arbitral tribunals) competent for disputes arising out of a pre-determined legal relationship in the form of an arbitration clause. This is usually achieved by an additional written agreement in the insurance contract and determines the decision authority and jurisdiction of the particular arbitral tribunal. Apart from family and tenancy law claims, arbitration clauses are enforceable.
A domestic arbitral award usually has the effect of a legally binding court decision and is enforceable after the expiry of the payment period stated in the arbitral award.
Austria has been party to the New York Convention since 1961. The Convention requires courts of contracting states to give effect to private agreements to arbitrate and to recognise and enforce arbitration awards made in other contracting states. Conversely, Austrian arbitral awards are enforceable in states that have ratified the New York Convention. However, the enforcement of a foreign arbitral award may be refused in certain cases.
Generally, alternative dispute resolution (eg, mediation) does not play a big role in the resolution of insurance disputes in Austria. Nevertheless, the Alternative Dispute Resolution Act (AStG) provides a further possibility for consumers to resolve insurance disputes. According to this Act, a consumer can initiate an alternative dispute resolution procedure instead of a regular court procedure in advance in order to achieve a cost-effective, quick and simple settlement of the dispute. However, such a procedure requires the consent of the insurance company. For this reason, the parties are free to terminate the procedure at any stage.
Penalty provisions are generally uncommon in insurance provisions. Claims for damages which arose due to late payments can be raised if the insurer improperly delayed settling the claims and the policyholder has faced losses on this ground. Furthermore, the policyholder can withdraw from the contract, and as the insured, can reclaim paid premiums and default interest.
According to the Austrian Insurance Contract Act, compensation claims of the policyholder against third parties are subrogated to the insurer if the insurer compensates the policyholder. The subrogation is not applicable if the compensation claim is directed against a family member of the policyholder living in the same household. However, compensation claims, even in this case, are subrogated if the family member caused the damage intentionally. If the policyholder waives its compensation claims against a third party, the insurer is relieved from its obligations to compensate if the insurer could have claimed compensation out of such subrogated claim.
In general, quite a lot of insurtech business activity has been observed in the Austrian insurance market recently. Besides co-operating with insurtech start-ups, a number of Austrian insurance undertakings have established their own online direct distribution channels, some of which use their established company brands, whilst others create their own brands for future online business. Most of these online distribution channels provide for the possibility of signing retail insurance contracts without consulting an insurance distributor in person.
As for the legal framework for the business conducted by insurtechs, it has to be noted that insurtechs have to comply with the same legal standards applicable to “conventional” market participants. In fact, the amount of regulation of insurance law can be seen as a major challenge for insurtechs in Austria.
Insurtechs can be either non-concessioned or concessioned companies. Therefore, the FMA not only supervises licensed companies in fintech, but also clarifies the licence obligation. The FMA has established a fintech point of contact (“FinTechNavigator”) on its website, which fintech companies may contact regarding licensing requirements or other legal frameworks. However, with respect to insurtechs conducting business as an insurance intermediary rather than as an insurance company, the FMA is not the competent supervisory body.
Following international trends, insurance contracts relating to cyber-risks (such as data theft and phishing emails) have recently become increasingly popular in Austria. Whereas cyber-risks have tended not to receive the same attention in Austria as in other countries, the COVID-19 pandemic seems to have changed that. A recent survey shows that 38% of companies in Austria have noticed an increase in cyber-attacks during the pandemic. In this regard, the FMA requires high data security standards from insurers.
Other emerging risks which affect the insurance market are the consequences of global warming and associated natural disasters, and technological change. Demand for insurance covering these risks is high, although some risks may become extremely difficult to insure in the future. Artificial intelligence (AI) is also a growing concern for the global insurance industry.
With regard to the introduction of new insurance products relating to cyber-risks, a top-down development can be observed. Whereas cyber-insurance was initially subscribed mainly by large-scale enterprises, insurance undertakings in Austria have also begun to explicitly target small- and medium-sized enterprises as potential customers. Furthermore, the Austrian insurance market has recently seen the introduction of retail cyber-insurance products explicitly tailored to the needs of private persons, including coverage for damages suffered through the use of online shopping tools.
Both internationally and nationally, there has been a significant increase in cybercrime in recent years. While in 2017 around 16,800 cybercrime offences were reported in Austria, this figure had risen to over 46,000 by 2021. With increasing digitisation, not only is entrepreneurial activity shifting to the “digital world”, but criminal organisations are also adapting their actions to the changed circumstances.
In this context, the COVID-19 pandemic has not only contributed to a noticeable push in the area of digitalisation, but also to another significant increase in cybercrime. The Austrian cyber market was affected by, and had to deal with, a large number of cyber-attacks due to the increasing number of remote workers. According to the Cybercrime Report of the Austrian Federal Ministry of the Interior 2021, the rate of solved crimes in the cybercrime area has remained relatively constant at slightly more than one-third over the past five years (about 36.9% in 2021). Conversely, around two-thirds of these crimes remain unsolved, so that it is in fact not possible for victims to assert claims for damages in these cases.
The steady increase in cyber incidents has made the need for comprehensive insurance protection more and more apparent in recent years. In many cases, it is only when specific incidents occur that entrepreneurs realise that while “classic” insurance products may offer a certain level of protection, there are notable – and at times, very serious – gaps in coverage.
The insurance industry has responded to the increased need for protection against cyber incidents by launching a wide variety of products. In some cases, these have been based on standard insurance products and corresponding extensions or “additional modules” have been formulated to provide supplementary protection against “cybercrime”. On the other hand, there are concepts that are primarily “tailored” to cyber incidents.
The Network and Information Security Directive (NIS 2 Directive), which came into force on 16 January 2023 and replaces the NIS 1 Directive, is expected to tighten regulations and expand contractual obligations in the insurance industry (particularly in the area of cyber insurance and D&O insurance). This in turn will result in an increased liability risk for managing bodies, as they will have to ensure compliance with the expanded obligations. Member States now have until 17 October 2024 to incorporate NIS 2 components, strategies, and mandated reporting into their national laws. The aim of the Directive is to improve resilience and the response to security incidents within the public and private sectors across the EU. It establishes an obligation to take appropriate risk management measures for the security of network and information systems. Severe sanctions are envisaged (up to EUR10 million or 2% of the group’s total annual turnover – a significant increase from the previous cap of EUR50,000). Management bodies are liable for breaches if essential risk assessments are neglected or ignored.