Used as a small-scale problem solver and often underestimated as a whole: end user computing (EUC), often based on Excel macros or small scripts, is also popular with insurers because it can be implemented quickly and cost-effectively. However, the use of such applications entails significant risks. We explain why insurers should take this topic seriously and what sensible solutions are available.
One thing is clear: BaFin also takes a very critical view of the use of EUC, as it recently emphasized again in its implementation notes on DORA. This fact alone should be sufficient to put this issue at the top of the agenda in regulated companies. The German supervisory authority understands end user computing to mean all applications that are developed or operated by the business departments themselves.
Examples of EUC in the insurance environment
In numerous business areas, there is a veritable ecosystem of EUC. However, most people who develop or operate such applications are not even aware of this. Even an Excel workbook with macros (file extension .xlsm) can already be considered EUC in the sense of the insurance supervisory requirements for IT (VAIT). Further examples:
- Scripts to automate manual tasks in day-to-day work (e.g., RPA applications or low-code software such as Microsoft Power Automate).
- Macros in office applications (e.g., VBA in Excel workbooks).
- Tools in reporting and data transformation (e.g., in the conversion of data types and in the processing and presentation of data).
- Programs for very individual requirements (e.g., for performing complex calculations in higher-level programming languages such as Python, R or Java).
The use of EUC accelerates business processes and increases efficiency in the daily work of many employees. In addition, very specific, individual problems can be solved quickly and cost-effectively. EUC thus characterizes the day-to-day business of many companies.
What are the dangers of using EUC?
EUC is often developed by individuals. In practice, it has been shown that individual “Excel geniuses” or “scripting professionals” are often responsible for the entire EUC of large departments. Typical risks here include:
- The applications and their functionalities are poorly documented, if at all. When the creators leave the company, they usually take their (exclusive) knowledge with them.
- Regular application development is subject to a professional process model that requires, for example, structured acceptance tests or an established change management process. Since this is usually not the case with EUC, the probability of errors and failures increases.
The central IT department, which controls and distributes standard software centrally, often has no knowledge of the EUC used. This is effectively shadow IT, the use of which is generally classified as a significant threat to information security. Other actors in the internal control system (ICS) also have no chance of fulfilling their monitoring and control function. The compliance risks in the areas of data protection and data security are particularly serious here.
How do supervisory authorities assess EUC?
In its audits of insurers, BaFin recently found serious deficiencies in the way they handle EUC – the severity of the findings here is mostly in the important and heavyweight range (F3 to F4). A departure from this audit practice is not to be expected with DORA from 2025 either: even though the EU regulation does not make any statements about EUC, BaFin states in its implementation notes that EUC is implicitly included. The German regulators summarize: “The key requirements for EUC continue to apply. Testing may be more extensive than previously due to the lack of a special status for EUC.”
How should insurers deal with the topic of EUC?
When dealing with EUC, insurers need to tread carefully. This is because EUC is often an emotionally charged topic. Few departments are willing to voluntarily subject their carefully nurtured and maintained application to scrutiny or replace it with a less individualized, more expensive or more complicated solution. Moreover, at a time when IT requirements and conditions are evolving rapidly, an overly restrictive approach to EUC would be tantamount to missing out on opportunities.
“EUC can and should be used. However, this must be done within an organizational framework that mitigates the associated risks.” — Wolfgang Mokosch, Senior Strategy Consultant at matrix technology
The overarching goal must be to enable secure and transparent handling of IT-based decision support throughout the company. However, there are no uniform solutions here that fit all. The control of these applications (and ultimately regulatory compliance as well) always requires an adjustment to the individual starting situation.
Our approach: a mix of technical, process-oriented and strategic measures
In our consulting practice as an IT service provider specializing in regulatory matters, it has been shown that insurers should rely on a good mix of technical, procedural and strategic measures according to their individual risk profile. This not only protects the company from the underestimated risks, but also satisfies the supervisory authority. This is how we proceed step by step in customer projects:
Get an overview
First of all, a (rough) overview of the EUC scope of use must be created. This overview can serve as a basis for further decision-making. A protection requirement assessment should also already be carried out here.
Practical tips for the initial analysis of EUC
- Identify typical areas for EUC based on a business model analysis.
- Ask for voluntary reporting of EUC usage.
- Conduct individual spot checks in specialist departments (e.g., via interviews).
- Scan file systems for file types that typically indicate EUC (e.g., macro-enabled .xlsm workbooks).
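One way to carry out the file-system scan from the last tip, as an added Python example that is not the page's or matrix technology's own tooling: it walks a share, flags files whose extension typically indicates EUC (the extension map is an assumption), and additionally inspects Office files for an embedded VBA project, so that a macro workbook renamed to .xlsx is still caught while a plain .xlsx is not inventoried. The sample share is constructed inline.

```python
import os
import tempfile
import zipfile

# Assumed extension map (constructed for this example): extensions that typically indicate EUC artefacts.
EUC_EXTENSIONS = {".xlsm": "office-macro", ".xlam": "office-macro", ".docm": "office-macro",
                  ".accdb": "office-database", ".py": "script", ".r": "script",
                  ".vbs": "script", ".ps1": "script"}

def has_vba_project(path):
    # Office Open XML files are zip containers; VBA code is stored in a part named vbaProject.bin.
    if not zipfile.is_zipfile(path):
        return False
    with zipfile.ZipFile(path) as zf:
        return any(name.endswith("vbaProject.bin") for name in zf.namelist())

def classify(path):
    # Returns (category, has_vba), or None when the file does not look like EUC.
    ext = os.path.splitext(path)[1].lower()
    if ext in (".xlsx", ".docx"):  # not macro-enabled by name, but a renamed file can still carry VBA
        return ("office-macro", True) if has_vba_project(path) else None
    kind = EUC_EXTENSIONS.get(ext)
    return None if kind is None else (kind, kind == "office-macro" and has_vba_project(path))

def scan_euc(root):
    # Walk a share and emit one inventory record per EUC candidate (raw material for a CMDB import).
    records = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            result = classify(path)
            if result is not None:
                records.append({"path": os.path.relpath(path, root), "category": result[0],
                                "has_vba": result[1], "size": os.path.getsize(path)})
    return sorted(records, key=lambda r: r["path"])

def build_sample_share():
    # Constructed sample share in a temp directory: macro workbook, plain workbook,
    # macro file renamed to .xlsx, a Python script and a text file that is not EUC.
    base = tempfile.mkdtemp()
    def office(name, parts):
        with zipfile.ZipFile(os.path.join(base, name), "w") as zf:
            for part in parts:
                zf.writestr(part, b"x")
    office("pricing.xlsm", ["xl/workbook.xml", "xl/vbaProject.bin"])
    office("report.xlsx", ["xl/workbook.xml"])
    office("renamed.xlsx", ["xl/workbook.xml", "xl/vbaProject.bin"])
    for name, text in (("etl.py", "print('transform')\n"), ("notes.txt", "not EUC\n")):
        with open(os.path.join(base, name), "w") as f:
            f.write(text)
    return base
```

Running `scan_euc(build_sample_share())` yields three records: the script, the macro workbook and the renamed workbook, each with a category and VBA flag that can feed the protection requirement assessment.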
Create a policy for EUC
At this point, companies need to think about the scope within which the authors and users of EUC may and should operate. A written policy (in the form of a guideline and/or work instruction) is essential for this. Among other things, it should include a transparent procedure for classifying EUC. Further handling of EUC should be based on the individual protection needs. It makes sense to define a different set of measures for each protection requirement category.
Inventory of applications
A central role is played by an appropriate inventory of applications. This structured recording can be implemented in a variety of ways. For example, special tools are available on the market for recording EUC. However, it is also advisable to integrate the inventory into existing systems, such as the CMDB. Other types of recording are also conceivable. The important thing here is that the inventory is appropriate for the company’s individual risk profile and is actually used in the company’s day-to-day business.
Incorporate ICS
The ICS controls regarding EUC can often be incorporated into the existing control mechanisms against shadow IT.
Create awareness
In addition to these measures, insurers must also make certain that their employees are aware of this topic. Experience has shown that this is best achieved through transparent and proactive communication and by incorporating EUC into the training catalogue.