Insurance companies must prepare for DORA compliance
Last year, the Digital Operational Resilience Act (DORA) was enacted. This EU regulation seeks to strengthen the IT security of the financial sector, including insurance companies, banks, investment firms, and even cryptocurrency service providers and crowdfunding platforms. Helping the financial backbone of Europe stay resilient in the face of a severe operational disruption such as a broad cyberattack is the underlying goal of the Act.
Any insurer, even those based in other parts of the world, that provides services within the EU or is partnered with any EU-based financial services firms or vendors needs to comply with these rules if they exceed the applicable threshold in the previous two years:
● For payment institutions: €120 billion ($128.96 billion US) in payment transactions
● For electronic money institutions: €120 billion in payment transactions or €40 billion ($42.98 billion) in total value of the amount of outstanding electronic money
● For insurance and reinsurance institutions: €500 million ($537.29 million) in gross premiums
● For trading platforms: the largest market share nationally or 5% at the European level
The second batch of DORA rules is set to be published in July 2024, and companies will have until January 17, 2025, to comply with all of the regulations. That means insurers have only roughly half a year to put in place the capabilities to meet DORA requirements.
A focus on third-party risks
As complex financial services increasingly require insurers to bring in specialized vendors, it’s common for insurance companies to have working relationships with a large number of contractors and subcontractors, any of which could open them up to risks. DORA requires firms to adopt a risk management framework to not only govern their information and communication technology (ICT) risks but also address third-party risks.
DORA mandates that insurers and intermediaries not only build such a framework, but then adopt the capabilities needed to effectively manage ICT risks. It also specifies that mechanisms be in place to handle ICT-related incidents and report them in a timely fashion, along with policies that direct employees on what to do in such a scenario. Thorough testing of third-party risk management (TPRM) programs must also be set as a matter of policy, and contingency plans should be in place for the event of a vendor failure.
Insurers subject to DORA must implement the above proportionally, in keeping with their size, overall risk profile, and both the nature and scale of their services and operations. Third-party ICT providers who work with insurers that are under the scope of DORA will also be subject to a strict oversight framework managed by the European Supervisory Authorities (ESAs).
What happens if insurers don’t comply
Each member of the European Union will enforce DORA on their own. The authorities they put in place will have the ability to direct organizations in the finance sector to remediate specific vulnerabilities or take particular security measures. They can also charge administrative—or even criminal—penalties for noncompliance.
While each country will define its own fine and penalty structure, certain providers that the EU considers “critical” will be overseen directly by the ESAs. The ESAs can request that a financial services organization take specific security actions, and they can also charge significant fines: 1% of the organization’s average daily worldwide revenue. This fine can be levied every day for up to six months until compliance is reached.
There’s also considerable reputational damage that comes with noncompliance. DORA violations could signal to vendors that an insurer is risky to work with, making it harder to negotiate more favorable terms in the future. Even worse, potential customers might choose to avoid an insurance provider entirely if they have a history of security noncompliance; customers are very sensitive about how their data will be handled, particularly their personal and financial data.
Steps to meeting DORA requirements
Visibility
For insurers, meeting DORA rules will require modernizing legacy TPRM to meet transparency requirements and make it easier to quickly react to any vendor that is putting the insurer at risk of DORA violation. This requires data to be un-siloed and brought into an easy-to-review system. Contract data may currently live in a different system than cybersecurity, financial, and other relevant data, making both crucial risk insights and details that need to be reported as part of DORA harder to access.
Insurance companies should aim to develop a clear and detailed map of the relationships between their company and all vendors and subcontractors providing services. Such data mapping, pulling information together from multiple disparate systems in an enterprise, helps illuminate where important data resides as well as various dependencies in a digital supply chain.
Remediation
Understanding the impact that could come from a disruption at one of a company’s vendors is crucial in building a plan to mitigate any impacts of such an event—and developing the required stress tests for internal systems to see how they handle such a scenario. It’s recommended that all financial services organizations put their focus on the vendors providing the most crucial functions first when investigating their security practices and assessing how they fit into the company’s daily activities.
Contract management
In order to be DORA compliant, insurers must do their due diligence on any new vendors before signing contracts. An assessment must take place of their operational resilience, current security posture, and how well they comply with other security or regulatory requirements. Officials checking for DORA compliance will be taking a close look at contracts with vendors, looking for provisions in the language for audit rights, incident reporting, required training and more. It should be clear from the initial contract that any incidents involving customer or company data need to be reported to the insurer, and the vendor must take part in assisting in any regulatory investigations that result from such incidents.
These requirements aren’t simply for new vendors. Current third-party contracts will need to be reviewed, and any that don’t align with the insurer’s DORA requirements need to be addressed right away. Financial organizations should seek out vendors who are capable of providing audit evidence promptly when they are required; assessing which vendors have audit-ready systems in place, and which are capable of putting them in place by January, is an important step.
Preparing for 2025
DORA is a time-sensitive challenge for insurance companies doing business in the EU, as well as the ICT vendors supporting them. Most of the above processes will take months or longer to set up, so there is no room for delay in building a resiliency framework and implementing the tools and policies to see them through. Insurers and vendors should prioritize contract management, vendor visibility, and both testing and reporting processes in the latter half of 2024.
It will be hard work, but the result will be a more resilient, stable, and secure financial sector. With the right tools and processes put into place, insurance organizations should find themselves entering 2025 with more robust and secure IT systems and better risk management processes to protect them moving forward.
Jag Lamba is the founder and CEO of Certa, a third-party lifecycle management platform for procurement, compliance, and ESG. Certa is backed by Techstars and top global VCs. A Wharton and McKinsey alum, Lamba lives in Saratoga, Calif.